一尘不染

Permission denied when chown-ing the Elasticsearch data directory in a Kubernetes StatefulSet

elasticsearch

Hoping someone can help me with what looks like a permissions error. I am trying to bring up a 3-node Elasticsearch cluster using the official Elasticsearch Docker image. When the container starts, I get an "access denied" error from Elasticsearch on /usr/share/elasticsearch/data/nodes, so I tried adding a command to make elasticsearch the owner of /usr/share/elasticsearch/data. But when I include the chown command, I get these errors:

chown: cannot read directory '/usr/share/elasticsearch/data/lost+found': Permission denied
chown: changing ownership of '/usr/share/elasticsearch/data': Operation not permitted

Here is my StatefulSet YAML file:

apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: esnode
spec:
  serviceName: elasticsearch-transport
  replicas: 3
  template:
    metadata:
      labels:
        app: evo-pro-cluster
    spec:
      initContainers:
      - name: init-sysctl
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      containers:
      - name: elasticsearch
        securityContext:
          privileged: true
          capabilities:
            add:
            - IPC_LOCK
            - SYS_RESOURCE
        command: ["/bin/sh"]
        args: ["-c", "chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data"]
        image: docker.elastic.co/elasticsearch/elasticsearch:5.6.1
        imagePullPolicy: Always
        env:
        - name: "ES_JAVA_OPTS"
          value: "-Xms6g -Xmx6g"
        ports:
        - containerPort: 9200
          name: http
          protocol: TCP
        - containerPort: 9300
          name: transport
          protocol: TCP
        volumeMounts:
        - name: storage
          mountPath: /usr/share/elasticsearch/data
        - name: config
          mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
          subPath: elasticsearch.yml
      volumes:
        - name: config
          configMap:
            name: elasticsearch-config
  volumeClaimTemplates:
  - metadata:
      name: storage
      annotations:
        storageClassName: standard
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 110Gi

Views: 1020

2020-06-22

1 answer

一尘不染

This particular Docker image expects the data directory to be writable by uid 2000. You can tell Kubernetes to (sort of) chown the mount point for your pod by adding .spec.securityContext.fsGroup:

apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: esnode
spec:
  ...
  securityContext:
    fsGroup: 2000

(You can of course then get rid of the chown hack or the initContainer.)

fsGroup (integer): A special supplemental group that applies to all containers in the pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup.
2. The setgid bit is set (new files created in the volume will be owned by FSGroup).
3. The permission bits are OR'd with rw-rw----.
If unset, the Kubelet will not modify the ownership and permissions of any volume.

2020-06-22
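To see concretely what the fsGroup rules quoted in the answer do to a volume like the one in the question, here is an added Python simulation; it is not code from the original post or from Kubernetes itself. It applies the three quoted rules, plus the group execute bit the kubelet also sets on directories so that group members can traverse them, to a constructed directory tree containing a lost+found entry with the usual 0700 mode. The fsGroup value (the running user's own primary group, so the script needs no root) and the file layout are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Constructed example (not the kubelet's own code): simulate what fsGroup does
# to a volume, following the three rules quoted in the answer (owning GID =
# fsGroup, setgid bit on directories, permission bits OR'd with rw-rw----) plus
# the group execute bit the kubelet also sets on directories so the group can
# traverse them.

RW_MASK = 0o660    # rw-rw----
EXEC_MASK = 0o110  # --x--x---, directories only


def fsgroup_mode(mode, is_dir):
    """Permission bits an entry ends up with after the fsGroup fix-up."""
    new_mode = stat.S_IMODE(mode) | RW_MASK
    if is_dir:
        new_mode |= EXEC_MASK | stat.S_ISGID
    return new_mode


def apply_fsgroup(root, gid):
    """Apply the fsGroup rules to every entry under root (root included).

    Returns {relative_path: (gid, mode)} describing the resulting state so the
    caller can verify the effect. Symlinks are skipped, as chmod would follow them.
    """
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    result = {}
    for path in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        os.chown(path, -1, gid)  # rule 1: owning GID becomes fsGroup
        # rules 2 and 3: setgid (directories) and OR with rw-rw----
        os.chmod(path, fsgroup_mode(st.st_mode, stat.S_ISDIR(st.st_mode)))
        st = os.lstat(path)
        result[os.path.relpath(path, root)] = (st.st_gid, stat.S_IMODE(st.st_mode))
    return result


def demo():
    """Build a constructed data-directory layout like the question's and fix it up.

    The current process's primary GID stands in for fsGroup so this runs
    unprivileged; a real pod would use the value from the manifest.
    """
    gid = os.getgid()
    root = tempfile.mkdtemp(prefix="esdata-")  # mkdtemp creates the root as 0700
    try:
        lost_found = os.path.join(root, "lost+found")
        nodes = os.path.join(root, "nodes")
        lock_file = os.path.join(nodes, "node.lock")
        os.mkdir(lost_found)
        os.chmod(lost_found, 0o700)  # explicit modes so the umask does not matter
        os.mkdir(nodes)
        os.chmod(nodes, 0o755)
        with open(lock_file, "w"):
            pass
        os.chmod(lock_file, 0o644)
        return gid, apply_fsgroup(root, gid)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    fs_gid, entries = demo()
    for rel, (owner_gid, mode) in sorted(entries.items()):
        print(f"{rel:20s} gid={owner_gid} mode={oct(mode)}")
```

Running it shows the 0700 lost+found directory ending up as 2770 and the 0644 lock file as 0664, all group-owned by the fsGroup value. The kubelet performs this fix-up on the volume before the container starts, so it does not depend on the container's own user being allowed to chown the mount, which is exactly where the in-container chown in the question was denied.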