I'm getting the "Failed to create node environment" error with an Elasticsearch docker image:

    [unknown] uncaught exception in thread [main]
    org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: Failed to create node environment

The persistent volume for Elasticsearch data is at /mnt/volume/elasticsearch-data.

I'm able to solve this problem by ssh-ing into the remote machine and running chown 1000:1000 /mnt/volume/elasticsearch-data. But I don't want to do it manually. How can I solve this privilege issue using the deployment.yaml file?

I've read that using fsGroup: 1000 in securityContext should solve the problem, but it isn't working for me.
deployment.yaml:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: elasticsearch
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            app: elasticsearch
        spec:
          containers:
            - name: elasticsearch
              image: me-name/elasticsearch:6.7
              imagePullPolicy: "IfNotPresent"
              ports:
                - containerPort: 9200
              envFrom:
                - configMapRef:
                    name: elasticsearch-config
              volumeMounts:
                - mountPath: /usr/share/elasticsearch/data
                  name: elasticsearch-volume
              securityContext:
                runAsUser: 1000
                fsGroup: 1000
                capabilities:
                  add:
                    - IPC_LOCK
                    - SYS_RESOURCE
              lifecycle:
                postStart:
                  exec:
                    command: ["/bin/sh", "-c", "sysctl -w vm.max_map_count=262144"]
          volumes:
            - name: elasticsearch-volume
              persistentVolumeClaim:
                claimName: elasticsearch-pv-claim
storage.yaml:

    kind: PersistentVolume
    apiVersion: v1
    metadata:
      name: elasticsearch-pv-volume
      labels:
        type: local
        app: elasticsearch
    spec:
      storageClassName: manual
      capacity:
        storage: 5Gi
      accessModes:
        - ReadWriteMany
      hostPath:
        path: "/mnt/volume/elasticsearch-data"
      persistentVolumeReclaimPolicy: Delete
    ---
    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: elasticsearch-pv-claim
      labels:
        app: elasticsearch
    spec:
      storageClassName: manual
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          storage: 5Gi
There seems to be an open bug regarding permissions on hostPath volumes. To work around this issue you should create an initContainer that first sets the proper permissions:
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: elasticsearch
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            app: elasticsearch
        spec:
          initContainers:
            # Runs as root before the main container and hands the data
            # directory to uid/gid 1000, the user Elasticsearch runs as.
            - name: set-permissions
              image: registry.hub.docker.com/library/busybox:latest
              command: ['sh', '-c', 'mkdir -p /usr/share/elasticsearch/data && chown 1000:1000 /usr/share/elasticsearch/data']
              volumeMounts:
                - mountPath: /usr/share/elasticsearch/data
                  name: elasticsearch-volume
          containers:
            - name: elasticsearch
              image: me-name/elasticsearch:6.7
              imagePullPolicy: "IfNotPresent"
              ports:
                - containerPort: 9200
              envFrom:
                - configMapRef:
                    name: elasticsearch-config
              volumeMounts:
                - mountPath: /usr/share/elasticsearch/data
                  name: elasticsearch-volume
              securityContext:
                runAsUser: 1000
                fsGroup: 1000
                capabilities:
                  add:
                    - IPC_LOCK
                    - SYS_RESOURCE
              lifecycle:
                postStart:
                  exec:
                    command: ["/bin/sh", "-c", "sysctl -w vm.max_map_count=262144"]
          volumes:
            - name: elasticsearch-volume
              persistentVolumeClaim:
                claimName: elasticsearch-pv-claim
You are on the right track by setting the fsGroup, but what you are currently doing is setting the user to 1000 and mounting the volume with access to the group 1000. What you should change is to use runAsGroup: 1000 instead of runAsUser: 1000.
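Both answers hinge on where the ownership fields live in the manifest, and that is easy to get wrong in a flattened YAML: fsGroup is a field of the pod-level securityContext only (a container's securityContext has no fsGroup field), capabilities is a container-level field only, and the kubelet does not change ownership of hostPath volumes at all, which is why the initContainer chown works where fsGroup does not. The checker below is an added example written for this thread, not code from either answer; it takes the dict that yaml.safe_load() returns for a manifest and reports misplaced securityContext fields, fsGroup used on a hostPath volume, and an initContainer chown uid that does not match the main container's runAsUser. The sample manifests at the bottom are constructed to mirror the question and the first answer.

```python
"""Lint the securityContext layout of a Kubernetes Pod template.

Added example for this thread. `fsGroup` only exists in the pod-level
securityContext, `capabilities` only at container level, and fsGroup is
not applied to hostPath volumes. The input is the dict returned by
yaml.safe_load() for a Pod or a workload carrying a pod template.
"""
import re

# Field names taken from the PodSecurityContext / SecurityContext API types.
POD_ONLY = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}
CONTAINER_ONLY = {"capabilities", "privileged", "allowPrivilegeEscalation",
                  "readOnlyRootFilesystem", "procMount"}

# chown [flags] UID[:GID] PATH  (numeric owner, the form used in this thread)
CHOWN_RE = re.compile(r"\bchown\s+(?:-\S+\s+)*(\d+)(?::\d+)?\s+\S+")


def pod_spec(manifest):
    """Return the PodSpec of a bare Pod or of any workload with a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def effective_run_as_user(spec, container):
    """A container-level runAsUser overrides the pod-level one."""
    sc = container.get("securityContext") or {}
    if "runAsUser" in sc:
        return sc["runAsUser"]
    return (spec.get("securityContext") or {}).get("runAsUser")


def check_manifest(manifest):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    inits = spec.get("initContainers", [])
    mains = spec.get("containers", [])

    # 1. Fields placed at the wrong level are rejected or silently useless.
    for key in sorted(pod_sc):
        if key in CONTAINER_ONLY:
            findings.append(f"pod securityContext: '{key}' is a container-level field")
    for c in inits + mains:
        for key in sorted(c.get("securityContext") or {}):
            if key in POD_ONLY:
                findings.append(
                    f"container '{c['name']}': '{key}' is pod-level only and has no effect here")

    # 2. fsGroup ownership management is skipped for hostPath volumes.
    if "fsGroup" in pod_sc:
        for v in spec.get("volumes", []):
            if "hostPath" in v:
                findings.append(
                    f"volume '{v['name']}': fsGroup is not applied to hostPath volumes")

    # 3. An initContainer chown only helps if it targets the uid the app runs as.
    chown_uids = set()
    for c in inits:
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        chown_uids.update(int(m.group(1)) for m in CHOWN_RE.finditer(cmdline))
    for c in mains:
        uid = effective_run_as_user(spec, c)
        for chown_uid in sorted(chown_uids):
            if uid is not None and uid != chown_uid:
                findings.append(
                    f"container '{c['name']}': runs as uid {uid} but initContainer chowns to {chown_uid}")
    return findings


# Constructed samples mirroring the manifests in this thread.
ES_CAPS = {"add": ["IPC_LOCK", "SYS_RESOURCE"]}
PVC_VOLUME = {"name": "elasticsearch-volume",
              "persistentVolumeClaim": {"claimName": "elasticsearch-pv-claim"}}
CHOWN_INIT = {"name": "set-permissions",
              "command": ["sh", "-c", "mkdir -p /usr/share/elasticsearch/data && "
                                      "chown 1000:1000 /usr/share/elasticsearch/data"]}


def deployment(pod_sc, container_sc, init_containers, volume):
    """Build a Deployment dict with just the fields the checker inspects."""
    spec = {"containers": [{"name": "elasticsearch", "securityContext": container_sc}],
            "volumes": [volume]}
    if pod_sc:
        spec["securityContext"] = pod_sc
    if init_containers:
        spec["initContainers"] = init_containers
    return {"kind": "Deployment", "spec": {"template": {"spec": spec}}}


# Layout from the question: fsGroup inside the container's securityContext.
ASKED = deployment(None, {"runAsUser": 1000, "fsGroup": 1000, "capabilities": ES_CAPS}, [], PVC_VOLUME)
# fsGroup at pod level, capabilities at container level, chown uid equal to runAsUser.
FIXED = deployment({"fsGroup": 1000}, {"runAsUser": 1000, "capabilities": ES_CAPS}, [CHOWN_INIT], PVC_VOLUME)
# hostPath mounted directly plus a chown uid that differs from runAsUser.
MISMATCHED = deployment({"fsGroup": 1000}, {"runAsUser": 1001, "capabilities": ES_CAPS}, [CHOWN_INIT],
                        {"name": "elasticsearch-volume", "hostPath": {"path": "/mnt/volume/elasticsearch-data"}})

if __name__ == "__main__":
    for label, m in (("asked", ASKED), ("fixed", FIXED), ("mismatched", MISMATCHED)):
        print(label, check_manifest(m) or ["ok"])
```

Run against the question's layout it reports only the misplaced fsGroup; against a manifest with pod-level fsGroup, container-level capabilities and a chown matching runAsUser it reports nothing. The chown check is deliberately narrow (numeric uid, the form used in this thread) so it never guesses at user names.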