ibm-messaging / mq-helm

Apache License 2.0

QM Deployed error - Permission denied attempting to access INI file when mounting a config map to QM #108

Open ngocHung2000 opened 1 week ago

ngocHung2000 commented 1 week ago

Hi,

Currently, we tried to deploy a QM on AWS EKS and we got an error.

[image: screenshot of the deployment error]

You can see the values.yaml file we use when deploying MQ here:

# © Copyright IBM Corporation 2022
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
license: accept
queueManager:
  nativeha:
    enable: true
    tls:
      secretName: helmsecure
  multiinstance:
    enable: true
  mqscConfigMaps:
  - name: helmsecure
    items:
      - mq.mqsc
  qminiConfigMaps:
    - name: helmsecure
      items:
        - mq.ini

security:
  # It appears that minikube default storageClass does not support
  # fsgroup or  supplementaryGroups correctly. Therefore we need
  # to use an initContainer to reset the ownership of the storage.
  # https://github.com/kubernetes/minikube/issues/1990
  initVolumeAsRoot: true
  fsGroup: 0

livenessProbe:
  failureThreshold: 3
metadata:
  annotations:
    productName: IBM MQ Advanced
    productID: "2f886a3eefbe4ccb89b2adb97c78b9cb"
    productChargedContainers: ""
    productMetric: VIRTUAL_PROCESSOR_CORE

# route:
#   ingress:
#     webconsole:
#       enable: true
#       hostname: qm-03.aws-cp4i-dev.hdbank.com.vn
#       path: /
#       tls:
#         enable: true
#     annotations:
#       kubernetes.io/ingress.class: nginx
#       nginx.ingress.kubernetes.io/backend-protocol: HTTPS
#       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

image:
  # repository is the container repository to use
  repository: 377860792308.dkr.ecr.ap-southeast-1.amazonaws.com/ecr-apse1-esb/icr.io/ibm-messaging/mq
  # tag is the tag to use for the container repository
  tag: 9.3.5.0-r1
  # pullSecret is the secret to use when pulling the image from a private registry
  pullSecret:
  # pullPolicy is either IfNotPresent or Always (https://kubernetes.io/docs/concepts/containers/images/)
  pullPolicy: IfNotPresent

persistence:
  # dataPVC section specifies settings for the main Persistent Volume Claim, which is used for data in /var/mqm -> /mnt/mqm
  dataPVC:
    # enable is whether to use this Persistent Volume or not
    enable: true
    # name sets part of the name for this Persistent Volume Claim
    name: "data"
    ## size is the minimum size of the Persistent Volume
    size: 2Gi
    ## storageClass to use for this PVCs
    storageClassName: "efs-sc"

  # logPVC section specifies settings for the main Persistent Volume Claim, which is used for log in /mnt/mqm-log
  logPVC:
    # enable is whether to use this Persistent Volume or not
    enable: false
    # name sets part of the name for this Persistent Volume Claim
    name: "log"
    ## size is the minimum size of the Persistent Volume
    size: 2Gi
    ## storageClass to use for this PVCs
    storageClassName: "efs-ap"

  # qmPVC section specifies settings for the Persistent Volume Claim, which is used for queue manager data in /mnt/mqm-data
  qmPVC:
    # enable is whether to use this Persistent Volume or not
    enable: false
    # name sets part of the name for this Persistent Volume Claim
    name: "qm"
    ## size is the minimum size of the Persistent Volume
    size: 2Gi
    ## storageClass to use for this PVCs
    storageClassName: "efs-ap"

vgavinash commented 1 week ago

@ngocHung2000 since it's a volume of type nfs, it is creating a permissions issue on the MQ folders. Appropriate fsGroup/supplementalGroups need to be added. The values will be specific to the storage class you use, i.e., for efs-sc/efs-ap in your case. You will have to figure out the appropriate values for your storage class.
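To make the point above concrete, here is an added example (not code from the mq-helm chart or from anyone in this thread) that reproduces the POSIX permission decision the kernel makes when the queue manager process opens a file on the mounted volume. On NFS-backed storage such as EFS, Kubernetes does not chown the volume contents, so the only effect of `fsGroup`/`supplementalGroups` is to add that GID to the container process's supplementary groups; the example shows how that alone flips a read from denied to allowed. All uid/gid/mode values in the scenario are constructed, and `diagnose()` is a helper of this example that can be pointed at a real path (for instance the INI file mount inside the container) to see which permission class applies.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileOwner:
    mode: int   # permission bits only, e.g. 0o640
    uid: int
    gid: int


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int                 # primary gid
    groups: tuple = ()       # supplementary gids; this is where fsGroup/supplementalGroups land


def _perm_class(f: FileOwner, p: Process) -> str:
    """Which of the three permission classes (owner/group/other) applies to p for f."""
    if p.uid == f.uid:
        return "owner"
    if f.gid == p.gid or f.gid in p.groups:
        return "group"
    return "other"


def can_access(f: FileOwner, p: Process, want: str = "r") -> bool:
    """Return True if process p may open file f with the requested access.

    want is any combination of 'r', 'w', 'x'. Root (uid 0) is granted r/w
    unconditionally and x only if some execute bit is set, as on Linux.
    """
    need = {"r": 4, "w": 2, "x": 1}
    bits = sum(need[c] for c in want)
    if p.uid == 0:
        return not ("x" in want and not (f.mode & 0o111))
    shift = {"owner": 6, "group": 3, "other": 0}[_perm_class(f, p)]
    cls = (f.mode >> shift) & 7
    return cls & bits == bits


def diagnose(path: str, p: Process) -> dict:
    """Stat a real path and report the applicable class and the access outcome."""
    st = os.stat(path)
    f = FileOwner(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return {
        "path": path,
        "mode": oct(f.mode),
        "uid": f.uid,
        "gid": f.gid,
        "class": _perm_class(f, p),
        "readable": can_access(f, p, "r"),
        "writable": can_access(f, p, "w"),
    }


def current_process() -> Process:
    """The identity of the running process, as the kernel sees it."""
    return Process(os.getuid(), os.getgid(), tuple(os.getgroups()))


if __name__ == "__main__":
    # Constructed scenario: the volume's files are owned by uid 1000, group 2000,
    # mode 0640; the MQ process runs as uid 1001 with no matching group.
    ini = FileOwner(0o640, uid=1000, gid=2000)
    without_fsgroup = Process(uid=1001, gid=1001)
    with_fsgroup = Process(uid=1001, gid=1001, groups=(2000,))
    print("no fsGroup:   readable =", can_access(ini, without_fsgroup))   # False
    print("fsGroup 2000: readable =", can_access(ini, with_fsgroup))      # True
    print("fsGroup 2000: writable =", can_access(ini, with_fsgroup, "w")) # False, 0640 has no group write
    print(diagnose("/", current_process()))
```

Run inside the container against the real mount to read off the owning GID, then set that GID as `fsGroup` or in `supplementalGroups`; the example also shows that a group read bit alone is not enough when the queue manager needs to write (mode 0640 still denies "w"), so the volume's mode matters as much as its GID.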

callumpjackson commented 1 week ago

Another correction is that you shouldn't have both nativeHA and multi-instance enabled:

  nativeha:
    enable: true
    tls:
      secretName: helmsecure
  multiinstance:
    enable: true

Personally I would suggest starting with NativeHA and EBS storage as this is the more straightforward solution.