[backend] Unable to create directory in Minio when using Artifacts: Permission denied #10397
Comments
Please use the final 1.8 image, not jupyter-pytorch-full:v1.8.0-rc.0 and join the biweekly KFP meeting to discuss this. |
You should also try to update from KFP 2.0.3 to 2.0.5 first. |
Thanks for the reply @juliusvonkohout. I write here my findings:
For any readers, I did not understand the explanation of #6530 but:
|
@rimolive this might be something to track for 1.9 |
/assign @juliusvonkohout |
We have an open PR for that #10538. |
/assign @gregsheremeta |
@rimolive: GitHub didn't allow me to assign the following users: gregsheremeta. Note that only kubeflow members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it. |
/reopen |
@majuss: You can't reopen an issue/PR unless you authored it or you are a collaborator. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/reopen |
@rimolive: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This issue is actually because Kubeflow Pipelines requires that component containers run as root, the container you have chosen There is a PR to fix this issue by mounting @chensun @HumairAK @Tomcli we definitely need to prioritize fixing this issue, because it's pretty bad to have a hard requirement on root container images. |
I also want to say that the lack of That is, if users could set the Pod |
We're running into this now. All our end user containers run as non-root to optimize security. This is a pretty universal expectation at any security sensitive company. |
For anyone else running into this, we found a short-term workaround using kyverno that's not contingent on this PR being merged. Huge shout out to @moorthy156 for implementing it lightning fast. Just update the
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-volume-mount-pipelineroot
spec:
  background: true
  # Ignore: if the Kyverno webhook does not respond, pods are admitted unmutated.
  failurePolicy: Ignore
  rules:
    - match:
        any:
          - resources:
              kinds:
                - Pod
              namespaceSelector:
                matchLabels:
                  app.kubernetes.io/part-of: "kubeflow-profile"
              selector:
                matchExpressions:
                  - key: pipelines.kubeflow.org/v2_component
                    operator: In
                    values:
                      - "true"
      mutate:
        patchStrategicMerge:
          spec:
            volumes:
              - name: pipelineroot
            containers:
              # Conditional anchor: only containers named main or wait are patched.
              - (name): main | wait
                volumeMounts:
                  - mountPath: /s3
                    name: pipelineroot
                env:
                  - name: AWS_REGION
                    value: us-east-1
      name: add-volume-mount-pipelineroot
      preconditions:
        all:
          # Mutate only when the Pod is created.
          - key: '{{ request.operation }}'
            operator: Equals
            value: CREATE
```
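A pre-flight check for the failure discussed in this thread, as an added example (not code from the Kubeflow project or from any commenter): it reads the failing directory out of the launcher error and reports which v2 component containers are not pinned to UID 0 and have no writable volume mounted there. The `ARTIFACT_ROOTS` list, the function names, the abridged log line and the sample pod are assumptions constructed for illustration.

```python
import re

# Assumption: local path prefixes the KFP v2 launcher writes artifacts under.
ARTIFACT_ROOTS = ("/minio", "/s3", "/gcs")
V2_LABEL = "pipelines.kubeflow.org/v2_component"  # label the policy above selects on

def failing_root(log_line):
    """Top-level directory from a launcher 'mkdir ...: permission denied' error."""
    m = re.search(r"mkdir (/[^/:\s]+)[^:]*: permission denied", log_line)
    return m.group(1) if m else None

def missing_mounts(pod, roots=ARTIFACT_ROOTS):
    """Map container name -> artifact roots it cannot write to.

    Only v2 component pods are inspected. A container explicitly pinned to
    UID 0 is skipped; anything else may be non-root (the image's USER
    decides), so it needs a writable volume mounted at each root.
    """
    if pod.get("metadata", {}).get("labels", {}).get(V2_LABEL) != "true":
        return {}
    spec = pod.get("spec", {})
    volumes = {v["name"] for v in spec.get("volumes", [])}
    findings = {}
    for c in spec.get("containers", []):
        # Container-level securityContext overrides the pod-level one.
        sc = {**(spec.get("securityContext") or {}), **(c.get("securityContext") or {})}
        if sc.get("runAsUser") == 0:
            continue
        writable = {m["mountPath"].rstrip("/") for m in c.get("volumeMounts", [])
                    if m["name"] in volumes and not m.get("readOnly")}
        gaps = [r for r in roots if r not in writable]
        if gaps:
            findings[c["name"]] = gaps
    return findings

# Constructed sample: abridged error from this issue and a non-root component pod.
LOG = 'unable to create directory "/minio/mlpipeline/v2/artifacts/x": mkdir /minio: permission denied'

def sample_pod(mount_path=None, uid=1000):
    main = {"name": "main", "securityContext": {"runAsUser": uid}}
    spec = {"containers": [main]}
    if mount_path:
        spec["volumes"] = [{"name": "pipelineroot"}]  # no source given, as in the policy
        main["volumeMounts"] = [{"name": "pipelineroot", "mountPath": mount_path}]
    return {"metadata": {"labels": {V2_LABEL: "true"}}, "spec": spec}

if __name__ == "__main__":
    root = failing_root(LOG)
    for path in (None, "/s3", root):
        print(path, missing_mounts(sample_pod(path), roots=(root,)))
```

On the constructed input, a pod mounted only at `/s3` is still reported for `/minio`, so the mount path in the policy has to match the root named in the launcher error.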
Just wanted to update everyone that there is a new PR being worked on that will fix this issue: |
@chensun @james-jwu @zijianjoy can we please cherry-pick #10857 into the 2.2 branch, and cut a 2.2.1 release with this fix? This is a very important issue, as it prevents non-root containers from working in pipeline steps, which stops many people adopting Kubeflow Pipelines. |
We can also do a follow up Kubeflow 1.9.1, but one way or the other we need a new release of KFP. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This should have been resolved by #10857 in 2.3.0 /close |
@thesuperzapper: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Hi Developers
I have tried to create a simple pipeline using and transferring data using "built-in" artifacts approach without success. Difficult to say what is happening but I have found similar issues in other threads.
Please, if you know a manual patch, let us know. I see artifacts as a core solution/approach.
cc: @juliusvonkohout, @chensun
I am aware that there are some issues related, but I do not see a final solution or alternative patch. See: #6530 , kubeflow/manifests#2573, #7629
Environment
How did you deploy Kubeflow Pipelines (KFP): https://github.com/kubeflow/manifests latest tag: v.1.8.0
KFP version: According to the Readme from manifest repo: KFP 2.0.3
KFP SDK version: 2.6.0
Steps to reproduce
I get a permission denied error when using Artifacts.
Snippet of code:
Associated logs:
failed to execute component: unable to create directory "/minio/mlpipeline/v2/artifacts/mnist/43f760f9-b638-4129-87fe-602e24076beb/download-data" for output artifact "test_path": mkdir /minio: permission denied
Expected result
Work without issues
Materials and Reference
Impacted by this bug? Give it a 👍.