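I am trying to use OpenShift with PersistentStorage on a GlusterFS cluster.
I am launching one of the default templates: mysql-persistent
I have installed a GlusterFS cluster and created the volume gv_mysql_01
I have added the glusterfs endpoints in openshift: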
oc get endpoints
NAME ENDPOINTS AGE
glusterfs-cluster 10.100.134.26:24007,10.100.134.28:24007 1h
I have created the PersistentVolume on openshift:
cat gluster-mysql_01-storage.yaml
apiVersion: "v1"
kind: "PersistentVolume"
metadata:
  name: "mysql"
spec:
  capacity:
    storage: "512Mi"
  accessModes:
    - "ReadWriteOnce"
  glusterfs:
    endpoints: "glusterfs-cluster"
    path: "gv_mysql_01"
    readOnly: false
  persistentVolumeReclaimPolicy: "Recycle"
oc create -f gluster-mysql_01-storage.yaml
The PersistentStorage is bound to the container:
oc get pv
NAME LABELS CAPACITY ACCESSMODES STATUS CLAIM REASON AGE
mysql <none> 512Mi RWO Bound test/mysql 53m
oc get pvc
NAME LABELS STATUS VOLUME CAPACITY ACCESSMODES AGE
mysql template=mysql-persistent-template Bound mysql 512Mi RWO 1h
On the cluster host, the volume is mounted:
10.100.134.26:gv_mysql_01 on /var/lib/origin/openshift.local.volumes/pods/c111c480-8ec7-11e5-8405-0a57f8bdd6b3/volumes/kubernetes.io~glusterfs/mysql type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
But in the container logs:
docker logs b8cd5bb3b0be
Running mysql_install_db ...
mkdir: cannot create directory '/var/lib/mysql/data': Permission denied
chmod: cannot access '/var/lib/mysql/data/mysql': Permission denied
mkdir: cannot create directory '/var/lib/mysql/data': Permission denied
chmod: cannot access '/var/lib/mysql/data/test': Permission denied
151119 14:30:20 [Warning] Can't create test file /var/lib/mysql/data/mysql-1-q2yxh.lower-test
151119 14:30:20 [Warning] Can't create test file /var/lib/mysql/data/mysql-1-q2yxh.lower-test
/opt/rh/mysql55/root/usr/libexec/mysqld: Can't change dir to '/var/lib/mysql/data/' (Errcode: 13)
151119 14:30:20 [ERROR] Aborting
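I have tried changing the owner, group and permissions of /var/lib/origin/openshift.local.volumes/pods/c111c480-8ec7-11e5-8405-0a57f8bdd6b3/volumes/kubernetes.io~glusterfs/mysql using the uid:gid of the mysql user in the container, but it still does not work.
Am I missing something?
Answer 1
Try these SELinux settings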
setsebool -P virt_use_fusefs 1
setsebool -P virt_sandbox_use_fusefs 1
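Answer 2
I ran into the same error and was able to get it working by changing the default restricted scc policy. Since you are running the openshift mysql image, which runs as a specific user (27), you need to change the restricted scc to allow that id to run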
[root@ose1 ceph]# oc edit scc restricted
Then edit the file (using vi) and change the fsGroup value from RunAsAny to MustRunAs
fsGroup:
  type: MustRunAs
You can see it here:
[root@ose1 ceph]# oc get scc restricted
NAME PRIV CAPS HOSTDIR SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY
restricted false [] false MustRunAs MustRunAsRange MustRunAs RunAsAny <none>
You also need to change the default UID range in the namespace you are using:
[root@ose1 ceph]# oc edit ns default (sub your namespace for 'default')
openshift.io/sa.scc.uid-range: 25/10000
I started at 25 as an example, but this will allow the openshift mysql image to run as user 27
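
Added example (not part of the original question or answers): a small check of whether a UID falls inside a namespace's openshift.io/sa.scc.uid-range annotation, which is what decides whether the image's user 27 is admitted. It assumes the annotation uses the `<start>/<length>` form shown in Answer 2; the helper names, the embedded namespace JSON and the `1000000000/10000` range are constructed for illustration.

```python
import json

UID_RANGE_KEY = "openshift.io/sa.scc.uid-range"


def parse_uid_range(value):
    """Parse '<start>/<length>' into an inclusive (first, last) UID pair."""
    start_s, sep, length_s = value.strip().partition("/")
    if not sep or not start_s.isdigit() or not length_s.isdigit():
        raise ValueError(f"unexpected uid-range format: {value!r}")
    start, length = int(start_s), int(length_s)
    if length < 1:
        raise ValueError("uid-range length must be at least 1")
    return start, start + length - 1


def check_uid(namespace_json, uid):
    """Return (allowed, first, last) for uid against the namespace annotation."""
    meta = json.loads(namespace_json).get("metadata", {})
    annotations = meta.get("annotations") or {}
    if UID_RANGE_KEY not in annotations:
        raise KeyError(f"namespace has no {UID_RANGE_KEY} annotation")
    first, last = parse_uid_range(annotations[UID_RANGE_KEY])
    return first <= uid <= last, first, last


def make_namespace(name, uid_range):
    """Build a constructed stand-in for `oc get ns <name> -o json` output."""
    return json.dumps({
        "kind": "Namespace",
        "metadata": {"name": name, "annotations": {UID_RANGE_KEY: uid_range}},
    })


if __name__ == "__main__":
    mysql_uid = 27  # UID the answer says the openshift mysql image runs as
    samples = [
        ("default", "25/10000"),       # value from the answer
        ("test", "1000000000/10000"),  # constructed: a high auto-assigned range
    ]
    for name, uid_range in samples:
        allowed, first, last = check_uid(make_namespace(name, uid_range), mysql_uid)
        verdict = "allowed" if allowed else "rejected"
        print(f"{name}: UID {mysql_uid} {verdict} (range {first}-{last})")
```

On a live cluster the JSON passed to check_uid would come from `oc get ns <namespace> -o json`.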