如何在Kubernetes中的elasticsearch数据目录上执行chown 1000:1000 [英] How to do chown 1000:1000 on the elasticsearch data directory in Kubernetes
问题描述
我遇到无法创建节点环境的错误,并带有Elasticsearch Docker镜像:
I'm getting the Failed to created node environment error with an elasticsearch docker image:
[unknown] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: Failed to create node environment
elasticsearch数据的持久量为 / mnt / volume / elasticsearch-data 。
The persistent volume for elasticsearch data is at /mnt/volume/elasticsearch-data.
我能够通过 ssh 进入远程计算机并运行 chown来解决此问题1000:1000 / mnt / volume / elasticsearch-data 。但我不想手动进行。如何使用 deployment.yaml 文件解决此特权问题?
I'm able to solve this problem by ssh into the remote machine and run chown 1000:1000 /mnt/volume/elasticsearch-data. But I don't want to do it manually. How can I solve this privilege issue using the deployment.yaml file?
我已经阅读过使用 fsGroup:在应该可以解决此问题,但对我不起作用。 securityContext 中的1000
I've read that using fsGroup: 1000 in securityContext should solve the problem, but it isn't working for me.
deployment.yaml:
deployment.yaml:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: elasticsearch
spec:
replicas: 1
template:
metadata:
labels:
app: elasticsearch
spec:
containers:
- name: elasticsearch
image: me-name/elasticsearch:6.7
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 9200
envFrom:
- configMapRef:
name: elasticsearch-config
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: elasticsearch-volume
securityContext:
runAsUser: 1000
fsGroup: 1000
capabilities:
add:
- IPC_LOCK
- SYS_RESOURCE
volumes:
- name: elasticsearch-volume
persistentVolumeClaim:
claimName: elasticsearch-pv-claim
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "sysctl -w vm.max_map_count=262144"]
storage.yaml:
storage.yaml:
kind: PersistentVolume
apiVersion: v1
metadata:
name: elasticsearch-pv-volume
labels:
type: local
app: elasticsearch
spec:
storageClassName: manual
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
hostPath:
path: "/mnt/volume/elasticsearch-data"
persistentVolumeReclaimPolicy: Delete
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: elasticsearch-pv-claim
labels:
app: elasticsearch
spec:
storageClassName: manual
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
推荐答案
似乎在
There seems to be on open bug regarding permissions hostPath volumes. To work around this issue you should create an initContainer initially setting the proper permissions:
piVersion: extensions/v1beta1
kind: Deployment
metadata:
name: elasticsearch
spec:
replicas: 1
template:
metadata:
labels:
app: elasticsearch
spec:
initContainers:
- name: set-permissions
image: registry.hub.docker.com/library/busybox:latest
command: ['sh', '-c', 'mkdir -p /usr/share/elasticsearch/data && chown 1000:1000 /usr/share/elasticsearch/data' ]
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: elasticsearch-volume
containers:
- name: elasticsearch
image: me-name/elasticsearch:6.7
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 9200
envFrom:
- configMapRef:
name: elasticsearch-config
volumeMounts:
- mountPath: /usr/share/elasticsearch/data
name: elasticsearch-volume
securityContext:
runAsUser: 1000
fsGroup: 1000
capabilities:
add:
- IPC_LOCK
- SYS_RESOURCE
volumes:
- name: elasticsearch-volume
persistentVolumeClaim:
claimName: elasticsearch-pv-claim
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "sysctl -w vm.max_map_count=262144"]
通过设置 fsGroup ,您处在正确的轨道上您当前正在做的是将 user 设置为 1000 并通过访问 group <$ c $来装入卷c> 1000 。您应该更改的是使用 runAsGroup:1000 而不是 runAsUser:1000 。
You are on the right track by setting the fsGroup but what you are currently doing is setting the user to 1000 and mounting the volume with access to the group 1000. What you should change is to use runAsGroup: 1000 instead of runAsUser: 1000.
这篇关于如何在Kubernetes中的elasticsearch数据目录上执行chown 1000:1000的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
