[RTFACT-18609] Kubernetes persistentvolume permissions using Rook - JFrog JIRA

Details

Type: Bug
Status: Open
Priority: Blocker
Resolution: Unresolved
Affects Version/s: 6.8.3
Fix Version/s: None
Component/s: Artifact Storage, Kubernetes
Labels:
None
Environment:

Hide

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.3", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"clean", BuildDate:"2019-02-01T20:08:12Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:28:14Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}

$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-1 Ready <none> 24d v1.13.3
k8s-2 Ready <none> 24d v1.13.3
k8s-3 Ready <none> 24d v1.13.3
k8s-master-01 Ready master 24d v1.13.3

Show
$ kubectl version Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.3", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"clean", BuildDate:"2019-02-01T20:08:12Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:28:14Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"} $ kubectl get nodes NAME STATUS ROLES AGE VERSION k8s-1 Ready <none> 24d v1.13.3 k8s-2 Ready <none> 24d v1.13.3 k8s-3 Ready <none> 24d v1.13.3 k8s-master-01 Ready master 24d v1.13.3

Description

I am attempting to to follow the guide found here on getting Artifactory running on Kubernetes:

https://github.com/jfrog/artifactory-docker-examples/tree/master/kubernetes

Issue I am getting is the persistentVolume is mounted to the container with root privileges and the permissions checks fail when the artifactory container starts.

$ kubectl create -f artifactory-oss.yml
deployment.extensions/artifactory-k8s-deployment created
service/artifactory created
$ kubectl logs -f artifactory-k8s-deployment-b8b9bb5fd-klkh6
Error from server (BadRequest): container "artifactory-oss-k8s" in pod "artifactory-k8s-deployment-b8b9bb5fd-klkh6" is waiting to start: ContainerCreating
$ kubectl logs -f artifactory-k8s-deployment-b8b9bb5fd-klkh6
2019-02-26 20:08:18 [456 entrypoint-artifactory.sh] Preparing to run Artifactory in Docker
2019-02-26 20:08:18 [457 entrypoint-artifactory.sh] Running as uid=1030(artifactory) gid=1030(artifactory) groups=1030(artifactory)
2019-02-26 20:08:18 [49 entrypoint-artifactory.sh] Dockerfile for this image can found inside the container.
2019-02-26 20:08:18 [50 entrypoint-artifactory.sh] To view the Dockerfile: 'cat /docker/artifactory-oss/Dockerfile.artifactory'.
2019-02-26 20:08:18 [55 entrypoint-artifactory.sh] Checking open files and processes limits
2019-02-26 20:08:18 [58 entrypoint-artifactory.sh] Current max open files is 1048576
2019-02-26 20:08:18 [70 entrypoint-artifactory.sh] Current max open processes is unlimited
2019-02-26 20:08:18 [198 entrypoint-artifactory.sh] Setting up Artifactory data directories if missing
2019-02-26 20:08:19 [169 entrypoint-artifactory.sh] Testing directory /var/opt/jfrog/artifactory has read/write permissions for user 'artifactory' (id 1030)
/entrypoint-artifactory.sh: line 138: /var/opt/jfrog/artifactory/lost+found/test-permissions: Permission denied
2019-02-26 20:08:19 [187 entrypoint-artifactory.sh] ###########################################################
2019-02-26 20:08:19 [188 entrypoint-artifactory.sh] /var/opt/jfrog/artifactory DOES NOT have proper permissions for user 'artifactory' (id 1030)
2019-02-26 20:08:19 [189 entrypoint-artifactory.sh] Directory: /var/opt/jfrog/artifactory, permissions: 2775, owner: root, group: artifactory
2019-02-26 20:08:19 [190 entrypoint-artifactory.sh] Mounted directory must have read/write permissions for user 'artifactory' (id 1030)
2019-02-26 20:08:19 [191 entrypoint-artifactory.sh] ###########################################################
2019-02-26 20:08:19 [39 entrypoint-artifactory.sh] ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030)

I have attempted to modify the artifactory.yml file to use a securityContext to mount the drive with gid=1030 (artifactory) which isn't working

$ cat artifactory-oss.yml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: artifactory-k8s-deployment
spec:
replicas: 1
template:
metadata:
labels:
app: artifactory-oss-k8s
group: artifactory-k8s-demo
spec:
securityContext:
runAsUser: 1030
fsGroup: 1030
containers:

name: artifactory-oss-k8s
image: docker.bintray.io/jfrog/artifactory-oss:6.8.3
env:
name: DB_TYPE
value: postgresql

--~~SNIP~~--

This isn't helping/working.

I know things are working as the postgres container started up and performed the necessary changes to get the mount point permission fixed. Within the postgesql container, the process is running as postgres with permissions set correctly on mount point:

root@postgresql-k8s-deployment-68bfd894dd-hwrsb:/# ls -lah /var/lib/postgresql/
total 12K
drwxr-xr-x 1 postgres postgres 4.0K Nov 16 06:07 .
drwxr-xr-x 1 root root 4.0K Nov 16 06:06 ..
drwx------ 19 postgres root 4.0K Feb 26 17:44 data

This should be addressed so this published deployment works.

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Andrew

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

26/Feb/19 8:58 PM

Updated:

26/Feb/19 8:58 PM