Permissions problem with pvc block device

apache / solr-operator

Official Kubernetes operator for Apache Solr

https://solr.apache.org/operator

Apache License 2.0

243 stars 111 forks source link

Permissions problem with pvc block device #523

Closed necipakca closed 1 year ago

necipakca commented 1 year ago

When I tried to start solrcloud on our k8s system with Huawei CSI pvc. Pod can not start due to file system permissions problem. It can not write files to the data volume.

I can solve the issue with initContainer ;

  initContainers:
    - name: busybox
      image: busybox:1.28.0-glibc
      command:
        - "/bin/sh"
        - "-c"
        - "mkdir -p /var/solr/data && chown -R 8983:8983 /var/solr/data && chmod -R 770 /var/solr/"
      volumeMounts:
        - mountPath: /var/solr/data
          name: data
      securityContext:
        runAsNonRoot: false
        runAsUser: 0
        runAsGroup: 0

HoustonPutman commented 1 year ago

Are you using the default Solr image? because /var/solr should hopefully already come with those permissions...

necipakca commented 1 year ago

Current Images : apache/solr-operator:v0.6.0 solr:8.11.2

Permissions are without the initContainer like ;

ls -lah /var/solr/

drwxr-xr-x 3 root root 4.0K Feb 13 18:08 . drwxr-xr-x 1 root root 4.0K Feb 13 18:08 .. drwxr-xr-x 3 root root 4.0K Feb 13 18:08 data

ls -lah /var/solr/data drwxr-xr-x 3 root root 4.0K Feb 13 18:08 . drwxr-xr-x 3 root root 4.0K Feb 13 18:08 .. drwx------ 2 root root 16.0K Feb 13 18:08 lost+found -rw-r-xr-- 1 root root 979 Feb 13 18:08 solr.xml

May be it can be related with our block storage CSI plugin, it comes always with root:root at default when it mounted.

HoustonPutman commented 1 year ago

May be it can be related with our block storage CSI plugin, it comes always with root:root at default when it mounted.

Yeah that seems like an issue for sure.

It looks like the new SecurityContext feature will allow for better changing of permissions for volumes: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods

And the Huawei CSI Driver does not implement the VOLUME_MOUNT_GROUP NodeServiceCapability which seems to be a good thing.

So maybe we just need to use the new SecurityContext feature, though it will be hard for me to test this.

HoustonPutman commented 1 year ago

Actually I was misremembering and we already use securityContext.fsGroup, so this should be behaving correctly...

Have you tried this? https://github.com/Huawei/eSDK_K8S_Plugin/issues/68#issuecomment-1164104357

necipakca commented 1 year ago

Have you tried this? Huawei/eSDK_K8S_Plugin#68 (comment)

Yes this solved the problem 👍

After created the csidriver resource current permissions like ;

solr@solr-solrcloud-0:/var/solr$ ls -lah total 36K drwxrwx---. 4 solr root 4.0K Mar 8 05:51 . drwxr-xr-x. 1 root root 4.0K Feb 1 22:21 .. drwxrwsr-x. 5 root solr 4.0K Mar 8 05:52 data -rw-rw----. 1 solr root 3.5K Feb 1 22:21 log4j2.xml drwxrwx---. 2 solr root 4.0K Mar 8 05:51 logs

I am kindly closing the issue. Thanks a lot 👍