Access rights to shared file #16481
Comments
Thanks for the feedback! We are currently investigating and will update you shortly. |
@gs9824 can you provide some more information around grafana? I am not familiar with this service. |
@MicahMcKittrick-MSFT , Grafana is a tool to visualise data from different sources through dashboards. The problem with running Grafana as a docker container is that the settings are not retained when restarting the docker container.
t=2018-10-09T14:20:36+0000 lvl=eror msg=“Server shutdown” logger=server reason=“Service init failed: Migration failed err: database is locked”
The database is stored on the file share. On the file share it is possible to create access rights for users, but I don't see how I can specify these in the container creation command. |
@gs9824 have you looked at using a persistent disk with AKS? https://docs.microsoft.com/en-us/azure/aks/azure-disks-dynamic-pv |
@gs9824 any update on this? |
@MicahMcKittrick-MSFT , sorry not yet. I have first been trying to get the file share working by trying to execute some chmod commands during container creation. So far without luck. |
@MicahMcKittrick-MSFT As far as I understand, this would involve setting up a complete AKS cluster. I just wanted to run Grafana as a simple Azure Container Instance, without modifying anything in the container. |
@seanmck. @iainfoulds would either of you have any thoughts on this? |
@gs9824 just FYI, I am working offline to get an answer to this. Will update you once I have more information. |
@gs9824 since this is intended to be a long-running instance and seeing lots of restarts, you might just need to add a long-running command line to the Also, check this guide for additional troubleshooting options |
@gs9824 any update on this? |
Hi there. Coincidentally, I have exactly the same issue for exactly the same use case (Grafana). Grafana logs the following error: Starting without pointing Grafana to the mount, it will use a local folder, which works. On the Azure Portal I have then tried to write folders and files on the mount manually, which works OK. Here is an ARM template so you can reproduce the problem. Just replace some of the placeholders I added and you should be good to go.
|
@MicahMcKittrick-MSFT Sorry for not responding earlier -- good to know that I'm not the only one with the issue :). I have Grafana running on a VM in the meantime as a workaround (installed through Market place - Grafana from Grafana Labs). The restart most likely happens because grafana fails to start due to database locked as @orendin states. |
Thanks all for the extra details. I am not sure if this is information we can include in this doc but regardless, I will assign to the author to review and see if we can add any details. |
Hi there, I have the same problem too, with Prometheus this time. Same scenario: I am using a Prometheus image to create an ACI mounted with a file-share.
What I did: Script begin
script end
I added a YAML file, 'prometheus.yml', in the share-file.
What I expected: I expected the ACI to start and read the YAML file that I created on the share-file, as I mounted /etc/prometheus on it.
What really happened:
What I tried to do: I managed to get bash access on the file system to add the permissions myself. As you can see, even with chmod as root on the file I couldn't change the permissions. So maybe this is why I can't get the ACI to read the YAML conf file. Thanks for any help. |
Hi guys,
What was missing:
What I did: I added a share policy with all the permissions (read-write-list) needed and it worked. Hope this will help. |
Original issue appears to be resolved. Adding @dkkapur for second if you have comments. Thanks. |
Has anyone solved the problem for Grafana? Unfortunately, I still get the error
I have created an "Access Policy" with all rights, but I do not know if I have to specify this somehow when mounting the volume:
"resources": [
  {
    "apiVersion": "2018-10-01",
    "type": "Microsoft.ContainerInstance/containerGroups",
    "location": "[parameters('location')]",
    "name": "[parameters('containerName')]",
    "properties": {
      "containers": [
        {
          "name": "[parameters('containerName')]",
          "properties": {
            "image": "[parameters('imageName')]",
            "ports": "[parameters('ports')]",
            "environmentVariables": [
              {
                "name": "GF_PATHS_DATA",
                "value": "/mnt/grafana/data"
              },
              {
                "name": "GF_PATHS_LOGS",
                "value": "/mnt/grafana/logs"
              },
              {
                "name": "GF_DASHBOARDS_PATH",
                "value": "/mnt/grafana/dashboards"
              }
            ],
            "volumeMounts": [
              {
                "name": "grafana-storage",
                "mountPath": "/mnt/grafana",
                "readOnly": false
              }
            ],
            "resources": {
              "requests": {
                "cpu": "[int(parameters('numberCpuCores'))]",
                "memoryInGB": "[float(parameters('memory'))]"
              }
            }
          }
        }
      ],
      "volumes": [
        {
          "name": "grafana-storage",
          "azureFile": {
            "shareName": "grafana",
            "readOnly": false,
            "storageAccountName": "_NAME_",
            "storageAccountKey": "_ACCESS_KEY_"
          }
        }
      ],
      "restartPolicy": "[parameters('restartPolicy')]",
      "osType": "[parameters('osType')]",
      "ipAddress": {
        "type": "[parameters('ipAddressType')]",
        "ports": "[parameters('ports')]",
        "dnsNameLabel": "[parameters('dnsNameLabel')]"
      }
    },
    "tags": {}
  }
] |
Microsoft, please fix the fact that mounted Fileshare storage requires the container to run as root, as this goes against docker best practices. Further it eliminates a lot of containers that do not run as root, and need file storage. I think the underlying issue with Grafana is the docker image does not run as root. Fileshare seems to be mounted as root:root 777. Which is the default. When the Grafana user tries to access the mounted storage, it will fail. You can't CHOWN the mounted storage either, I have escalated the user back to ROOT and in an init.sh script tried to assign permissions to Grafana user. No luck. You do not have enough permissions inside an ACI container to mount any other fileshares either, cifs mount fails. Proposed solution: float the ability to specify mount options, same as in Azure AKS. |
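A preflight check that a container entrypoint could run to confirm the behaviour reported in this thread (share mounted with fixed ownership and mode, chmod and chown having no effect) and stop with a clear message instead of restarting in a loop. This is an added example, not part of the original thread or of any Microsoft or Grafana tooling; the function name `probe_mount` and its key=value output format are assumptions.

```shell
#!/bin/sh
# Added example: probe a mounted data directory before the application starts.
# probe_mount and its output format are hypothetical, not an Azure or Grafana tool.
# Return codes: 0 = behaves like a normal POSIX directory,
#               1 = not writable, or permissions/ownership are fixed by the mount,
#               2 = directory does not exist.

probe_mount() {
    dir=$1
    [ -d "$dir" ] || { echo "dir=missing"; return 2; }

    probe="$dir/.perm-probe.$$"
    # 1. Can the current (ideally non-root) user create a file at all?
    if ! ( : > "$probe" ) 2>/dev/null; then
        echo "uid=$(id -u) write=denied"
        return 1
    fi

    # 2. Does chmod stick? When the mount fixes permissions, the call may
    #    succeed or fail, but the mode reported afterwards is not 600.
    chmod 600 "$probe" 2>/dev/null || :
    mode=$(ls -ld "$probe" | cut -c1-10)
    if [ "$mode" = "-rw-------" ]; then chmod_res=honoured; else chmod_res=ignored; fi

    # 3. Who owns the file we just created? A different numeric uid means
    #    ownership is forced by the mount and chown cannot hand it over.
    owner=$(ls -ldn "$probe" | awk '{print $3}')
    if [ "$owner" = "$(id -u)" ]; then own_res=self; else own_res="forced:$owner"; fi

    rm -f "$probe"
    echo "uid=$(id -u) write=ok chmod=$chmod_res owner=$own_res"
    [ "$chmod_res" = honoured ] && [ "$own_res" = self ]
}

# Entrypoint usage (path taken from the ARM template earlier in this thread):
#   probe_mount /mnt/grafana || { echo "data mount unsuitable" >&2; exit 1; }
```

A result of `chmod=ignored` or `owner=forced:0` for a non-root user matches the root:root 777 behaviour described in the comment above.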
Assigning to Deep for follow-up. Thanks! |
@dkkapur any updates? |
Hey folks! Any news on this? Looks like it was assigned more than a year ago but there is no answer. |
Same happens with a standard Postgresql Docker image - if you try to make the database persistent by mounting a file share, it doesn't start. |
@MicahMcKittrick-MSFT Hey Micah, any update on this? |
@dkkapur Is there any plan to allow ACI container to mount azure file share with options like AKS as following?
|
Exactly. It uses a limited permission user called This issue is basically preventing any persistent storage binding in production because we can't rely on the health of the docker container which is exactly the reason we use Docker containers in the first place. Is there any non-elevated user enabled storage that we can attach to? |
Hi, I'm facing the same issue with a PostgreSQL container on which I'd like to mount a file share on /var/lib/postgresql/data to persist a small database across multiple container versions, but the database doesn't have the permission to use the mounted file share. Here are the logs that are output on Azure Container Instance:
And then the container stops. I'm also quite new with deploying containers to azure, so if this isn't the intended way to do it I would be glad to learn something new. |
I have a similar issue where the Azure container keeps restarting when I add persistency to my Nginx docker container using Azure File shares. Snippet of the error:
Other files are created in the Azure file share but not chained.crt . This article mentions some limitations with Azure File Mounts: Symlinks, Hard links, Extended attributes, Sparse files, Named pipes. If this is the cause of this issue, please add them in the official documentation, to save us tons of time. Otherwise, please share if there are some other workarounds. I'm new to Docker and Azure File shares so I will appreciate some help. |
Thanks for your dedication to our documentation. Unfortunately, at this time we have been unable to review your issue in a timely manner and we sincerely apologize for the delayed response. Though the scope of our feedback channel here on GitHub covers specific documentation fixes, we can help redirect you to the right support channel to get an answer to your question: Microsoft Q&A. Because this issue does not relate to documentation, we are closing this issue. #please-close |
This issue should not have been closed. Obviously there is an underlying technical issue, but as it relates to the docs, the Azure Docs page you linked should be updated to reflect this limitation. Specifically, at the top of the page under "Limitations", there should be another bullet point with a description indicating that there isn't currently a way to set mount options, which also means that file permissions cannot be anything other than 777. |
I have tried this workflow on https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-azure-files with grafana
az container create --resource-group --name --image grafana/grafana:latest --dns-name-label --ports 3000 --azure-file-volume-account-name $STORAGE_ACCOUNT --azure-file-volume-account-key $STORAGE_KEY --azure-file-volume-share-name $ACI_PERS_SHARE_NAME --azure-file-volume-mount-path /var/lib/grafana --cpu 1 --memory 1
The container keeps restarting -- probably due to grafana not able to update the files on the persistent share. How can I assure access rights are properly set on the share ? Can I connect using a policy set on the file share ?