-
Notifications
You must be signed in to change notification settings - Fork 441
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CHK resource fails to come up on AWS EKS due to wrong FS permissions on /var/lib/clickhouse-keeper #1370
Comments
@sunsingerus @alex-zaitsev look like latest version of clickhouse backported changes for default user look to @hodgesrm try to add templates:
podTemplates:
- name: default
spec:
securityContext:
fsGroup: 101
runAsUser: 101
containers:
- name: clickhouse-keeper
imagePullPolicy: IfNotPresent
image: "altinity/clickhouse-keeper:23.8.8.21.altinitystable" |
Planned for 0.23.4 |
@Slach your fix works and will hold me until 0.23.4 is available. Thank you both for the quick turnaround. |
@Slach , why we do not need securityContext for ClickHouse but need for ClickHouseKeeper? |
@alex-zaitsev |
any plans here? |
@orloffv |
interesting, but it can't help me. |
Security context is needed for both CHI and CHK, so behavior is consistent now. Maybe we need a separate task to add default security context to images, and also make sure it is correctly merged with a security context provided in by user explicitly |
What's wrong:
The CHK example in 02-extended-1-node.yaml fails if you use the Altinity 23.8.8.21 docker image on EKS. I thought this was an Altinity Stable Bug but it also happens with clickhouse/clickhouse-keeper:23.8.10.43-alpine.
I'm using the 0.23.3 operator installed using helm. I am using Kubernetes 1.26 on AWS EKS installed with our EKS blueprint.
How to Reproduce:
Run kubectl apply -f on this resource.
What happens:
Possible Root Cause:
It appears that the paths under /var/lib/clickhouse-keeper come up with root ownership. I confirmed this by hacking the liveness probe so that I could bring up the pod and check permissions.
Mitigations:
chown -R clickhouse:clickhouse /var/lib/clickhouse-keeper
and delete the pod to make it restart, Keeper comes up fine.**Notes: **
This also fails with clickhouse/clickhouse-keeper:23.8.10.43-alpine.
The text was updated successfully, but these errors were encountered: