cryostatio / cryostat-db


[Bug] Database does not start due to `Permission denied` #47

Open grzesuav opened 2 months ago

grzesuav commented 2 months ago

Current Behavior

I added a PVC with the following settings


pvc:
  ## @param pvc.enabled Specify whether to use persistentVolumeClaim or EmptyDir storage
  enabled: true
  ## @param pvc.annotations [object] Annotations to add to the persistentVolumeClaim
  annotations: {}
  ## @param pvc.storage Storage size to request for the persistentVolumeClaim
  storage: 5Gi
  ## @param pvc.accessModes Access mode for the persistentVolumeClaim. See: [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
  accessModes:
    - ReadWriteOnce
  ## @param pvc.selector [object] Selector for the persistentVolumeClaim. See: [Selector](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
  selector: {}
  ## @param pvc.storageClassName [string, nullable] The name of the StorageClass for the persistentVolumeClaim. See: [Class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims)
  # storageClassName:
  storageClassName: "managed-csi"

and cryostat does not start; the issue is with the cryostat-db container -

❯ k logs cryostat-dbb678dd9-g7lzd -c cryostat-db
mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied

in the deployment

      volumes:
      - name: cryostat
        persistentVolumeClaim:
          claimName: cryostat

and in cryostat-db container

        volumeMounts:
        - mountPath: /var/lib/pgsql/data
          name: cryostat
          subPath: postgres

I believe some file ownership should be changed?

Expected Behavior

Cryostat starts successfully

Steps To Reproduce

No response

Environment

- OS: 
- Environment: 
- Version:

Anything else?

No response

andrewazores commented 2 months ago

Thanks @grzesuav, we just noticed this internally at the end of last week as well. It looks like a package change on the container base image side.

In the meantime, you can try rolling back to an earlier database container version:

https://quay.io/repository/cryostat/cryostat-db?tab=tags

ex.

$ helm install cryostat --set pvc.enabled=true --set db.image.tag=2024-08-19 ./charts/cryostat/

andrewazores commented 2 months ago

Sorry, actually the bug that my colleague spotted last week was in the downstream equivalent container build, which works a bit differently from the upstream one. The root cause is therefore different and isn't actually the same bug; it's just that both manifest as '/var/lib/pgsql/data/userdata': Permission denied.

For this case, maybe it has to do with the security context and fsGroup of the container?

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

https://github.com/cryostatio/cryostat-helm/blob/61cf6a015f182c333b87a2ed385fc787746aee10/charts/cryostat/values.yaml#L93
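
As an added illustration of the fsGroup suggestion in the comment above (not code from this issue or from the Cryostat project): a small Python check over a Deployment in `kubectl get deployment -o json` form that lists PVC-backed mounts in a pod template with no pod-level `fsGroup`. The sample input is constructed from the fragments quoted in the issue; the contents of its pod `securityContext` are an assumption, since the issue does not show them.

```python
import json

# Constructed sample: the Deployment fragments quoted in the issue, as JSON.
# The pod securityContext shown here is an assumption; the issue does not show it.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
  "volumes": [{"name": "cryostat",
               "persistentVolumeClaim": {"claimName": "cryostat"}}],
  "containers": [{"name": "cryostat-db",
    "volumeMounts": [{"mountPath": "/var/lib/pgsql/data",
                      "name": "cryostat", "subPath": "postgres"}]}]
}}}}
""")


def pvc_mounts_without_fsgroup(deployment):
    """Return (container, mountPath, claimName) for every PVC-backed mount
    in a pod template whose pod-level securityContext sets no fsGroup."""
    pod = deployment["spec"]["template"]["spec"]
    if (pod.get("securityContext") or {}).get("fsGroup") is not None:
        # With fsGroup set, the kubelet is asked to make supported volumes
        # group-owned by that GID, so non-root processes can write to them.
        return []
    claims = {v["name"]: v["persistentVolumeClaim"]["claimName"]
              for v in pod.get("volumes", []) if "persistentVolumeClaim" in v}
    findings = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("runAsUser") == 0:
            continue  # explicitly root: ownership mismatch is an unlikely cause
        for m in c.get("volumeMounts", []):
            if m["name"] in claims:
                findings.append((c["name"], m["mountPath"], claims[m["name"]]))
    return findings


if __name__ == "__main__":
    for name, path, claim in pvc_mounts_without_fsgroup(SAMPLE):
        print(f"{name}: {path} (PVC {claim}) mounted with no pod fsGroup")
```

A finding is a heuristic only: the manifest does not reveal the image's default user or how the storage class provisions ownership, so confirm with the actual owner and mode of the mounted directory.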