在kubernetes statefulset中对Elasticsearch数据目录进行chown时权限被拒绝 [英] Permission denied when chown on elasticsearch data directory in kubernetes statefulset
问题描述
希望有人可以帮助我解决似乎是权限错误的问题.我正在尝试使用官方的Elasticsearch Docker镜像启动一个3节点的Elasticsearch集群.当容器启动时,我从/usr/share/elasticsearch/data/nodes上的Elasticsearch收到拒绝访问"错误,因此我尝试添加命令以使Elasticsearch成为/usr/share/elasticsearch/data的所有者.但是当包含chown命令时出现这些错误:
Hoping someone can help me resolve what appears to be a permissions error. I'm trying to start a 3-node elasticsearch cluster using the official elasticsearch docker image. When the container was started I was getting an "access denied" error from elasticsearch on /usr/share/elasticsearch/data/nodes so I tried adding a command to make elasticsearch the owner of /usr/share/elasticsearch/data...but I get these errors when I include the chown command:
chown: cannot read directory '/usr/share/elasticsearch/data/lost+found': Permission denied
chown: changing ownership of '/usr/share/elasticsearch/data': Operation not permitted
这是我的statefulset yaml文件:
Here is my statefulset yaml file:
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: esnode
spec:
serviceName: elasticsearch-transport
replicas: 3
template:
metadata:
labels:
app: evo-pro-cluster
spec:
initContainers:
- name: init-sysctl
image: busybox
imagePullPolicy: IfNotPresent
command: ["sysctl", "-w", "vm.max_map_count=262144"]
securityContext:
privileged: true
containers:
- name: elasticsearch
securityContext:
privileged: true
capabilities:
add:
- IPC_LOCK
- SYS_RESOURCE
command: ["/bin/sh"]
args: ["-c", "chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data"]
image: docker.elastic.co/elasticsearch/elasticsearch:5.6.1
imagePullPolicy: Always
env:
- name: "ES_JAVA_OPTS"
value: "-Xms6g -Xmx6g"
ports:
- containerPort: 9200
name: http
protocol: TCP
- containerPort: 9300
name: transport
protocol: TCP
volumeMounts:
- name: storage
mountPath: /usr/share/elasticsearch/data
- name: config
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
subPath: elasticsearch.yml
volumes:
- name: config
configMap:
name: elasticsearch-config
volumeClaimTemplates:
- metadata:
name: storage
annotations:
storageClassName: standard
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: 110Gi
推荐答案
此特定docker映像期望数据目录可由uid 2000
写入.您可以通过添加 .spec.securityContext.fsGroup
:
This particular docker image expects the data directory to be writable by uid 2000
. You can tell Kubernetes to chown (sort of) the mount point for your pod by adding .spec.securityContext.fsGroup
:
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: esnode
spec:
...
securityContext:
fsGroup: 2000
(当然,您可以摆脱chown hack或initContainer)
(end of course you can get rid of the chown hack or the initContainer)
fsGroup
:整数:一个特殊的补充组,适用于容器中的所有容器.某些卷类型允许Kubelet更改要由Pod拥有的该卷的所有权:1.拥有的GID将是FSGroup.2.将setgid位置1(在该卷中创建的新文件将由FSGroup拥有)3权限位与rw-rw ----进行或运算.如果未设置,则Kubelet不会修改任何卷的所有权和权限.
fsGroup
: integer: A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume.
这篇关于在kubernetes statefulset中对Elasticsearch数据目录进行chown时权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!