Permission denied on the Elasticsearch data directory in a Kubernetes StatefulSet

Hoping someone can help me figure out what looks like a permissions error. I am trying to stand up a 3-node Elasticsearch cluster using the official Elasticsearch Docker image. When the container starts, Elasticsearch reports "access denied" on /usr/share/elasticsearch/data/nodes, so I tried adding a command to make elasticsearch the owner of /usr/share/elasticsearch/data. But when I include the chown command I get these errors:

    chown: cannot read directory '/usr/share/elasticsearch/data/lost+found': Permission denied
    chown: changing ownership of '/usr/share/elasticsearch/data': Operation not permitted

Here is my StatefulSet YAML:

    apiVersion: apps/v1beta1
    kind: StatefulSet
    metadata:
      name: esnode
    spec:
      serviceName: elasticsearch-transport
      replicas: 3
      template:
        metadata:
          labels:
            app: evo-pro-cluster
        spec:
          initContainers:
            - name: init-sysctl
              image: busybox
              imagePullPolicy: IfNotPresent
              command: ["sysctl", "-w", "vm.max_map_count=262144"]
              securityContext:
                privileged: true
          containers:
            - name: elasticsearch
              securityContext:
                privileged: true
                capabilities:
                  add:
                    - IPC_LOCK
                    - SYS_RESOURCE
              # chown hack: replaces the image entrypoint, so Elasticsearch itself never starts
              command: ["/bin/sh"]
              args: ["-c", "chown -R elasticsearch:elasticsearch /usr/share/elasticsearch/data"]
              image: docker.elastic.co/elasticsearch/elasticsearch:5.6.1
              imagePullPolicy: Always
              env:
                - name: "ES_JAVA_OPTS"
                  value: "-Xms6g -Xmx6g"
              ports:
                - containerPort: 9200
                  name: http
                  protocol: TCP
                - containerPort: 9300
                  name: transport
                  protocol: TCP
              volumeMounts:
                - name: storage
                  mountPath: /usr/share/elasticsearch/data
                - name: config
                  mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
                  subPath: elasticsearch.yml
          volumes:
            - name: config
              configMap:
                name: elasticsearch-config
      volumeClaimTemplates:
        - metadata:
            name: storage
          spec:
            accessModes: [ "ReadWriteOnce" ]
            # storageClassName is a field of the claim spec, not an annotation
            storageClassName: standard
            resources:
              requests:
                storage: 110Gi

This particular Docker image expects the data directory to be writable by uid 2000. You can tell Kubernetes to change the group of the mount point for your container by adding .spec.securityContext.fsGroup:

    apiVersion: apps/v1beta1
    kind: StatefulSet
    metadata:
      name: esnode
    spec:
      ...
      template:
        ...
        spec:
          securityContext:
            fsGroup: 2000

(And of course you can get rid of the chown hack or the initContainer.)

fsGroup (integer): A special supplemental group that applies to all containers in a pod. Some volume types allow the kubelet to change the ownership of that volume to be owned by the pod:

1. The owning GID will be the FSGroup.
2. The setgid bit is set (new files created in the volume will be owned by the FSGroup).
3. The permission bits are OR'd with rw-rw----.

If unset, the kubelet will not modify the ownership and permissions of any volume.