  1. Apache Submarine
  2. SUBMARINE-1229

Minio initContainer pod (mlflow and server) not working properly in openshift


Details

    Description

      Minio initContainer pod always shows that it cannot end correctly. I've seen the log in the pod and found the following errors:

      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
      

      I checked the resource YAML and found that OpenShift adds a runAsUser in the deployment:

      initContainers:
        - resources: {}
          terminationMessagePath: /dev/termination-log
          name: submarine-server-initcontainer
          command:
            - /bin/bash
            - '-c'
            - >-
              cnt=0; while ! /bin/bash -c 'mc config host add minio
              http://submarine-minio-service:9000 submarine_minio submarine_minio'
              2>&1; do sleep 15; ((cnt=cnt+1)); if [ $cnt -eq 80 ];then echo 'ERROR:
              wait too long for minio pod'; exit 1; fi; done; if /bin/bash -c 'mc ls
              minio/submarine' >/dev/null 2>&1; then echo 'Bucket minio/submarine
              already exists, skipping creation.'; else /bin/bash -c 'mc mb
              minio/submarine'; fi;
          securityContext:
            capabilities:
              drop:
                - KILL
                - MKNOD
                - SETGID
                - SETUID
            runAsUser: 1000790000
          imagePullPolicy: Always
          volumeMounts:
            - name: submarine-server-token-bnj4d
              readOnly: true
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          terminationMessagePolicy: File
          image: 'minio/mc'
      

      OpenShift will add runAsUser with a custom UID under securityContext when we haven't added RunAsAny to the service account.

      oc adm policy add-scc-to-user anyuid -z submarine-server -n submarine
      oc adm policy add-scc-to-user anyuid -z default -n submarine
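
An alternative that keeps the service accounts on the default SCC instead of granting `anyuid`, shown as an added example that is not part of the original issue or of the Submarine project's manifests: give `mc` a writable home directory so the UID OpenShift assigns can save its config. It assumes `mc` derives its config directory from `$HOME` (consistent with the `/.mc` path in the log above); the volume name `mc-config` and the path `/mc-home` are hypothetical.

```yaml
# Pod template fragment (spec.template.spec of the Deployment).
# No runAsUser is set here: OpenShift still injects its own UID.
initContainers:
  - name: submarine-server-initcontainer
    image: 'minio/mc'
    env:
      # Assumption: mc writes its config to $HOME/.mc. Pointing HOME at a
      # writable volume avoids "mkdir /.mc: permission denied".
      - name: HOME
        value: /mc-home
    command:
      - /bin/bash
      - '-c'
      # Command unchanged from the deployment shown in the issue.
      - >-
        cnt=0; while ! /bin/bash -c 'mc config host add minio
        http://submarine-minio-service:9000 submarine_minio submarine_minio'
        2>&1; do sleep 15; ((cnt=cnt+1)); if [ $cnt -eq 80 ];then echo 'ERROR:
        wait too long for minio pod'; exit 1; fi; done; if /bin/bash -c 'mc ls
        minio/submarine' >/dev/null 2>&1; then echo 'Bucket minio/submarine
        already exists, skipping creation.'; else /bin/bash -c 'mc mb
        minio/submarine'; fi;
    volumeMounts:
      # Hypothetical scratch volume holding the mc config for this run only.
      - name: mc-config
        mountPath: /mc-home
volumes:
  # emptyDir is created per pod and is writable by the injected UID.
  - name: mc-config
    emptyDir: {}
```

With this in place the two `oc adm policy add-scc-to-user anyuid` grants are not needed for the init container to finish.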
      

            People

              chenxiang cdmikechen