I am currently experimenting with Kubernetes and have installed a small cluster on the ESX infra I had running here locally. I installed two slave nodes and a master node using Project Atomic with Fedora. The cluster is all installed fine and seems to be running. However, I first want to get a MySQL container up and running, but no matter what I try I cannot get it to run.
apiVersion: v1
kind: Pod
metadata:
  name: mysql
  labels:
    name: mysql
spec:
  containers:
    - resources:
        limits:
          cpu: 0.5
      image: mysql:5.6
      name: mysql
      env:
        - name: MYSQL_ROOT_PASSWORD
          value: myPassw0rd
      ports:
        - containerPort: 3306
          name: mysql
      volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
  volumes:
    - name: mysql-persistent-storage
      nfs:
        server: 10.0.0.2
        path: "/export/mysql"
For the volume I have already tried all kinds of solutions: I tried using a persistent volume with and without a claim, and I tried using a host volume and emptyDir, but I always end up with this error when the container starts:
chown: changing ownership of '/var/lib/mysql/': Operation not permitted
I must be doing something stupid, but I have no idea what to do here.
OK, it seems I can answer my own question: the problem was in the NFS share that was being used as the persistent volume. I had it set to 'squash_all' in the export, but it needs 'no_root_squash' to allow root in the Docker container to chown the NFS-bound volume.
I solved this problem another way. I had an argument with the system administrator about allowing root access to the exported NFS directory from the NFS client machine(s). He had valid security reasons for not setting it, such as reason one and reason two (read the no_root_squash section).
In the end I didn't have to request no_root_squash. This is what I did to get the mysql pod running without compromising security.
1. Exec into the pod's container running the mysql image: kubectl exec -it -n <namespace> <mysql_pod> -- bash
2. Obtain the uid (999) and gid (999) of the mysql user: cat /etc/passwd | tail -n
or id mysql
The mysql username can be found in the 2nd instruction of the image's Dockerfile.
3. Change the permissions of the directory that holds the content of /var/lib/mysql of the Docker container. This is most likely the directory specified in your PersistentVolume. This command is executed on the host machine, not in the Pod!!!
# PersistentVolume
...
nfs:
  path: /path/to/app/mysql/directory
  server: nfs-server
Run chown -R 999:999 /path/to/app/mysql/directory
4. Finally, after everything is set, deploy your MySQL Pod (Deployment, ReplicaSet or whatever you are using).
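The two answers above take opposite routes around the same NFS server rule: the first relaxes the export to no_root_squash so the container's root stays root on the server, the second keeps root squashed and pre-chowns the export to the mysql uid/gid (999:999) so the entrypoint has nothing left to change. What follows is an added example, not code from either answer or from the mysql image: a small POSIX shell model of how the exportfs options map the container's uid 0 to a server-side uid, and what that means for the start-up chown. The export option strings are constructed samples; root_squash as the default, all_squash covering root as well, and 65534 as the default anonymous uid are standard exportfs behaviour; the "noop" branch encodes the assumption the second answer relies on, namely that a directory already owned by 999:999 needs no privileged change.

```shell
#!/bin/sh
# Added example (not from the thread): model how an /etc/exports options string
# maps a client's root to a server-side uid, and predict whether the mysql
# image's start-up "chown -R mysql:mysql /var/lib/mysql" gets through.
# Pure local logic: no NFS server is contacted and no files are touched.

# effective_squash OPTIONS
# Prints the squash mode in force: all_squash, no_root_squash or root_squash.
# root_squash is the server default when neither option is listed; all_squash
# squashes every uid including root, so it takes precedence over no_root_squash.
effective_squash() {
  es_all=0; es_noroot=0
  for es_opt in $(printf '%s' "$1" | tr ',' ' '); do
    case "$es_opt" in
      all_squash)     es_all=1 ;;
      no_root_squash) es_noroot=1 ;;
    esac
  done
  if [ "$es_all" -eq 1 ]; then echo all_squash
  elif [ "$es_noroot" -eq 1 ]; then echo no_root_squash
  else echo root_squash
  fi
}

# mapped_uid OPTIONS CLIENT_UID
# The uid the server acts as for a request arriving with CLIENT_UID.
# Squashed requests become the anonymous uid: anonuid=N if given, else 65534.
mapped_uid() {
  mu_anon=65534
  for mu_opt in $(printf '%s' "$1" | tr ',' ' '); do
    case "$mu_opt" in
      anonuid=*) mu_anon=${mu_opt#anonuid=} ;;
    esac
  done
  case "$(effective_squash "$1")" in
    all_squash)     echo "$mu_anon" ;;
    no_root_squash) echo "$2" ;;
    root_squash)    if [ "$2" -eq 0 ]; then echo "$mu_anon"; else echo "$2"; fi ;;
  esac
}

# chown_outcome OPTIONS DIR_UID DIR_GID WANT_UID WANT_GID
# Models the entrypoint's chown, issued by container root (client uid 0):
#   ok    - server-side identity is still root, the chown is permitted
#   noop  - directory already carries the requested owner:group (assumption:
#           nothing needs changing, so no privileged operation is attempted)
#   eperm - root was squashed to an unprivileged uid and ownership differs:
#           "chown: changing ownership of '/var/lib/mysql/': Operation not permitted"
chown_outcome() {
  co_uid=$(mapped_uid "$1" 0)
  if [ "$co_uid" -eq 0 ]; then echo ok
  elif [ "$2" -eq "$4" ] && [ "$3" -eq "$5" ]; then echo noop
  else echo eperm
  fi
}

# Constructed sample export option strings mirroring the thread:
EXPORT_ALL_SQUASH='rw,sync,all_squash'         # the asker's original export
EXPORT_NO_ROOT_SQUASH='rw,sync,no_root_squash' # the asker's fix (root stays root)
EXPORT_DEFAULT='rw,sync'                       # root_squash by default, as the
                                               # second answer keeps it

# Demo: a directory still owned by root:root versus one pre-chowned to 999:999
# (on the NFS server: chown -R 999:999 /export/mysql).
for e in "$EXPORT_ALL_SQUASH" "$EXPORT_NO_ROOT_SQUASH" "$EXPORT_DEFAULT"; do
  printf '%-24s squash=%-15s root->uid %-6s dir root:root -> %-5s dir 999:999 -> %s\n' \
    "$e" "$(effective_squash "$e")" "$(mapped_uid "$e" 0)" \
    "$(chown_outcome "$e" 0 0 999 999)" "$(chown_outcome "$e" 999 999 999 999)"
done
```

The table the loop prints makes the trade-off explicit: only no_root_squash turns the root:root case into "ok", and it does so by letting any root on the client act as root on the server. Pre-owning the export by 999:999 gets the same pod running under the default root_squash export, which is why the second answer could avoid asking the administrator for the weaker setting.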