
I am trying to "manually" mount an overlayfs within a Kubernetes Pod, to create a copy-on-write layer on top of a shared persistent volume.

(This is for running a read-only Postgres: Postgres cannot run on a read-only filesystem because of locking.)

So I created a volume:

spec:
  volumes:
    - name: tempfs-volume
      emptyDir:
        medium: Memory
        sizeLimit: "1Gi"

and mount it under /opt/overlay:

spec:
  containers:
    - volumeMounts:
        - mountPath: /opt/pgdata_readonly
          name: my-postgres-volume
        - mountPath: /opt/overlay
          name: tempfs-volume

When I create the directories mentioned in the command below and run

mount -t overlay -o lowerdir=/opt/pgdata_readonly,upperdir=/opt/overlay/upper,workdir=/opt/overlay/work overlay /opt/overlay/target

I get the error `mount: /opt/overlay/target: cannot mount overlay read-only.`

I googled for quite a while and could not find a hint as to what could possibly be going wrong here. This is on Google Cloud.

peschü

1 Answer

After a while I found out that I need to declare the container to have a privileged security context. Suddenly it works!

spec:
  containers:
    - securityContext:
        privileged: true

There is also an article showing a two-layered setup in which the container that hosts the actual application does not need to be privileged: https://itnext.io/using-overlay-mounts-with-kubernetes-960375c05959

peschü
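As an added example (not part of the original question or answer), here are the fragments above assembled into one complete Pod manifest that creates the overlay directories and performs the mount at container start, checks that the mount actually exists before handing over to the database, and only then starts Postgres on the merged view. The PVC name `my-postgres-pvc`, the `postgres:16` image and the `docker-entrypoint.sh postgres` hand-off are assumptions, not details from the post. Note what `privileged: true` buys you: the process is effectively root on the host, which is far more than `mount(2)` needs (CAP_SYS_ADMIN plus a seccomp/AppArmor profile that does not deny `mount`), so keep anything that runs this way as small as possible.

```yaml
# Added example: full Pod manifest built from the question's volume and
# volumeMount fragments plus the answer's privileged securityContext.
# Assumptions (not from the original post): the PVC name, the image and
# the docker-entrypoint.sh hand-off.
apiVersion: v1
kind: Pod
metadata:
  name: postgres-overlay
spec:
  volumes:
    - name: my-postgres-volume
      persistentVolumeClaim:
        claimName: my-postgres-pvc   # assumed: the PVC holding the shared data
        readOnly: true               # the lower layer is never written to
    - name: tempfs-volume
      emptyDir:
        medium: Memory
        sizeLimit: "1Gi"             # the upper layer lives here; every write counts against this
  containers:
    - name: postgres
      image: postgres:16             # assumed; any image that ships mount(8) works
      securityContext:
        privileged: true             # needed for mount(2) inside the container (see the answer)
      env:
        - name: PGDATA
          value: /opt/overlay/target # the merged (lower + upper) view
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -e
          # upperdir and workdir must be on the same filesystem (the tmpfs emptyDir),
          # workdir must be empty, and target is where the merged view appears.
          mkdir -p /opt/overlay/upper /opt/overlay/work /opt/overlay/target
          mount -t overlay \
            -o lowerdir=/opt/pgdata_readonly,upperdir=/opt/overlay/upper,workdir=/opt/overlay/work \
            overlay /opt/overlay/target
          # Fail loudly if the overlay is not really there instead of letting
          # Postgres start on the (read-only) lower data by accident.
          grep -q ' /opt/overlay/target overlay ' /proc/mounts
          exec docker-entrypoint.sh postgres
      volumeMounts:
        - mountPath: /opt/pgdata_readonly
          name: my-postgres-volume
          readOnly: true
        - mountPath: /opt/overlay
          name: tempfs-volume
```

Two things to check before relying on this. First, the data files under the lower layer should already be owned by the uid the container runs Postgres as: any `chown` over the lower directory on a plain overlayfs copies the affected files up into the tmpfs upper layer, which is a fast way to hit the 1Gi limit. Second, if you follow the linked article's two-container idea, the Kubernetes mechanism that makes a mount performed in one container visible in another is `mountPropagation` (`Bidirectional` on the side that mounts, `HostToContainer` on the side that consumes); whether that is exactly how the article wires it up is not something this page confirms.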