
Helm chart: volume-permissions init container command is wrong on first create fails

Open nodesocket opened this issue 3 years ago • 2 comments

Welcome!

  • [X] Yes, I've searched similar issues on GitHub and didn't find any.
  • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What version of the Traefik's Helm Chart are you using?

traefik-10.15.0

What version of Traefik are you using?

2.6.1

What did you do?

When using the optional initContainer to fix the volume permissions bug:

initContainers:
  - name: volume-permissions
    image: busybox:1.35.0
    command: ["sh", "-c", "chmod -Rv 600 /data/*"]
    volumeMounts:
      - name: data
        mountPath: /data

See https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L47

The command should be changed to chmod -Rv 600 /data/* || true so as not to fail if the directory mountPath does not exist, which is the case on install. Without || true the init container breaks with:

pi@kube-master: $ kubectl logs traefik-7d8bf8b9b-7bqq2 -c volume-permissions
chmod: /data/*: No such file or directory

What did you see instead?

Failed init container on fresh install.

chmod: /data/*: No such file or directory

What is your environment & configuration?

Helm: 3.8.1 Kubernetes: 1.23.3

Additional Information

No response

nodesocket avatar Mar 30 '22 04:03 nodesocket

Same here, any solution now?

chengleqi avatar Apr 29 '22 02:04 chengleqi

You could ignore errors:

initContainers:
  - name: volume-permissions
    image: busybox:1.35.0
    command: ["sh", "-c", "chmod -Rv 600 /data/* || echo oops"]
    volumeMounts:
      - name: data
        mountPath: /data

You could create/update some dummy file:

initContainers:
  - name: volume-permissions
    image: busybox:1.35.0
    command: ["sh", "-c", "date >/data/last-init ; chmod -Rv 600 /data/*"]
    volumeMounts:
      - name: data
        mountPath: /data

You could first deploy Traefik without this initContainer, and then enable this option once files were written in there.

Or you could use ext4 filesystem for your volume, in which case this /data/* would find at least some lost+found directory.

This initContainer configuration you mention isn't a default. Merely a sample. Obviously it would not suit all use cases -- and may not be necessary at all: chowning files is typically something Kubernetes could do for you, attaching volumes to containers while a pod is starting up.

The question really being: what are you trying to do here? Do you need to chown anything to begin with? On each start?! If this is really the case, I would instead investigate why those permissions need to be changed in the first place.

faust64 avatar May 01 '22 09:05 faust64
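
An alternative to masking the failure with `|| true` or `|| echo oops`, as an added example that is not part of the thread or of the chart: select files with find, so an empty volume succeeds while a missing mount point is still reported. The names fix_data_perms, glob_chmod and demo are hypothetical, and the scratch directory is a constructed stand-in for /data.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# The form from the thread: on an empty volume the shell passes the
# literal ".../*" to chmod, which fails with "No such file or directory".
glob_chmod() {
    chmod -R 600 "$1"/*
}

# Variant that needs no "|| true".
fix_data_perms() {
    dir=$1
    # A missing mount point is a real fault: report it, do not hide it.
    if [ ! -d "$dir" ]; then
        echo "fix_data_perms: $dir is not a directory" >&2
        return 2
    fi
    # find exits 0 when nothing matches, so a fresh install passes.
    # POSIX specifies a non-zero exit when an "-exec ... +" invocation
    # fails, so a chmod that really fails is not swallowed.
    # -type f leaves directories alone (they keep their search bit) and,
    # unlike the /data/* glob, also reaches dotfiles.
    find "$dir" -type f -exec chmod 600 {} +
}

# Constructed demo on a scratch directory standing in for /data.
demo() {
    d=$(mktemp -d) || return 1
    if glob_chmod "$d"; then echo "glob, empty dir: ok"
    else echo "glob, empty dir: failed"; fi
    if fix_data_perms "$d"; then echo "find, empty dir: ok"
    else echo "find, empty dir: failed"; fi
    echo '{}' > "$d/acme.json"
    chmod 644 "$d/acme.json"
    fix_data_perms "$d" && ls -l "$d/acme.json"
    rm -rf "$d"
}

demo
```

In the values file the body of fix_data_perms would go into the `sh -c` string in place of the chmod glob.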

Hello @nodesocket,

Following #164, we updated the workaround with PR #658.

Does it work for you?

mloiseleur avatar Oct 13 '22 16:10 mloiseleur

@mloiseleur ummm I have my command as just:

  initContainers:
    - name: volume-permissions
      image: busybox:1.35.0
      command: ["sh", "-c", "chmod -Rv 600 /data/* || true"]
      volumeMounts:
        - name: data
          mountPath: /data

That seems to be working consistently for me.

nodesocket avatar Oct 13 '22 17:10 nodesocket

So I understand that your issue is fixed. Cool!

mloiseleur avatar Oct 14 '22 07:10 mloiseleur

Where does the initContainers need to be added?

fabltd avatar Oct 27 '22 08:10 fabltd

This should be in your values file. See: https://github.com/traefik/traefik-helm-chart/blob/e3d2f6e32f4d2e5ddb5c9f365d3836787a7a8218/traefik/values.yaml#L45-L54

faust64 avatar Oct 27 '22 11:10 faust64