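Previously, when deploying Elasticsearch to K8S with a hostPath Volume, I ran into the failed to obtain node locks problem, as follows:
It looks like Elasticsearch cannot create files under /usr/share/elasticsearch/data. Searching online, I found that the method shown in red below (the initContainers section) resolves the permission problem:
If the Volume uses hostPath, an initContainer can use chown to change the ownership of the volume's path: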
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch
spec:
  serviceName: "elasticsearch"
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      initContainers:
      - name: set-permissions
        image: registry.hub.docker.com/library/busybox:latest
        command: ['sh', '-c', 'mkdir -p /usr/share/elasticsearch/data && chown 1000:1000 /usr/share/elasticsearch/data' ]
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
      containers:
      - name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch:6.6.1
        env:
        - name: discovery.type
          value: single-node
        ports:
        - containerPort: 9200
          name: client
        - containerPort: 9300
          name: nodes
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
      volumes:
      - name: data
        hostPath:
          path: /indexdata
---
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  labels:
    service: elasticsearch
spec:
  ports:
  - port: 9200
    name: client
  - port: 9300
    name: nodes
  type: NodePort
  selector:
    app: elasticsearch
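Digging deeper, /indexdata on the host was originally owned by root:root, but after startup it became danny:danny.
This should be because the InitContainer shown in red ran the following after it started (userid 1000 is danny):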
mkdir -p /usr/share/elasticsearch/data && chown 1000:1000 /usr/share/elasticsearch/data
Root Cause: This is necessary when a container in the pod runs as a user other than root and needs write permission on the mounted volume.
Further reading: Kubernetes: how to set VolumeMount user group and file permissions