Mounting EFS/NFS to home without root privileges

I filed an issue in the docker-stacks repo, but I’m posting as here as well in case this belongs under support. It does seem to defy categorization to some extent.

Correct me if I’m wrong, but it looks like the script requires root privileges to mount NFS.

I understand that it subsequently deescalates, however, we’re using JupyterHub to provision notebooks on K8s and we want to provide a custom image field in the options form, but there’s no way for us to guarantee deescalation in that context, which is a show-stopper.

Is it possible to mount an EFS volume to the home directory without running the container as root? Has anyone successfully implemented a workaround for this configuration expectation?

Strictly speaking the mount is handled by the container platform (Docker, Kubernetes), not the container itself.

According to
the default EFS owner is root so either it needs to be chowned at run-time which obviously requires admin permissions inside the container, or you set the permissions before it’s mounted.

The above link suggests it might be possible to automate. If you manage to figure it out please share the solution!

Thanks, Manics! Maybe this can simply be handled at the PV / PVC level. I’ll do some experimentation and submit a PR if I find a solution.

It sounds like EFS now has support for dynamically provisioning Kubernetes volumes:

This may make things easier!

We messed around with that and found it cumbersome and high maintenance, then switched to GitHub - kubernetes-sigs/nfs-subdir-external-provisioner: Dynamic sub-dir volume provisioner on a remote NFS server.. Neither solution provides the ability to mount as non-root though. Both have open issues complaining about precisely this. Looking into an Access Point approach that I have high hopes for. If it works, I’ll submit a PR. Worst case scenario, there’s always an initContainer or the pre_spawn_hook, but both implementations seem kind of janky to me.

1 Like

Heads up @manics, I just submitted a PR to z2jh to include documentation that steps through how to use aws-efs-csi-driver along with an EFS Access Point to mount the EFS to the home directory as non-root.

Here’s the link: Add non-root EFS documentation by droctothorpe · Pull Request #2538 · jupyterhub/zero-to-jupyterhub-k8s · GitHub.

1 Like