<div dir="auto">I force my users to runAsUser their user ID in order to access storage ( enforced by OPA policy) and maintain POSIX complaince. I put the responsibility of being able to run as non-root and the container creator.<div dir="auto">I feel like this is growing as standard to run as non-root for things that aren't system level operators in k8s.</div><div dir="auto">If they aren't accessing storage, I don't care what UID they run as.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 3, 2022, 5:46 PM Lukas Hejtmanek <<a href="mailto:xhejtman@ics.muni.cz">xhejtman@ics.muni.cz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
nice to see that only file set can be exported now.<br>
<br>
We are running Kubernetes platform together with Spectrum Scale. Beside K8s,<br>
we have also HPC clusters using GPFS/NFS exports. <br>
<br>
We would like to integrate storage from HPC to K8s and vice versa. <br>
<br>
Currently, this is a problem because in K8s almost all users are using UID<br>
1000 for running pods while in HPC they have different UIDs. <br>
<br>
As far as I know, there is no possibility to remap UIDs between K8s and HPC on<br>
the same Spectrum Scale file system. Running pods with different UIDs is hard <br>
option as many containers assume, they run exactly as UID 1000.<br>
<br>
What do you think, is there anything that can be done here?<br>
<br>
On Fri, Jun 03, 2022 at 08:19:25PM +0000, Christopher Maestas wrote:<br>
> Hello everyone!<br>
> <br>
> I know I spoke to some of you at ISC 2022 this week about some of these features. They are officially out!<br>
> <br>
> Check out: <a href="https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=summary-changes" rel="noreferrer noreferrer" target="_blank">https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=summary-changes</a><br>
> Summary of changes<<a href="https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=summary-changes" rel="noreferrer noreferrer" target="_blank">https://www.ibm.com/docs/en/spectrum-scale/5.1.4?topic=summary-changes</a>><br>
> This topic summarizes changes to the IBM Spectrum Scale licensed program and the IBM Spectrum Scale library. Within each topic, these markers ( ) surrounding text or illustrations indicate technical changes or additions that are made to the previous edition of the information.<br>
> <a href="http://www.ibm.com" rel="noreferrer noreferrer" target="_blank">www.ibm.com</a><br>
> <br>
> Particularly:<br>
> ---<br>
> <br>
> Control fileset access for remote clusters<br>
> Administrators can now configure access to remote cluster nodes for only a subset of filesets instead of the entire file system. For more information, see Fileset access control for remote clusters<<a href="https://www.ibm.com/docs/en/STXKQY_5.1.4/com.ibm.spectrum.scale.v5r10.doc/bl1adv_fielsetaccesscontrol.html" rel="noreferrer noreferrer" target="_blank">https://www.ibm.com/docs/en/STXKQY_5.1.4/com.ibm.spectrum.scale.v5r10.doc/bl1adv_fielsetaccesscontrol.html</a>>.<br>
> <br>
> Increase in the number of independent filesets<br>
> In IBM Spectrum Scale the maximum number of independent filesets is increased from 1000 to 3000.<br>
> ---<br>
> <br>
> We'll talk further about this at the Scale user group in a few weeks in London!<br>
> <br>
> -Chris<br>
<br>
> _______________________________________________<br>
> gpfsug-discuss mailing list<br>
> gpfsug-discuss at <a href="http://gpfsug.org" rel="noreferrer noreferrer" target="_blank">gpfsug.org</a><br>
> <a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org" rel="noreferrer noreferrer" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</a><br>
<br>
<br>
-- <br>
Lukáš Hejtmánek<br>
<br>
Linux Administrator only because<br>
Full Time Multitasking Ninja <br>
is not an official job title<br>
<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at <a href="http://gpfsug.org" rel="noreferrer noreferrer" target="_blank">gpfsug.org</a><br>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org" rel="noreferrer noreferrer" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</a><br>
</blockquote></div>