That's an OpenShift security feature so that your user IDs are more unique, and have less access between containers. I would suggest trying to alter your range of user IDs on your cluster if you don't want to modify the image.
On Thu, Feb 13, 2020 at 11:09 AM Fill, Natalia <[email protected]> wrote:
> Public
>
> Hi Shawn,
> First I tried modifying securityContext first and the familiar error
> appeared. I remember trying to run as user 1000 a few days ago and had an
> error similar to below. OpenShift has restrictions on this value.
>
> Error creating: pods "nifi-4-" is forbidden: unable to validate
> against any security context constraint: [fsGroup: Invalid value:
> []int64{1000}: 1000 is not an allowed group
> spec.containers[0].securityContext.securityContext.runAsUser: Invalid
> value: 1000: must be in the ranges: [1000470000, 1000479999]]
>
> So if Nifi has to run as user 1000 and OpenShift only allows range
> [1000470000, 1000479999] then the issue is not resolvable in the current
> image.
> Let me know if you have other views on it.
>
> Thanks
>
> Natalia Fill
> Analyst Software Developer
>
> -----Original Message-----
> From: Fill, Natalia [mailto:[email protected]]
> Sent: 13 February 2020 14:32
> To: [email protected]; Endre Kovacs
> Cc: Ali, Rizwan
> Subject: RE: Running Nifi on OpenShift
>
> Public
>
> Hi Shawn,
>
> Thank you for your message. I will add your suggested configs and try it
> out today. It certainly has new content not present in my yml so hopefully
> it will resolve the issue.
>
> Thanks
>
> Natalia Fill
> Analyst Software Developer
>
> -----Original Message-----
> From: Shawn Weeks [mailto:[email protected]]
> Sent: 13 February 2020 14:26
> To: [email protected]; Endre Kovacs
> Cc: Ali, Rizwan
> Subject: Re: Running Nifi on OpenShift
>
> Your attachment didn't make it through but here are a couple of things to
> note. First of all if you try and put the ./conf directory in a volume
> you'll have to run an init container to copy the initial contents to the
> volume. Kubernetes unlike Docker does not replicate from the container.
>
> Here is how I did that and I'm generally available on Slack if you want
> quicker answers.
>
> initContainers:
>   - name: init-nifi-conf
>     image: apache/nifi:latest
>     volumeMounts:
>       - mountPath: "/opt/nifi/nifi-current/new-conf"
>         name: nifi-conf-claim
>     command:
>       - sh
>       - '-c'
>       - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'
>
> The other thing you'll want to include is this to set the user and group
> id to 1000 which is what the apache image container expects since you're not
> running as root.
>
> securityContext:
>   runAsUser: 1000
>   runAsGroup: 1000
>   fsGroup: 1000
>
> Here is my complete yaml.
>
> apiVersion: v1
> kind: Service
> metadata:
>   name: nifi-service
>   namespace: nifi
> spec:
>   clusterIP: None
>   selector:
>     app: nifi
>   ports:
>     - protocol: TCP
>       port: 8080
>   type: ClusterIP
> ---
> apiVersion: networking.k8s.io/v1beta1
> kind: Ingress
> metadata:
>   name: nifi-ingress
>   namespace: nifi
> spec:
>   rules:
>     - host: nifi.dev.example.com
>       http:
>         paths:
>           - backend:
>               serviceName: nifi-service
>               servicePort: 8080
>   tls:
>     - hosts:
>         - nifi.dev.example.com
>       secretName: nifi-ssl-cert
> ---
> apiVersion: apps/v1
> kind: StatefulSet
> metadata:
>   name: nifi-workload
>   namespace: nifi
> spec:
>   replicas: 3
>   podManagementPolicy: Parallel
>   updateStrategy:
>     type: RollingUpdate
>   serviceName: nifi-service
>   selector:
>     matchLabels:
>       app: nifi
>   template:
>     metadata:
>       labels:
>         app: nifi
>     spec:
>       nodeSelector:
>         node-role.nifi: "true"
>       securityContext:
>         runAsUser: 1000
>         runAsGroup: 1000
>         fsGroup: 1000
>       initContainers:
>         - name: init-nifi-conf
>           image: apache/nifi:latest
>           volumeMounts:
>             - mountPath: "/opt/nifi/nifi-current/new-conf"
>               name: nifi-conf-claim
>           command:
>             - sh
>             - '-c'
>             - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'
>       containers:
>         - image: apache/nifi:latest
>           imagePullPolicy: Always
>           name: nifi
>           ports:
>             - containerPort: 8080
>             - containerPort: 10000
>           volumeMounts:
>             - mountPath: "/opt/nifi/nifi-current/conf"
>               name: nifi-conf-claim
>             - mountPath: "/opt/nifi/nifi-current/database_repository"
>               name: nifi-db-claim
>             - mountPath: "/opt/nifi/nifi-current/flowfile_repository"
>               name: nifi-flow-claim
>             - mountPath: "/opt/nifi/nifi-current/content_repository"
>               name: nifi-content-claim
>             - mountPath: "/opt/nifi/nifi-current/provenance_repository"
>               name: nifi-prov-claim
>             - mountPath: "/opt/nifi/nifi-current/state"
>               name: nifi-state-claim
>             - mountPath: "/opt/nifi/nifi-current/logs"
>               name: nifi-logs-claim
>           env:
>             - name: MY_POD_NAME
>               valueFrom:
>                 fieldRef:
>                   fieldPath: metadata.name
>             - name: NIFI_CLUSTER_IS_NODE
>               value: "true"
>             - name: NIFI_ZK_CONNECT_STRING
>               value: "zookeeper-0.zookeeper-headless.nifi:2181,zookeeper-1.zookeeper-headless.nifi:2181,zookeeper-2.zookeeper-headless.nifi:2181"
>             - name: NIFI_CLUSTER_NODE_PROTOCOL_PORT
>               value: "11443"
>             - name: "NIFI_ELECTION_MAX_CANDIDATES"
>               value: "3"
>             - name: "NIFI_JVM_HEAP_INIT"
>               value: "64g"
>             - name: "NIFI_JVM_HEAP_MAX"
>               value: "64g"
>             - name: "NIFI_WEB_HTTP_HOST"
>               value: "$(MY_POD_NAME).nifi-service"
>             - name: NIFI_CLUSTER_ADDRESS
>               value: "$(MY_POD_NAME).nifi-service"
>             - name: NIFI_REMOTE_INPUT_HOST
>               value: "$(MY_POD_NAME).nifi-service"
>   volumeClaimTemplates:
>     - metadata:
>         name: nifi-conf-claim
>       spec:
>         accessModes: ["ReadWriteOnce"]
>         resources:
>           requests:
>             storage: 10Gi
>     - metadata:
>         name: nifi-db-claim
>       spec:
>         accessModes: ["ReadWriteOnce"]
>         resources:
>           requests:
>             storage: 10Gi
>     - metadata:
>         name: nifi-flow-claim
>       spec:
>         accessModes: ["ReadWriteOnce"]
>         resources:
>           requests:
>             storage: 10Gi
>     - metadata:
>         name: nifi-content-claim
>       spec:
>         accessModes: ["ReadWriteOnce"]
>         resources:
>           requests:
>             storage: 10Gi
>     - metadata:
>         name: nifi-prov-claim
>       spec:
>         accessModes: ["ReadWriteOnce"]
>         resources:
>           requests:
>             storage: 10Gi
>     - metadata:
>         name: nifi-state-claim
>       spec:
>         accessModes: ["ReadWriteOnce"]
>         resources:
>           requests:
>             storage: 10Gi
>     - metadata:
>         name: nifi-logs-claim
>       spec:
>         accessModes: ["ReadWriteOnce"]
>         resources:
>           requests:
>             storage: 10Gi
>
> On 2/13/20, 3:50 AM, "Fill, Natalia" <[email protected]> wrote:
>
> Public
>
> Hi Shawn,
>
> We have internal Jenkins deployment process, which eventually comes
> down to running yml configs on OpenShift.
> I attached two yml files. One version with storage mounted and one
> without.
> The one with storage mounted expects nifi properties file, which I
> think should come from image. So there is something wrong about this set
> up. I would expect it to use default properties and don't know which ones to
> give it. See my point 4 in original email below.
> The one without persistent storage mounted comes up with permission
> error: /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied. See
> original email for full story about this.
> I had a few goes on trying to resolve it as per my original story below.
> I have read somewhere that the issue could be due to the fact that
> Nifi image tries to run as root but OpenShift doesn't allow it by default.
> Not sure if this is still true for the latest 1.11.1 version of docker
> image.
> If you can suggest what is wrong with these yml files or maybe some
> settings need to change on OpenShift admin side it hopefully will help to
> resolve the issue.
>
> Thank you
>
> Natalia Fill
> Analyst Software Developer
>
> -----Original Message-----
> From: Shawn Weeks [mailto:[email protected]]
> Sent: 12 February 2020 21:16
> To: [email protected]; Endre Kovacs
> Cc: Ali, Rizwan
> Subject: Re: Running Nifi on OpenShift
>
> I recognize that running NiFi on Kubernetes isn't quite as easy as
> starting it in Docker but it's also not that hard if you've worked with
> Kubernetes a bit. More than likely the issue is in your Kubernetes Yaml
> that you used to deploy NiFi with. This is separate from nifi.properties
> and would have been the config file you used in the command "kubectl apply
> -f nifi.yaml" or are you trying to deploy with Helm?
>
> Thanks
> Shawn
>
> On 2/12/20, 2:26 PM, "Fill, Natalia" <[email protected]> wrote:
>
> Public
>
> Hi Endre,
>
> I certainly agree with the bare metal option. The reason I have a
> specific request for OpenShift is the requirement to adhere to the
> organisational architectural road map.
> I cannot agree more that it is not a single person task. I was
> working on it for a few days with the OpenShift administrator (on CC list)
> helping me out.
> Your links certainly give an impression that this task is not for the
> faint hearted.
>
> Best regards,
>
> Natalia
>
> -----Original Message-----
> From: Endre Kovacs [mailto:[email protected]]
> Sent: 12 February 2020 19:43
> To: [email protected]
> Subject: Re: Running Nifi on OpenShift
>
> Hi,
>
> If making NiFi work on K8S is a beast, then making it work on
> Openshift is a category-5 Kaiju [1][2].
>
> This is definitely not a few days task for a single person.
>
> Why not run NiFi just in docker (docker-compose)? Or on bare metal?
>
> Best regards,
> Endre
>
> [1] https://en.wikipedia.org/wiki/Kaiju
> [2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia <[email protected]> wrote:
>
> > Public
> >
> > Hi,
> > I am trying to run Nifi pod on OpenShift for several days now
> > and unfortunately unsuccessfully.
> >
> > The error that I am getting persistently is replacing target file
> > /opt/nifi/nifi-current/conf/nifi.properties
> > sed: couldn't open temporary file
> > /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied
> >
> > I have tried several things to resolve the issue:
> > My images are downloaded from https://hub.docker.com/r/apache/nifi
> >
> > 1. First I ran the 1.10.0 image which resulted in the error above
> >
> > 2. Upgraded to 1.11.1 image, the error still persists
> >
> > 3. Tried wrapping the above images in my own image with the following
> > modifications to docker file (used various paths to chmod opt/
> > opt/nifi), still the same error
> >
> > FROM xxxRegistry/apache-nifi:1.11.1
> > USER root
> > RUN chmod -R 777 /opt
> > USER 1000
> >
> > 4. Mounted volume opt/nifi, but this resulted in nifi properties file
> > not being found, so removed volume as it overwrites Nifi paths
> >
> > 5. Involved OpenShift administrators to create privileged account for
> > nifi and altered my yml to use that account (SUPPLEMENTAL_GROUP is
> > what all our pods run under and sn_nif was created specially to
> > resolve this case)
> >
> > securityContext:
> >   supplementalGroups:
> >     - ${SUPPLEMENTAL_GROUP}
> > serviceAccount: sn-nif
> > serviceAccountName: sn-nif
> >
> > 6. Removed securityContext to ensure serviceAccount is used
> >
> > Can someone please suggest how to resolve this issue. Otherwise
> > I will have to give up on Nifi as I don't have any more time on this
> > project to spend on Nifi config.
> >
> > Thank you
> >
> > Natalia
> >
> > Natalia Fill
> > Analyst Software Developer
> > Legal and General Investment Management One Coleman Street, London,
> > EC2R 5AA
> > 020 3124 3430
> > www.lgim.com
> > This e-mail (and any attachments) may contain privileged and/or
> > confidential information. If you are not the intended recipient please do
> > not disclose, copy, distribute, disseminate or take any action in reliance
> > on it. If you have received this message in error please reply and tell us
> > and then delete it. Should you wish to communicate with us by e-mail we
> > cannot guarantee the security of any data outside our own computer systems.
> >
> > Any information contained in this message may be subject to
> > applicable terms and conditions and must not be construed as giving
> > investment advice within or outside the United Kingdom or Republic of
> > Ireland.
> >
> > Telephone Conversations may be recorded for your protection and to
> > ensure quality of service
> >
> > Legal & General Investment Management Limited (no 2091894), LGIM Real
> > Assets (Operator) Limited (no 05522016), LGIM (International) Limited
> > (no 7716001) Legal & General Unit Trust Managers (no 1009418), GO ETF
> > Solutions LLP (OC329482) and LGIM Corporate Director Limited (no
> > 7105051) are authorised and regulated by the Financial Conduct
> > Authority. All are registered in England & Wales with a registered
> > office at One Coleman Street, London, EC2R 5AA
> >
> > Legal & General Assurance (Pensions Management) Limited (no
> > 1006112) is authorised by the Prudential Regulation Authority and regulated
> > by the Financial Conduct Authority and the Prudential Regulation Authority.
> > It is registered in England & Wales with a registered office at One Coleman
> > Street, London, EC2R 5AA.
> >
> > Legal & General Property Limited (no 2091897) is authorised and
> > regulated by the Financial Conduct Authority for insurance mediation
> > activities. It is registered in England & Wales with a registered office at
> > One Coleman Street, London, EC2R 5AA.
> >
> > LGIM Managers (Europe) Limited is authorised and regulated by
> > the Central Bank of Ireland (C173733). It is registered in the Republic of
> > Ireland (no 609677) with a registered office at 33/34 Sir John Rogerson's
> > Quay, Dublin 2, D02 XK09.
> >
> > Legal & General Group PLC, Registered Office One Coleman Street,
> > London, EC2R 5AA.
> >
> > Registered in England no: 1417162
> >
> > **** This email has come from the internet and has been scanned for
> > all viruses and potentially offensive content by Messagelabs on behalf
> > of Legal & General ****
>
> ________________________________________________________________________
> *** This email has come from the internet and has been scanned for
> all viruses and potentially offensive content by Messagelabs on behalf of
> Legal & General. Please report unwanted spam email to [email protected]
> ***
>
> Please consider the environment before printing this email.
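The SCC error quoted in this thread can be reproduced before `kubectl apply` rather than at admission time. As an added example (not code from anyone in the thread), the script below reads the two annotations OpenShift sets on a namespace for the restricted SCC, `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups`, and flags a `runAsUser` or `fsGroup` outside those ranges, which is exactly what rejected the `1000/1000/1000` securityContext above. The namespace values are constructed to match the `[1000470000, 1000479999]` range in the error; on a real cluster they come from `oc get namespace <ns> -o yaml`.

```python
"""Pre-flight check of a pod securityContext against the SCC ranges of an
OpenShift namespace (added example; mirrors the admission error in the thread)."""
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive (min, max), as printed in the SCC error


def parse_ranges(annotation: str) -> List[Range]:
    """Parse comma-separated blocks of <start>/<size> or <start>-<end>; "1000470000/10000" -> [(1000470000, 1000479999)]."""
    ranges: List[Range] = []
    for block in annotation.split(","):
        block = block.strip()
        if "/" in block:
            start, size = (int(x) for x in block.split("/", 1))
            ranges.append((start, start + size - 1))
        elif "-" in block:
            lo, hi = (int(x) for x in block.split("-", 1))
            ranges.append((lo, hi))
    return ranges


def in_ranges(value: int, ranges: List[Range]) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


def check_security_context(sc: Dict, annotations: Dict[str, str]) -> List[str]:
    """Return SCC-style violations; only runAsUser and fsGroup, the two fields the quoted error names."""
    uid_ranges = parse_ranges(annotations.get("openshift.io/sa.scc.uid-range", ""))
    gid_ranges = parse_ranges(annotations.get("openshift.io/sa.scc.supplemental-groups", ""))
    problems: List[str] = []
    uid = sc.get("runAsUser")
    if uid is not None and not in_ranges(uid, uid_ranges):
        problems.append(f"runAsUser: Invalid value: {uid}: must be in the ranges: {uid_ranges}")
    gid = sc.get("fsGroup")
    if gid is not None and not in_ranges(gid, gid_ranges):
        problems.append(f"fsGroup: Invalid value: [{gid}]: {gid} is not an allowed group")
    return problems


# Constructed sample: namespace annotations matching the thread's error range,
# checked against the runAsUser/fsGroup 1000 that the apache/nifi image expects.
NS_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1000470000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1000470000/10000",
}
NIFI_SC = {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000}

if __name__ == "__main__":
    for problem in check_security_context(NIFI_SC, NS_ANNOTATIONS):
        print("forbidden:", problem)
```

A manifest that omits `runAsUser` and `fsGroup` passes the check, because the restricted SCC then assigns values from the range itself; that is the "alter your range of user IDs or modify the image" trade-off the reply at the top describes.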
