fluent / fluentd-kubernetes-daemonset

Fluentd daemonset for Kubernetes and its Docker image
Apache License 2.0
1.26k stars 978 forks

Fails to start with readOnlyFilesystem + emptyDir mount #1393

Closed MartinEmrich closed 1 year ago

MartinEmrich commented 1 year ago

fluentd expects to have a "secure" temporary directory to write its lockfile. This means that it is either not world-writable, or has the sticky bit (t) set.

Running in Kubernetes with readOnlyFilesystem on, one has to explicitly provide that directory (e.g. /tmp) using a volumeMount. But that mount is world-writable and has no sticky bit set, so fluentd crashes with this error:

...
2022-11-08 11:15:33 +0000 [info]: init supervisor logger path=nil rotate_age=nil rotate_size=nil
system temporary path is world-writable: /tmp
/tmp is world-writable: /tmp
. is world-writable: /home/fluent
Unexpected error could not find a temporary directory
  /usr/local/lib/ruby/3.1.0/tmpdir.rb:39:in `tmpdir'
...

Fluentd itself apparently does not consider this a bug (see https://github.com/fluent/fluentd/issues/3924); in non-containerized environments, that behaviour would of course be desirable.

This could possibly be fixed in the entrypoint.sh by adding chmod +t /tmp before executing fluentd?

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days

github-actions[bot] commented 1 year ago

This issue was automatically closed because of stale in 30 days

MartinEmrich commented 1 year ago

Workaround: use an initContainer to chmod the directories, e.g.:

...
      initContainers:
        - name: chmod-tempdirs
          image: fluent/fluentd-kubernetes-daemonset:v1.16-debian-graylog-1
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # runAsNonRoot: true
            capabilities:
              drop:
                - all
          # command is a list of strings in the container spec, not a scalar
          command: ["/bin/sh"]
          args:
            - "-c"
            # remove "other" permissions so the dirs are no longer world-writable
            - "chmod o-rwx /home/fluent /tmp"
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: homefluent
              mountPath: /home/fluent
...
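As an added example, not code from fluentd or from this repository: a small Ruby reimplementation of the directory check that Ruby's `Dir.tmpdir` applies (the source of the "is world-writable" lines in the log quoted in the first comment), together with the two fixes the thread discusses, `chmod +t` from the first comment and `chmod o-rwx` from the initContainer workaround above. The function names `secure_tmpdir?`, `find_tmpdir` and `harden_tmpdir!` are my own; the acceptance condition (directory, writable, and either not world-writable or sticky) is the one Ruby's tmpdir.rb uses.

```ruby
# Added example (not fluentd's or this repository's code): the check Ruby's
# Dir.tmpdir applies before it accepts a directory, and the two ways of making
# an emptyDir mount pass it. Function names are my own.
require "tmpdir"

# Ruby's rule: the directory must exist, be writable by us, and be either not
# world-writable or world-writable *with* the sticky bit (like a normal /tmp).
def secure_tmpdir?(path)
  st = File.stat(path)
  st.directory? && st.writable? && (!st.world_writable? || st.sticky?)
rescue SystemCallError
  false
end

# Walk [label, dir] candidates in order, as Dir.tmpdir does with TMPDIR,
# the system temp path, /tmp and ".", reporting why each one is skipped.
# Returns the first acceptable directory, or nil where Ruby raises
# "could not find a temporary directory".
def find_tmpdir(candidates, log: $stderr)
  candidates.each do |label, dir|
    next if dir.nil? || dir.empty?
    st = File.stat(dir) rescue next
    if !st.directory?
      log.puts "#{label} is not a directory: #{dir}"
    elsif !st.writable?
      log.puts "#{label} is not writable: #{dir}"
    elsif st.world_writable? && !st.sticky?
      log.puts "#{label} is world-writable: #{dir}"
    else
      return dir
    end
  end
  nil
end

# Make +path+ acceptable. :sticky is the chmod +t suggested for entrypoint.sh;
# :private is the chmod o-rwx used by the initContainer workaround.
# Returns the new permission bits.
def harden_tmpdir!(path, strategy)
  mode = File.stat(path).mode & 0o7777
  new_mode =
    case strategy
    when :sticky  then mode | 0o1000     # keep 0777, add the t bit
    when :private then mode & ~0o007     # drop rwx for "other"
    else raise ArgumentError, "unknown strategy #{strategy.inspect}"
    end
  File.chmod(new_mode, path)
  new_mode
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    # Constructed stand-in for a world-writable emptyDir mounted at /tmp.
    mount = File.join(root, "tmp")
    Dir.mkdir(mount)
    File.chmod(0o777, mount)
    p find_tmpdir([["TMPDIR", mount], ["/tmp", mount]])  # nil, after two warnings
    harden_tmpdir!(mount, :sticky)
    p find_tmpdir([["TMPDIR", mount]])                   # the mount path
  end
end
```

Run it with `ruby tmpdir_check.rb`: the first lookup fails exactly the way fluentd does on a fresh emptyDir, the second succeeds after the sticky bit is set. The `:private` strategy is the more restrictive of the two, since it also stops other users of the node's shared volume from writing into the directory, whereas `:sticky` keeps the directory world-writable and only prevents deletion of other users' files.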