I filed an issue in the docker-stacks repo, but I’m posting here as well in case this belongs under support. It does seem to defy categorization to some extent.
Correct me if I’m wrong, but it looks like the start.sh script requires root privileges to mount NFS.
I understand that it subsequently deescalates; however, we’re using JupyterHub to provision notebooks on K8s and we want to provide a custom image field in the options form, but there’s no way for us to guarantee deescalation in that context, which is a show-stopper.
Is it possible to mount an EFS volume to the home directory without running the container as root? Has anyone successfully implemented a workaround for this configuration expectation?
We messed around with that and found it cumbersome and high maintenance, then switched to kubernetes-sigs/nfs-subdir-external-provisioner (a dynamic sub-dir volume provisioner on a remote NFS server). Neither solution provides the ability to mount as non-root though. Both have open issues complaining about precisely this. Looking into an Access Point approach that I have high hopes for. If it works, I’ll submit a PR. Worst case scenario, there’s always an initContainer or the pre_spawn_hook, but both implementations seem kind of janky to me.
Heads up @manics, I just submitted a PR to z2jh to include documentation that steps through how to use aws-efs-csi-driver along with an EFS Access Point to mount the EFS to the home directory as non-root.
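A sketch of the Access Point approach mentioned above, added here as an illustration; it is not taken from the PR or from the z2jh documentation. The StorageClass name, base path and file system ID are placeholders, and the UID/GID values assume the docker-stacks defaults (1000/100).

```yaml
# File 1: StorageClass for aws-efs-csi-driver using dynamic Access Points.
# Each PVC gets its own EFS Access Point, and EFS enforces the POSIX
# identity below on every file operation, so the notebook container
# never needs root to mount or chown the home directory.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: efs-ap-home               # hypothetical name
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap        # one Access Point per volume
  fileSystemId: fs-REPLACE_ME     # placeholder: your EFS file system ID
  directoryPerms: "700"           # home directory readable by its owner only
  uid: "1000"                     # assumed: jovyan UID in docker-stacks images
  gid: "100"                      # assumed: users GID in docker-stacks images
  basePath: /jupyterhub-home      # hypothetical root for per-user directories
---
# File 2: z2jh Helm values (config.yaml).
# The pod security context pins the identity regardless of which image
# a user enters in the options form, so de-escalation no longer depends
# on the image's start.sh.
singleuser:
  uid: 1000                       # container runs as this UID, not root
  fsGid: 100
  allowPrivilegeEscalation: false # assumes a chart version that exposes this key
  storage:
    type: dynamic
    dynamic:
      storageClass: efs-ap-home   # must match the StorageClass above
```

Because the identity is enforced by the Access Point and the pod security context rather than by the image, a custom image that tries to start as root is still run as UID 1000.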