Closed sachincab closed 8 years ago
Hi again,
I did some more testing and it seems the problem is like this:
Scenario 1: When I tried to use the latest CoreOS beta version (CoreOS 1122.1.0), which has the etcd-wrapper script natively, the etcd rkt container starts properly without any permission denied error.
Scenario 2: When I tried to use the CoreOS stable version (CoreOS 1068.10.0) and tried to copy and use the same wrapper script, I get a permission denied error for the SSL certificates which are mounted as a volume.
Hence I am not sure what the exact problem is here. In this case, I would like to use the CoreOS stable version if possible.
Otherwise I need to go with the beta version to get rid of the permission denied errors.
Please let me know your thoughts on this.
@crawford @steveeJ can you help to take a look at this etcd wrapper related question? thanks!
@sachincab Please create an issue here: https://github.com/coreos/bugs. Thanks!
I'm also facing the same issue. Can't start ETCD in TLS mode; it says permission denied for the certificate file.
{"level":"fatal","ts":"2021-05-08T11:51:19.907Z","caller":"etcdmain/etcd.go:290","msg":"listener failed","error":"open /etc/ssl/certs/etcd-ca.cert.pem: permission denied","stacktrace":"go.etcd.io/etcd/etcdmain.startEtcdOrProxyV2\n\t/tmp/etcd-release-3.4.15/etcd/release/etcd/etcdmain/etcd.go:290\ngo.etcd.io/etcd/etcdmain.Main\n\t/tmp/etcd-release-3.4.15/etcd/release/etcd/etcdmain/main.go:46\nmain.main\n\t/tmp/etcd-release-3.4.15/etcd/release/etcd/main.go:28\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:200"}
volumes:
  - /mnt/data/certstore/etcd:/etc/ssl/certs
environment:
  - ETCD_CERT_FILE=/etc/ssl/certs/etcd-ca.cert.pem
  - ETCD_KEY_FILE=/etc/ssl/certs/etcd-ca.key.nopass.pem
  - ETCD_CLIENT_CERT_AUTH=true
Hi Team,
When trying to run etcd-3.0.7 as an rkt container using etcd-wrapper, it complains with the error below:
etcdmain: open /etc/ssl/etcd/kube-etcd-member.pem: permission denied
I can see that the volume where the certs are stored seems to be mounted:
run: adding {V:etcd-certs,kind=host,source=/etc/ssl/etcd M:{Volume:etcd-certs Path:/etc/ssl/etcd}}
etcd-wrapper[3036]: run: cannot run as unprivileged user
Here is the etcd3.service content:
I tried to run the same rkt run command manually on the server as root, and it gives the same problem:
/usr/bin/rkt run --debug --mount volume=etcd-certs,target=/etc/ssl/etcd --volume etcd-certs,kind=host,source=/etc/ssl/etcd --trust-keys-from-https --mount volume=systemd-dir,target=/run/systemd/system --volume systemd-dir,kind=host,source=/run/systemd/system,readOnly=true --volume data-dir,kind=host,source=/mnt/data --mount volume=etc-ssl-certs,target=/etc/ssl/certs --volume etc-ssl-certs,kind=host,source=/etc/ssl/certs --stage1-from-dir=stage1-fly.aci coreos.com/etcd:v3.0.7 --user=232 --exec=/etcd -- --election-timeout=1200 --advertise-client-urls=https://172.23.1.10:2379 --initial-advertise-peer-urls=https://172.23.1.10:2380 --initial-cluster=etcd1=https://172.23.1.10:2380,etcd2=https://172.23.1.11:2380,etcd3=https://172.23.1.12:2380 --initial-cluster-state=new --initial-cluster-token=k8s_etcd --listen-client-urls=https://172.23.1.10:2379,https://127.0.0.1:2379 --listen-peer-urls=https://172.23.1.10:2380 --name=etcd1 --peer-trusted-ca-file=/etc/ssl/etcd/kube-ca.pem --peer-cert-file=/etc/ssl/etcd/kube-etcd-member.pem --peer-key-file=/etc/ssl/etcd/kube-etcd-member-key.pem --peer-client-cert-auth=true --trusted-ca-file=/etc/ssl/etcd/kube-ca.pem --cert-file=/etc/ssl/etcd/kube-etcd.pem --key-file=/etc/ssl/etcd/kube-etcd-key.pem --client-cert-auth=true
image: using image from file /usr/lib64/rkt/stage1-images/stage1-fly.aci
image: using image from local store for image name coreos.com/etcd:v3.0.7
stage0: Preparing stage1
stage0: Writing image manifest
stage0: Loading image sha512-f7e8c8ac24b6b995987bc4362beeeaacd859c0aaa8b6258655d79d37605d0905
stage0: Writing image manifest
stage0: Writing pod manifest
stage0: Setting up stage1
stage0: Wrote filesystem to /var/lib/rkt/pods/run/d07430ed-62ca-4d2d-bd85-8d0783a54e1f
stage0: Pivoting to filesystem /var/lib/rkt/pods/run/d07430ed-62ca-4d2d-bd85-8d0783a54e1f
stage0: Execing /run
run: adding {V:,kind= M:{Volume:etcd-certs Path:/etc/ssl/etcd}}
run: adding {V:,kind= M:{Volume:systemd-dir Path:/run/systemd/system}}
run: adding {V:,kind= M:{Volume:etc-ssl-certs Path:/etc/ssl/certs}}
run: adding {V:,kind= M:{Volume:data-dir Path:/data-dir}}
run: adding {V:etcd-certs,kind=host,source=/etc/ssl/etcd M:{Volume:etcd-certs Path:/etc/ssl/etcd}}
run: adding {V:systemd-dir,kind=host,source=/run/systemd/system,readOnly=true M:{Volume:systemd-dir Path:/run/systemd/system}}
run: adding {V:data-dir,kind=host,source=/mnt/data M:{Volume:data-dir Path:/data-dir}}
run: adding {V:etc-ssl-certs,kind=host,source=/etc/ssl/certs M:{Volume:etc-ssl-certs Path:/etc/ssl/certs}}
run: adding {V:data-dir,kind=host,source=/mnt/data,readOnly=false M:{Volume:data-dir Path:/data-dir}}
run: chroot to "stage1/rootfs/opt/stage2/etcd/rootfs"
run: setting uid 232 gid 0
run: execing ["/etcd" "--election-timeout=1200" "--advertise-client-urls=https://172.23.1.10:2379" "--initial-advertise-peer-urls=https://172.23.1.10:2380" "--initial-cluster=etcd1=https://172.23.1.10:2380,etcd2=https://172.23.1.11:2380,etcd3=https://172.23.1.12:2380" "--initial-cluster-state=new" "--initial-cluster-token=k8s_etcd" "--listen-client-urls=https://172.23.1.10:2379,https://127.0.0.1:2379" "--listen-peer-urls=https://172.23.1.10:2380" "--name=etcd1" "--peer-trusted-ca-file=/etc/ssl/etcd/kube-ca.pem" "--peer-cert-file=/etc/ssl/etcd/kube-etcd-member.pem" "--peer-key-file=/etc/ssl/etcd/kube-etcd-member-key.pem" "--peer-client-cert-auth=true" "--trusted-ca-file=/etc/ssl/etcd/kube-ca.pem" "--cert-file=/etc/ssl/etcd/kube-etcd.pem" "--key-file=/etc/ssl/etcd/kube-etcd-key.pem" "--client-cert-auth=true"] in "stage1/rootfs/opt/stage2/etcd/rootfs"
2016-09-01 12:22:14.146834 I | flags: recognized and used environment variable ETCD_DATA_DIR=/data-dir
2016-09-01 12:22:14.148874 I | etcdmain: etcd Version: 3.0.7
2016-09-01 12:22:14.148956 I | etcdmain: Git SHA: 5695120
2016-09-01 12:22:14.149045 I | etcdmain: Go Version: go1.6.3
2016-09-01 12:22:14.149123 I | etcdmain: Go OS/Arch: linux/amd64
2016-09-01 12:22:14.149206 I | etcdmain: setting maximum number of CPUs to 1, total number of available CPUs is 1
2016-09-01 12:22:14.149324 W | etcdmain: found invalid file/dir lost+found under data dir /data-dir (Ignore this if you are upgrading etcd)
2016-09-01 12:22:14.149410 I | etcdmain: peerTLS: cert = /etc/ssl/etcd/kube-etcd-member.pem, key = /etc/ssl/etcd/kube-etcd-member-key.pem, ca = , trusted-ca = /etc/ssl/etcd/kube-ca.pem, client-cert-auth = true
2016-09-01 12:22:14.149488 C | etcdmain: open /etc/ssl/etcd/kube-etcd-member.pem: permission denied
Please let me know your inputs on why it complains with a permission denied error for the SSL certs.
Thanks!
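As an added example (not code from this issue or from the rkt/etcd projects): the log above shows rkt dropping to "uid 232 gid 0" right before etcd opens the mounted certificate, so the "permission denied" is the host-side file mode being checked against that uid, not a mount failure. The POSIX shell check below, run on the host before starting the wrapper, tests whether uid 232 can traverse /etc/ssl/etcd and read each certificate and key named in the command. It assumes GNU stat (-c); gid 232 and the chown/chmod remedy it prints are assumptions, not something the issue states.

```shell
#!/bin/sh
# Added example: pre-flight check that the uid rkt runs etcd as (--user=232
# in the issue) can read the host TLS files mounted into /etc/ssl/etcd.
ETCD_UID=232
ETCD_GID=232   # assumed group to grant read access through; not from the issue

# has_perm FILE UID GID MASK: 0 if UID (primary group GID) has MASK (4=read,
# 1=search/exec) on FILE according to its owner/group/mode, like the kernel.
has_perm() {
    info=$(stat -c '%u %g %a' "$1" 2>/dev/null) || return 1
    set -- "$2" "$3" "$4" $info        # uid gid mask owner group mode
    [ "$1" -eq 0 ] && return 0         # root bypasses mode bits
    mode=$(printf '%04d' "$6" | tail -c 3)   # drop setuid/setgid/sticky digit
    if [ "$4" -eq "$1" ]; then digit=$(printf '%s' "$mode" | cut -c1)
    elif [ "$5" -eq "$2" ]; then digit=$(printf '%s' "$mode" | cut -c2)
    else digit=$(printf '%s' "$mode" | cut -c3)
    fi
    [ $(( $digit & $3 )) -ne 0 ]
}

readable_by() { has_perm "$1" "$2" "$3" 4; }

# check_etcd_certs DIR UID GID: reports each file from the etcd command line
# that UID cannot read; returns 1 if anything was denied, 0 if all readable.
check_etcd_certs() {
    bad=0
    if ! has_perm "$1" "$2" "$3" 1; then
        echo "DENIED   $1/ is not searchable by uid $2"; bad=1
    fi
    for name in kube-ca.pem kube-etcd.pem kube-etcd-key.pem \
                kube-etcd-member.pem kube-etcd-member-key.pem; do
        f="$1/$name"
        if readable_by "$f" "$2" "$3"; then
            echo "ok       $f"
        else
            echo "DENIED   $f  (e.g. chown root:$3 '$f' && chmod 0640 '$f')"
            bad=1
        fi
    done
    return $bad
}

# Only touch the real directory from the issue when it exists on this host.
if [ -d /etc/ssl/etcd ]; then
    check_etcd_certs /etc/ssl/etcd "$ETCD_UID" "$ETCD_GID"
fi
```

A clean run prints only "ok" lines and exits 0, so it can gate an ExecStartPre before the wrapper hands the files to the unprivileged etcd process.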