-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Could not create subdirectory "k8s_logs" inside of data dir "/vector-data-dir": Permission denied (os error 13) #266
Comments
Viewed from host, uid/gid seems correct: ❯ oc debug node/domstoltestocpin101
Starting pod/domstoltestocpin101-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.242.158.20
If you don't see a command prompt, try pressing enter.
sh-4.4# ls -ld /host/var/lib/vector
drwxrwxr-x. 2 3000 3000 6 Nov 7 13:43 /host/var/lib/vector |
In my case, the error message is as below.
This because of PodSpec' volumeMount error. You can check your volumeMount if readOnly add or post your pod yaml. Source Code from here |
Trying to reproduce this today with the following config (updated for latest Helm and Vector versions): role: Agent
service:
enabled: false
serviceHeadless:
enabled: false
customConfig:
data_dir: "/vector-data-dir"
sources:
k8s_logs:
type: kubernetes_logs
sinks:
opensearch:
type: elasticsearch
endpoint: https://opensearch:9200
inputs:
- k8s_logs
mode: bulk
bulk:
index: "vector-%Y.%m.%d"
compression: none
auth:
strategy: basic
user: xxxxx
password: xxxxx
tls:
verify_certificate: false
verify_hostname: false I don't see any error when running locally on
I suspect this is due to restrictions imposed by OpenShift. Could you confirm you're still seeing this issue after upgrading to latest? |
I can confirm that. When adding a SecurityContextConstraint with correct permissions, it works. Would you like me to contribute back the SecurityContextConstraint under a flag, say |
That'd be great - I don't have too much experience with OpenShift, but if that's a normal/expected resource to create in OS clusters that seems good. |
What was the fix? I tried with a custom privileged scc and for troubleshooting set runAsUser to 0 but I still get the permission errors. Edit: I had to set |
Correct. I set it in values to chart:
Then added SCC, Role and RoleBinding on the side: # vector trenger priviligert tilgang for å skrive til /var/lib/vector på node.
# Kun initContainer bruker priviligert tilgang, vector-containeren kjøres som uid/guid 3000.
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: privileged-and-hostpath
annotations:
kubernetes.io/description: |
Kopiert fra restricted. Har i tillegg allowHostDirVolumePlugin=true, volumes:hostpath
og allowPrivilegedContainer=true.
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: use-privileged-and-hostpath
rules:
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
verbs:
- use
resourceNames:
- privileged-and-hostpath
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: vector-can-use-privileged-and-hostpath
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: use-privileged-and-hostpath
subjects:
- kind: ServiceAccount
name: vector I tried using |
Hi, Try to avoid setting Configure your scc to this again and remove
Then add this in your daemonset:
and I would suggest applying this
|
Hi!
I get the error message on start:
I use the following setup:
I've tried adding an init container:
and using uid/guid/fsuid 3000 in vector:
But it still fails. Debugging the container:
Any ideas?
The text was updated successfully, but these errors were encountered: