vmware-archive / purser

Kubernetes Cloud Native Applications visibility

facing issues deploying purser-ui on OpenShift #272

Open canit00 opened 5 years ago

canit00 commented 5 years ago

While attempting to deploy purser on OpenShift, I am facing one of many permission issues, in particular with: kreddyj/purser:ui-1.0.2

Permission errors received for dirs: /var/cache/nginx/ and /var/run/

oc logs purser-ui-76b56779b5-5xjkx
2019/10/20 16:34:02 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2019/10/20 16:34:02 [emerg] 1#1: open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
oc logs purser-ui-96d5cdd46-dgpwb
2019/10/08 16:49:14 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2019/10/08 16:49:14 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

As a temporary workaround, I created an emptyDir volume and mounted it for the said dirs.

Working deployment:

apiVersion: v1
kind: Service
metadata:
  name: purser-ui
  labels:
    run: purser-ui
    app: purser
  annotations:
    description: "Exposes and load balances purser-ui"
spec:
  selector:
    app: purser
    run: purser-ui
  ports:
  - protocol: TCP
    port: 80
    targetPort: 4200
  type: ClusterIP
---
kind: Route
apiVersion: v1
metadata:
  name: purser-ui
  labels:
    app: purser
    run: purser-ui
  annotations:
    template.openshift.io/expose-uri: "http://{{.spec.host}}"
spec:
  to:
    kind: Service
    name: purser-ui
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: purser-ui
spec:
  selector:
    matchLabels:
      app: purser
      run: purser-ui
  replicas: 1
  template:
    metadata:
      labels:
        app: purser
        run: purser-ui
    spec:
      containers:
      - name: purser-ui
        image: kreddyj/purser:ui-1.0.2
        imagePullPolicy: Always
        resources:
          limits:
            memory: 1200Mi
            cpu: 500m
          requests:
            memory: 1200Mi
            cpu: 500m
        ports:
        - containerPort: 4200
        volumeMounts:
        - mountPath: /var/cache/nginx/
          name: nginx
        - mountPath: /var/run/
          name: nginx
      volumes:
      - emptyDir: {}
        name: nginx

However, using emptyDir is not following best practices. In order to make this work without it, I would need to add a new layer to the said image following "Support Arbitrary User IDs", but I'd prefer the authors to provide a working image when deploying to OpenShift.

In addition, when deploying to OpenShift, the only time one would consider using a nodePort is when ingress traffic is non-HTTP/HTTPS.

When the pod is finally up and running, the pod's user ID:

$ id
uid=1000140000 gid=0(root) groups=0(root),1000140000

Pod description:

oc describe po purser-ui-84697b94fd-7jhsm
Name:               purser-ui-84697b94fd-7jhsm
Namespace:          purser
Priority:           0
PriorityClassName:  <none>
Node:               aio.domain.us/192.168.122.99
Start Time:         Sun, 20 Oct 2019 18:00:17 -0400
Labels:             app=purser
                    pod-template-hash=4025365098
                    run=purser-ui
Annotations:        openshift.io/scc=restricted
Status:             Running
IP:                 10.128.1.18
Controlled By:      ReplicaSet/purser-ui-84697b94fd
Containers:
  purser-ui:
    Container ID:   docker://462744cfe02d551bd1f7d6e1477d0e6b123c7ec4b451ea1917c7495a5400956f
    Image:          kreddyj/purser:ui-1.0.2
    Image ID:       docker-pullable://docker.io/kreddyj/purser@sha256:d417443ffbaf4ebc146c68f13f0a278d38955b4c8f69930caf6f72c1908c617f
    Port:           4200/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sun, 20 Oct 2019 18:00:20 -0400
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  1200Mi
    Requests:
      cpu:        500m
      memory:     1200Mi
    Environment:  <none>
    Mounts:
      /var/cache/nginx/ from nginx (rw)
      /var/run/ from nginx (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-db6t2 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  nginx:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:  
  default-token-db6t2:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-db6t2
    Optional:    false
QoS Class:       Guaranteed
Node-Selectors:  node-role.kubernetes.io/compute=true
Tolerations:     node.kubernetes.io/memory-pressure:NoSchedule
Events:
  Type    Reason     Age   From                     Message
  ----    ------     ----  ----                     -------
  Normal  Scheduled  7m    default-scheduler        Successfully assigned purser/purser-ui-84697b94fd-7jhsm to aio.domain.us
  Normal  Pulled     7m    kubelet, aio.domain.us  Container image "kreddyj/purser:ui-1.0.2" already present on machine
  Normal  Created    7m    kubelet, aio.domain.us  Created container
  Normal  Started    7m    kubelet, aio.domain.us  Started container

Still trying to understand the Filter drop-down under Capacity - as I am not sure if it is not working or I need more time to play around with it.

OpenShift version:

oc v3.11.135
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://aio.domain.us:8443
openshift v3.11.135
kubernetes v1.11.0+d4cacc0
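
The issue above asks for an image that runs under OpenShift's arbitrary user IDs without the emptyDir mounts. As an added example (not code from the issue, the purser project or its image), this script audits the directories nginx failed on and applies the `chgrp -R 0` / `chmod -R g=u` step from the arbitrary-UID guidance; the function names `list_blocked`, `is_ready` and `make_ready` are hypothetical, and `make_ready` is meant to run as root at image build time.

```shell
#!/bin/sh
# Added example (not from the issue or the purser image).
# Under the restricted SCC the pod runs as an arbitrary UID whose primary
# group is 0 (see the `id` output above), so every path nginx writes to must
# belong to GID 0 and give the group the same access as the owner.

# list_blocked DIR [GID]: print entries under DIR the group cannot use:
# wrong group, no group read/write, or a directory without group rwx.
# -H follows DIR itself when it is a symlink (/var/run often points to /run).
list_blocked() {
    find -H "$1" ! -type l \( ! -group "${2:-0}" -o ! -perm -060 \
        -o \( -type d ! -perm -070 \) \) -print
}

# is_ready DIR [GID]: succeed only if DIR exists and nothing in it is blocked.
is_ready() {
    [ -d "$1" ] && [ -z "$(list_blocked "$1" "${2:-0}")" ]
}

# make_ready DIR [GID]: the image-build fix from the arbitrary-UID guidance:
# hand the tree to the group, then copy the owner's permission bits to it.
make_ready() {
    chgrp -R "${2:-0}" "$1" && chmod -R g=u "$1"
}

# Stand-alone use: pass the directories to audit, e.g.
#   sh audit.sh /var/cache/nginx /var/run
for d in "$@"; do
    if is_ready "$d"; then
        echo "ok       $d"
    else
        echo "blocked  $d"
        list_blocked "$d" | sed 's/^/           /'
    fi
done
```

A file the owner cannot write stays blocked after `make_ready`, because `g=u` only copies the owner's bits to the group.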