error on first time deploy of chart ISPN000512 Cannot acquire lock /opt/infinispan/server/data/___global.lck about infinispan-helm-charts HOT 9 CLOSED

possibly we could expose the fsgroup workaround via a flag in the values.yaml file

from infinispan-helm-charts.

+1 to allowing this to be configurable. How about allowing a user to specify the entire container securityContext via deploy.container.securityContext?

from infinispan-helm-charts.

I happened to have the exact same problem this morning. It seems that the persistent volume needs to be updated to allow it be writable.

Setting deploy.makeDataDirWritable: true in the values of the chart should solve this.

from infinispan-helm-charts.

Thanks @rigazilla . I updated the config and the containers are starting up now without the need to set privileged on the namespace.

from infinispan-helm-charts.

This also affects our operator infinispan/infinispan-operator#392

Unfortunately we only have the workaround suggested by @rjl79. It would be great to have a better solution for this that didn't require an explicit workaround, but so far investigating this has been a low priority. Any suggestions are very welcome 🙂

from infinispan-helm-charts.

Thanks for the workaround @rjl79, although I cannot seem to get that to work.
I changed makeDataDirWritable: true in values.yaml and got Init:CreateContainerConfigError. I also tried this by modified my install command as such helm install infinispan-server . --set deploy.makeDataDirWritable=true -n token-cache and got Init:CreateContainerConfigError as well.

Error: container has runAsNonRoot and image will run as root (pod: "infinispan-server-0_token-service-cache-playground(1177de15-91ca-4ae6-97e0-92692a877e27)", container: data-chmod-pv)

Does this need to run as Root? I don't see anything in values.yaml that I can change related to this.

from infinispan-helm-charts.

another workaround could be to explicitly set the fs group on the pv. See here

from infinispan-helm-charts.

@rigazilla Sorry not quite following how that changes anything. Our situation is we are deploying to a namespace without privileged pod security. The initContainer data-chmod-pv seems like what is requiring elevated permissions and terminates when it's done. Leaving the infinispan container running as the jboss user. From what the template blocks says, the initContainer data-chmod-pv only runs when we set deploy.makeDataDirWriteable to true which is to fix the above issue error ISPN000512 Cannot acquire lock /opt/infinispan/server/data/___global.lck. Taking all this in seems to make me think we just need a way to set the perms and mount that /opt/infinispan/server/data other than using the initContainer. I added the fsGroup as in the link you provided, but it didn't change anything on our end when turning off privileged access in the namespace. I haven't had much exposure to helm charts, so maybe I'm missing something.

from infinispan-helm-charts.

@thetoolsmith , you have security issue or the solution doesn't work?

I didn't specify but you don't need the deploy.makeDataDirWriteable: true change for this; with fsGroup kubernetes should set correctly the group on the file system for you (see here)

from infinispan-helm-charts.