【Question title】: How can I give grafana user appropriate permission so that it can start successfully?
【Posted】: 2020-03-17 17:11:54
【Question description】:

Environment:

kubernetes provider: gke
kubernetes version: v1.13.12-gke.25
grafana version: 6.6.2 (official image)

Grafana deployment manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      name: grafana
      labels:
        app: grafana
    spec:
      containers:
      - name: grafana
        image: grafana/grafana:6.6.2
        ports:
        - name: grafana
          containerPort: 3000
        # securityContext:
        #     runAsUser: 104
        #     allowPrivilegeEscalation: true
        resources:
          limits:
            memory: "1Gi"
            cpu: "500m"
          requests: 
            memory: "500Mi"
            cpu: "100m"
        volumeMounts:
          - mountPath: /var/lib/grafana
            name: grafana-storage
      volumes:
        - name: grafana-storage
          persistentVolumeClaim:
              claimName: grafana-pvc

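Problem

When I deployed this grafana dashboard the first time, it was working fine. After some time I restarted the pod to check whether the volume mount was working. After the restart, I got the error below.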

mkdir: can't create directory '/var/lib/grafana/plugins': Permission denied
GF_PATHS_DATA='/var/lib/grafana' is not writable.
You may have issues with file permissions, more information here: http://docs.grafana.org/installation/docker/#migration-from-a-previous-version-of-the-docker-container-to-5-1-or-later

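What I understand from this error is that the user could create these files. How can I give this user appropriate permission to start grafana successfully?

【Question discussion】:

    Tags: kubernetes grafana


    【Solution 1】:

    I recreated your deployment with an appropriate PVC and noticed that the grafana pod was failing.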

    Output of command: $ kubectl get pods -n monitoring

    NAME                       READY   STATUS   RESTARTS   AGE
    grafana-6466cd95b5-4g95f   0/1     Error    2          65s
    

    Further investigation pointed to the same error as yours:

    mkdir: can't create directory '/var/lib/grafana/plugins': Permission denied
    GF_PATHS_DATA='/var/lib/grafana' is not writable.
    You may have issues with file permissions, more information here: http://docs.grafana.org/installation/docker/#migration-from-a-previous-version-of-the-docker-container-to-5-1-or-later
    

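    This error showed up on the first creation of the pod and the deployment. There was no need to recreate any pods.

    What I did was edit your deployment: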

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: grafana
      namespace: monitoring
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: grafana
      template:
        metadata:
          name: grafana
          labels:
            app: grafana
        spec:
          securityContext:
              runAsUser: 472
              fsGroup: 472
          containers:
          - name: grafana
            image: grafana/grafana:6.6.2
            ports:
            - name: grafana
              containerPort: 3000
            resources:
              limits:
                memory: "1Gi"
                cpu: "500m"
              requests:
                memory: "500Mi"
                cpu: "100m"
            volumeMounts:
              - mountPath: /var/lib/grafana
                name: grafana-storage
          volumes:
            - name: grafana-storage
              persistentVolumeClaim:
                  claimName: grafana-pvc
    

    Please take a specific look at this part:

          securityContext:
              runAsUser: 472
              fsGroup: 472
    

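    This is a setting described in the official documentation: Kubernetes.io: set the security context for a pod

    Please take a look at the GitHub issue that is similar to yours and pointed me to the solution that allowed the pod to spawn correctly:

    Grafana had some major updates starting from version 5.1. Please take a look: Grafana.com: Docs: Migrate to v5.1 or later

    Please let me know if this helps.

    【Discussion】:

    • This answer helped a lot, but it didn't quite work for me. I also had to add runAsUser: 0 to the securityContext parameters to get it to start. Thanks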
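
Why the `securityContext` settings discussed above change whether `/var/lib/grafana` is writable, as a small model added here (not code from the original post, Grafana or Kubernetes). Assumptions: the fresh volume root is root:root with mode 0755, the volume type is one on which the kubelet applies `fsGroup`, and the image's built-in user is uid/gid 472; all function names are hypothetical.

```python
import stat

# Constructed starting state (assumption): a freshly provisioned volume whose
# root directory is owned by root:root with mode 0755.
FRESH_VOLUME = {"uid": 0, "gid": 0, "mode": 0o755}

def apply_fs_group(vol, fs_group):
    """Model the kubelet's ownership change on a volume root when fsGroup is set:
    group becomes fsGroup, setgid is set, and rwxrwx--- is OR'd into the mode."""
    if fs_group is None:
        return dict(vol)
    return {"uid": vol["uid"], "gid": fs_group,
            "mode": vol["mode"] | 0o770 | stat.S_ISGID}

def can_create_in(vol, uid, groups):
    """POSIX rule for mkdir inside a directory: write and search bits are both needed."""
    if uid == 0:
        return True  # root bypasses discretionary permission checks
    if uid == vol["uid"]:
        bits = (vol["mode"] >> 6) & 0o7
    elif vol["gid"] in groups:
        bits = (vol["mode"] >> 3) & 0o7
    else:
        bits = vol["mode"] & 0o7
    return bits & 0o3 == 0o3

def evaluate(run_as_user=472, fs_group=None, primary_gid=472):
    """Return (data_dir_writable, runs_as_root) for a pod securityContext.
    The defaults (uid/gid 472) are an assumption about the image's built-in user."""
    vol = apply_fs_group(FRESH_VOLUME, fs_group)
    groups = {primary_gid} | ({fs_group} if fs_group is not None else set())
    return can_create_in(vol, run_as_user, groups), run_as_user == 0

if __name__ == "__main__":
    cases = {
        "no securityContext": {},
        "runAsUser: 104": {"run_as_user": 104, "primary_gid": 104},
        "runAsUser: 472, fsGroup: 472": {"run_as_user": 472, "fs_group": 472},
        "runAsUser: 0": {"run_as_user": 0, "primary_gid": 0},
    }
    for name, kwargs in cases.items():
        writable, root = evaluate(**kwargs)
        print(f"{name:30} writable={writable!s:5} runs_as_root={root}")
```

In this model `runAsUser: 0` passes only because root bypasses the permission check, so the container process then runs as root, whereas `fsGroup: 472` makes the directory group-writable for the non-root user.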