docs: Add instructions for NFS user mapping

DSD-DBS · Sep 28, 2023 · 249e781 · 249e781
1 parent e9a8cde
commit 249e781
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/docs/user/docs/installation.md b/docs/user/docs/installation.md
@@ -63,8 +63,26 @@ in the future.
         This can be exploited by a user uploading so much data to their workspace that
         the server goes out of disk storage.
 
-        Please follow the official instructions: <https://microk8s.io/docs/nfs> <br />
-        Make sure to update the storageClass in the `values.yaml` in step 6 to `nfs-csi`.
+        Please follow the official instructions: <https://microk8s.io/docs/nfs>.
+
+        Make sure to update the `backend.storageClassName` in the `values.yaml` in step 6 to `nfs-csi`.
+        All new Jupyter file-shares and personal workspaces will use the new storage class then.
+
+        !!! warning "User mapping for non-root containers"
+            If you want to run the session containers as non-root, you can set the `runAsUser` value in the `podSecurityContext` of the values.yaml.
+            In the default configuration, `runAsUser` is set to `1004370000`.
+
+            Unfortunately our setup NFS does not respect the `fsGroup` option. Therefore, all volumes are mounted with `nobody:nogroup` per default.
+            This will lead to permission errors and crashing session containers.
+
+            To fix it, change the `/etc/exports` file and modify the options for the create file-share to:
+            ```
+            (rw,sync,no_subtree_check,all_squash,anonuid=<user-id-of-session-containers>,anongid=0)
+            ```
+
+            Replace `<user-id-of-session-containers>` with the value of the `runAsUser` value of the Kubernetes Pod security context.
+
+            Then, apply the new configuration by running `exportfs -ra`.
 
 === "k3d"