Re: Running Nifi on OpenShift

2020-02-13 Thread Shawn Weeks
      ollingParams:
        intervalSeconds: 1
        maxSurge: 25%
        maxUnavailable: 25%
        timeoutSeconds: 600
        updatePeriodSeconds: 1
      type: Rolling
    template:
      metadata:
        creationTimestamp: null
        name: ${APPLICATION_NAME}
        labels:
          name: ${APPLICATION_NAME}
      spec:
        initContainers:
        - name: initconf
          image: ${DOCKER_PARENT_REGISTRY}/${DOCKER_TEAM_NAMESPACE}/platform-nifi:latest
          volumeMounts:
          - mountPath: "/opt/nifi/nifi-current/conf"
            name: nificonf-mount
          command:
          - sh
          - '-c'
          - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/conf/'
        containers:
        - env:
          - name: "NIFI_JAVA_XMS"
            value: ${NIFI_JAVA_XMS}
          - name: "NIFI_JAVA_XMX"
            value: ${NIFI_JAVA_XMX}
          - name: "NIFI_TIMEZONE"
            value: ${NIFI_TIMEZONE}
          image: ${DOCKER_PARENT_REGISTRY}/${DOCKER_TEAM_NAMESPACE}/platform-nifi:latest
          imagePullPolicy: Always
          name: ${APPLICATION_NAME}
          ports:
          - name: http
            containerPort: 8080
            protocol: TCP
          resources:
            limits:
              cpu: ${CPU_LIMIT}
              memory: ${MEMORY_LIMIT}
            requests:
              cpu: ${CPU_REQUEST}
              memory: ${MEMORY_REQUEST}
          volumeMounts:
          - mountPath: "/opt/nifi/nifi-current/conf"
            name: nificonf-mount
        securityContext:
          supplementalGroups:
          - ${SUPPLEMENTAL_GROUP}
        serviceAccount: apache-nifi
        serviceAccountName: apache-nifi
        terminationGracePeriodSeconds: 30
        volumes:
        - name: nificonf-mount
          persistentVolumeClaim:
            claimName: nificonf-claim
    triggers: {}
- apiVersion: v1
  kind: PersistentVolumeClaim
  apiVersion: v1
  metadata:
    name: nificonf-claim
  spec:
    accessModes:
      - ReadWriteMany
    resources:
      requests:
        storage: 1Gi
    selector:
      matchLabels:
        function: ${NAMESPACE}-nificonf
    
Thanks
Natalia Fill
Analyst Software Developer

-Original Message-
From: Fill, Natalia
Sent: 13 February 2020 16:09
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,
First I tried modifying securityContext and the familiar error 
appeared. I remember trying to run as user 1000 a few days ago and had an error 
similar to the one below. OpenShift has restrictions on this value.

Error creating: pods "nifi-4-" is forbidden: unable to validate against 
any security context constraint: [fsGroup: Invalid value: []int64{1000}: 1000 
is not an allowed group 
spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 
1000: must be in the ranges: [100047, 100047]]

So if Nifi has to run as user 1000 and OpenShift only allows range 
[100047, 100047] then the issue is not resolvable in the current image. 
Let me know if you have other views on it.
    
Thanks
    
Natalia Fill
Analyst Software Developer

-Original Message-
From: Fill, Natalia [mailto:natalia.f...@lgim.com]
Sent: 13 February 2020 14:32
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,

Thank you for your message. I will add your suggested configs and try it 
out today. It certainly has new content not present in my yml so hopefully it 
will resolve the issue.
    
Thanks

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 13 February 2020 14:26
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

Your attachment didn't make it through but here are a couple of things to 
note. First of all if you try and put the ./conf directory in a volume you'll 
have to run an init container to copy the initial contents to the volume. 
Kubernetes unlike Docker does not replicate from the container.

Here is how I did that and I'm generally available on Slack if you want 
quicker answers.

  initContainers:
    - name: init-nifi-conf
      image: apache/nifi:latest
      volumeMounts:
        - mountPath: "/opt/nifi/nifi-current/new-conf"
          name

RE: Running Nifi on OpenShift

2020-02-13 Thread Fill, Natalia
            value: ${NIFI_JAVA_XMX}
          - name: "NIFI_TIMEZONE"
            value: ${NIFI_TIMEZONE}
          image: ${DOCKER_PARENT_REGISTRY}/${DOCKER_TEAM_NAMESPACE}/platform-nifi:latest
          imagePullPolicy: Always
          name: ${APPLICATION_NAME}
          ports:
          - name: http
            containerPort: 8080
            protocol: TCP
          resources:
            limits:
              cpu: ${CPU_LIMIT}
              memory: ${MEMORY_LIMIT}
            requests:
              cpu: ${CPU_REQUEST}
              memory: ${MEMORY_REQUEST}
          volumeMounts:
          - mountPath: "/opt/nifi/nifi-current/conf"
            name: nificonf-mount
        securityContext:
          supplementalGroups:
          - ${SUPPLEMENTAL_GROUP}
        serviceAccount: apache-nifi
        serviceAccountName: apache-nifi
        terminationGracePeriodSeconds: 30
        volumes:
        - name: nificonf-mount
          persistentVolumeClaim:
            claimName: nificonf-claim
    triggers: {}
- apiVersion: v1
  kind: PersistentVolumeClaim
  apiVersion: v1
  metadata:
    name: nificonf-claim
  spec:
    accessModes:
      - ReadWriteMany
    resources:
      requests:
        storage: 1Gi
    selector:
      matchLabels:
        function: ${NAMESPACE}-nificonf

Thanks
Natalia Fill
Analyst Software Developer

-Original Message-
From: Fill, Natalia
Sent: 13 February 2020 16:09
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,
First I tried modifying securityContext and the familiar error 
appeared. I remember trying to run as user 1000 a few days ago and had an error 
similar to the one below. OpenShift has restrictions on this value.

Error creating: pods "nifi-4-" is forbidden: unable to validate against 
any security context constraint: [fsGroup: Invalid value: []int64{1000}: 1000 
is not an allowed group 
spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 
1000: must be in the ranges: [100047, 100047]]

So if Nifi has to run as user 1000 and OpenShift only allows range [100047, 
100047] then the issue is not resolvable in the current image. 
Let me know if you have other views on it.

Thanks

Natalia Fill
Analyst Software Developer

-Original Message-
From: Fill, Natalia [mailto:natalia.f...@lgim.com]
Sent: 13 February 2020 14:32
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,

Thank you for your message. I will add your suggested configs and try it out 
today. It certainly has new content not present in my yml so hopefully it will 
resolve the issue.

Thanks

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 13 February 2020 14:26
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

Your attachment didn't make it through but here are a couple of things to note. 
First of all if you try and put the ./conf directory in a volume you'll have to 
run an init container to copy the initial contents to the volume. Kubernetes 
unlike Docker does not replicate from the container.

Here is how I did that and I'm generally available on Slack if you want quicker 
answers.

  initContainers:
    - name: init-nifi-conf
      image: apache/nifi:latest
      volumeMounts:
        - mountPath: "/opt/nifi/nifi-current/new-conf"
          name: nifi-conf-claim
      command:
        - sh
        - '-c'
        - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'

The other thing you'll want to include is this to set the user and group id to 
1000 which is what the apache image container expects since you're not running as 
root.

  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000

Here is my complete yaml.

apiVersion: v1
kind: Service
metadata:
  name: nifi-service
  namespace: nifi
spec:
  clusterIP: None
  selector:
    app: nifi
  ports:
    - protocol: TCP
      port: 8080
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nifi-ingress
  namespace: nifi
spec:
  rules:
  - host: nifi.dev.example.com
    http:
      paths:
      - backend:
          serviceName: nifi-service
          servicePort: 8080
  tls:
  - hosts:
    - nifi.dev.example.com
    secretName: nifi-ssl-cert
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nifi-workload
  namespace: nifi
spec:
  replicas: 3
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  serviceName: nifi-service
  selector:
    matchLabels:
      app: nifi
  template:
    metadata:
      labels:
        app: nifi
    spec:
      nodeSelector:
        node-role.nifi: "true"
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
   

RE: Running Nifi on OpenShift

2020-02-13 Thread Fill, Natalia
Public

Thanks Jon, I will pass your suggestions to our OpenShift administrator. 
Hopefully there are no internal rules that will restrict us from implementing it.
Thank you

Natalia Fill
Analyst Software Developer

-Original Message-
From: Jon Logan [mailto:jmlo...@buffalo.edu]
Sent: 13 February 2020 16:50
To: dev@nifi.apache.org
Cc: Ali, Rizwan; Endre Kovacs
Subject: Re: Running Nifi on OpenShift

I think this describes what you would need to do.

https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html


On Thu, Feb 13, 2020 at 11:38 AM Jon Logan  wrote:

> That's an OpenShift security feature so that your user IDs are more 
> unique, and have less access between containers. I would suggest 
> trying to alter your range of user IDs on your cluster if you don't 
> want to modify the image.
>
> On Thu, Feb 13, 2020 at 11:09 AM Fill, Natalia 
> wrote:
>
>> Public
>>
>> Hi Shawn,
>> First I tried modifying securityContext and the familiar error 
>> appeared. I remember trying to run as user 1000 a few days ago and 
>> had an error similar to the one below. OpenShift has restrictions on this value.
>>
>> Error creating: pods "nifi-4-" is forbidden: unable to 
>> validate against any security context constraint: [fsGroup: Invalid value:
>> []int64{1000}: 1000 is not an allowed group
>> spec.containers[0].securityContext.securityContext.runAsUser: Invalid
>> value: 1000: must be in the ranges: [100047, 100047]]
>>
>> So if Nifi has to run as user 1000 and OpenShift only allows range 
>> [100047, 100047] then the issue is not resolvable in the 
>> current image.
>> Let me know if you have other views on it.
>>
>> Thanks
>>
>> Natalia Fill
>> Analyst Software Developer
>>
>> -Original Message-----
>> From: Fill, Natalia [mailto:natalia.f...@lgim.com]
>> Sent: 13 February 2020 14:32
>> To: dev@nifi.apache.org; Endre Kovacs
>> Cc: Ali, Rizwan
>> Subject: RE: Running Nifi on OpenShift
>>
>> Public
>>
>> Hi Shawn,
>>
>> Thank you for your message. I will add your suggested configs and try 
>> it out today. It certainly has new content not present in my yml so 
>> hopefully it will resolve the issue.
>>
>> Thanks
>>
>> Natalia Fill
>> Analyst Software Developer
>>
>> -Original Message-
>> From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
>> Sent: 13 February 2020 14:26
>> To: dev@nifi.apache.org; Endre Kovacs
>> Cc: Ali, Rizwan
>> Subject: Re: Running Nifi on OpenShift
>>
>> Your attachment didn't make it through but here are a couple of 
>> things to note. First of all if you try and put the ./conf directory 
>> in a volume you'll have to run an init container to copy the initial 
>> contents to the volume. Kubernetes unlike Docker does not replicate from the 
>> container.
>>
>> Here is how I did that and I'm generally available on Slack if you 
>> want quicker answers.
>>
>>   initContainers:
>> - name: init-nifi-conf
>>   image: apache/nifi:latest
>>   volumeMounts:
>> - mountPath: "/opt/nifi/nifi-current/new-conf"
>>   name: nifi-conf-claim
>>   command:
>> - sh
>> - '-c'
>> - '\cp /opt/nifi/nifi-current/conf/* 
>> /opt/nifi/nifi-current/new-conf/'
>>
>> The other thing you'll want to include is this to set the user and 
>> group id to 1000 which is what the apache image container expects 
>> since you're not running as root.
>>
>>   securityContext:
>> runAsUser: 1000
>> runAsGroup: 1000
>> fsGroup: 1000
>>
>> Here is my complete yaml.
>>
>> apiVersion: v1
>> kind: Service
>> metadata:
>>   name: nifi-service
>>   namespace: nifi
>> spec:
>>   clusterIP: None
>>   selector:
>> app: nifi
>>   ports:
>> - protocol: TCP
>>   port: 8080
>>   type: ClusterIP
>> ---
>> apiVersion: networking.k8s.io/v1beta1
>> kind: Ingress
>> metadata:
>>   name: nifi-ingress
>>   namespace: nifi
>> spec:
>>   rules:
>>   - host: nifi.dev.example.com
>> http:
>>   paths:
>>   - backend:
>>   serviceName: nifi-service
>>   servicePort: 8080
>>   tls:
>>   - hosts:
>> - nifi.dev.example.com
>> secretName: nifi-ssl-cert
>> ---
>> apiVersion: ap

Re: Running Nifi on OpenShift

2020-02-13 Thread Jon Logan
I think this describes what you would need to do.

https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html


On Thu, Feb 13, 2020 at 11:38 AM Jon Logan  wrote:

> That's an OpenShift security feature so that your user IDs are more unique,
> and have less access between containers. I would suggest trying to alter
> your range of user IDs on your cluster if you don't want to modify the
> image.
>
> On Thu, Feb 13, 2020 at 11:09 AM Fill, Natalia 
> wrote:
>
>> Public
>>
>> Hi Shawn,
>> First I tried modifying securityContext and the familiar error
>> appeared. I remember trying to run as user 1000 a few days ago and had
>> an error similar to the one below. OpenShift has restrictions on this value.
>>
>> Error creating: pods "nifi-4-" is forbidden: unable to validate
>> against any security context constraint: [fsGroup: Invalid value:
>> []int64{1000}: 1000 is not an allowed group
>> spec.containers[0].securityContext.securityContext.runAsUser: Invalid
>> value: 1000: must be in the ranges: [100047, 100047]]
>>
>> So if Nifi has to run as user 1000 and OpenShift only allows range
>> [100047, 100047] then the issue is not resolvable in the current
>> image.
>> Let me know if you have other views on it.
>>
>> Thanks
>>
>> Natalia Fill
>> Analyst Software Developer
>>
>> -Original Message-----
>> From: Fill, Natalia [mailto:natalia.f...@lgim.com]
>> Sent: 13 February 2020 14:32
>> To: dev@nifi.apache.org; Endre Kovacs
>> Cc: Ali, Rizwan
>> Subject: RE: Running Nifi on OpenShift
>>
>> Public
>>
>> Hi Shawn,
>>
>> Thank you for your message. I will add your suggested configs and try it
>> out today. It certainly has new content not present in my yml so hopefully
>> it will resolve the issue.
>>
>> Thanks
>>
>> Natalia Fill
>> Analyst Software Developer
>>
>> -Original Message-
>> From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
>> Sent: 13 February 2020 14:26
>> To: dev@nifi.apache.org; Endre Kovacs
>> Cc: Ali, Rizwan
>> Subject: Re: Running Nifi on OpenShift
>>
>> Your attachment didn't make it through but here are a couple of things to
>> note. First of all if you try and put the ./conf directory in a volume
>> you'll have to run an init container to copy the initial contents to the
>> volume. Kubernetes unlike Docker does not replicate from the container.
>>
>> Here is how I did that and I'm generally available on Slack if you want
>> quicker answers.
>>
>>   initContainers:
>> - name: init-nifi-conf
>>   image: apache/nifi:latest
>>   volumeMounts:
>> - mountPath: "/opt/nifi/nifi-current/new-conf"
>>   name: nifi-conf-claim
>>   command:
>> - sh
>> - '-c'
>> - '\cp /opt/nifi/nifi-current/conf/*
>> /opt/nifi/nifi-current/new-conf/'
>>
>> The other thing you'll want to include is this to set the user and group
>> id to 1000 which is what the apache image container expects since you're not
>> running as root.
>>
>>   securityContext:
>> runAsUser: 1000
>> runAsGroup: 1000
>> fsGroup: 1000
>>
>> Here is my complete yaml.
>>
>> apiVersion: v1
>> kind: Service
>> metadata:
>>   name: nifi-service
>>   namespace: nifi
>> spec:
>>   clusterIP: None
>>   selector:
>> app: nifi
>>   ports:
>> - protocol: TCP
>>   port: 8080
>>   type: ClusterIP
>> ---
>> apiVersion: networking.k8s.io/v1beta1
>> kind: Ingress
>> metadata:
>>   name: nifi-ingress
>>   namespace: nifi
>> spec:
>>   rules:
>>   - host: nifi.dev.example.com
>> http:
>>   paths:
>>   - backend:
>>   serviceName: nifi-service
>>   servicePort: 8080
>>   tls:
>>   - hosts:
>> - nifi.dev.example.com
>> secretName: nifi-ssl-cert
>> ---
>> apiVersion: apps/v1
>> kind: StatefulSet
>> metadata:
>>   name: nifi-workload
>>   namespace: nifi
>> spec:
>>   replicas: 3
>>   podManagementPolicy: Parallel
>>   updateStrategy:
>> type: RollingUpdate
>>   serviceName: nifi-service
>>   selector:
>> matchLabels:
>>   app: nifi
>>   template:
>> metadata:
>>   l

Re: Running Nifi on OpenShift

2020-02-13 Thread Jon Logan
That's an OpenShift security feature so that your user IDs are more unique,
and have less access between containers. I would suggest trying to alter
your range of user IDs on your cluster if you don't want to modify the
image.

On Thu, Feb 13, 2020 at 11:09 AM Fill, Natalia 
wrote:

> Public
>
> Hi Shawn,
> First I tried modifying securityContext and the familiar error
> appeared. I remember trying to run as user 1000 a few days ago and had
> an error similar to the one below. OpenShift has restrictions on this value.
>
> Error creating: pods "nifi-4-" is forbidden: unable to validate
> against any security context constraint: [fsGroup: Invalid value:
> []int64{1000}: 1000 is not an allowed group
> spec.containers[0].securityContext.securityContext.runAsUser: Invalid
> value: 1000: must be in the ranges: [100047, 100047]]
>
> So if Nifi has to run as user 1000 and OpenShift only allows range
> [100047, 100047] then the issue is not resolvable in the current
> image.
> Let me know if you have other views on it.
>
> Thanks
>
> Natalia Fill
> Analyst Software Developer
>
> -Original Message-
> From: Fill, Natalia [mailto:natalia.f...@lgim.com]
> Sent: 13 February 2020 14:32
> To: dev@nifi.apache.org; Endre Kovacs
> Cc: Ali, Rizwan
> Subject: RE: Running Nifi on OpenShift
>
> Public
>
> Hi Shawn,
>
> Thank you for your message. I will add your suggested configs and try it
> out today. It certainly has new content not present in my yml so hopefully
> it will resolve the issue.
>
> Thanks
>
> Natalia Fill
> Analyst Software Developer
>
> -Original Message-
> From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
> Sent: 13 February 2020 14:26
> To: dev@nifi.apache.org; Endre Kovacs
> Cc: Ali, Rizwan
> Subject: Re: Running Nifi on OpenShift
>
> Your attachment didn't make it through but here are a couple of things to
> note. First of all if you try and put the ./conf directory in a volume
> you'll have to run an init container to copy the initial contents to the
> volume. Kubernetes unlike Docker does not replicate from the container.
>
> Here is how I did that and I'm generally available on Slack if you want
> quicker answers.
>
>   initContainers:
> - name: init-nifi-conf
>   image: apache/nifi:latest
>   volumeMounts:
> - mountPath: "/opt/nifi/nifi-current/new-conf"
>   name: nifi-conf-claim
>   command:
> - sh
> - '-c'
> - '\cp /opt/nifi/nifi-current/conf/*
> /opt/nifi/nifi-current/new-conf/'
>
> The other thing you'll want to include is this to set the user and group
> id to 1000 which is what the apache image container expects since you're not
> running as root.
>
>   securityContext:
> runAsUser: 1000
> runAsGroup: 1000
> fsGroup: 1000
>
> Here is my complete yaml.
>
> apiVersion: v1
> kind: Service
> metadata:
>   name: nifi-service
>   namespace: nifi
> spec:
>   clusterIP: None
>   selector:
> app: nifi
>   ports:
> - protocol: TCP
>   port: 8080
>   type: ClusterIP
> ---
> apiVersion: networking.k8s.io/v1beta1
> kind: Ingress
> metadata:
>   name: nifi-ingress
>   namespace: nifi
> spec:
>   rules:
>   - host: nifi.dev.example.com
> http:
>   paths:
>   - backend:
>   serviceName: nifi-service
>   servicePort: 8080
>   tls:
>   - hosts:
> - nifi.dev.example.com
> secretName: nifi-ssl-cert
> ---
> apiVersion: apps/v1
> kind: StatefulSet
> metadata:
>   name: nifi-workload
>   namespace: nifi
> spec:
>   replicas: 3
>   podManagementPolicy: Parallel
>   updateStrategy:
> type: RollingUpdate
>   serviceName: nifi-service
>   selector:
> matchLabels:
>   app: nifi
>   template:
> metadata:
>   labels:
> app: nifi
> spec:
>   nodeSelector:
> node-role.nifi: "true"
>   securityContext:
> runAsUser: 1000
> runAsGroup: 1000
> fsGroup: 1000
>   initContainers:
> - name: init-nifi-conf
>   image: apache/nifi:latest
>   volumeMounts:
> - mountPath: "/opt/nifi/nifi-current/new-conf"
>   name: nifi-conf-claim
>   command:
> - sh
> - '-c'
> - '\cp /opt/nifi/nifi-current/conf/*
> /opt/nifi/nifi-current/new-conf/'
>   containers:
> - image: apache/nifi:latest
>   imagePullPolicy: Always
>   name: nifi
>   ports:
>   

RE: Running Nifi on OpenShift

2020-02-13 Thread Fill, Natalia
Public

Hi Shawn,
First I tried modifying securityContext and the familiar error 
appeared. I remember trying to run as user 1000 a few days ago and had an error 
similar to the one below. OpenShift has restrictions on this value.

Error creating: pods "nifi-4-" is forbidden: unable to validate against 
any security context constraint: [fsGroup: Invalid value: []int64{1000}: 1000 
is not an allowed group 
spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 
1000: must be in the ranges: [100047, 100047]]

So if Nifi has to run as user 1000 and OpenShift only allows range [100047, 
100047] then the issue is not resolvable in the current image. 
Let me know if you have other views on it.

Thanks

Natalia Fill
Analyst Software Developer

-Original Message-
From: Fill, Natalia [mailto:natalia.f...@lgim.com]
Sent: 13 February 2020 14:32
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,

Thank you for your message. I will add your suggested configs and try it out 
today. It certainly has new content not present in my yml so hopefully it will 
resolve the issue.

Thanks

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 13 February 2020 14:26
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

Your attachment didn't make it through but here are a couple of things to note. 
First of all if you try and put the ./conf directory in a volume you'll have to 
run an init container to copy the initial contents to the volume. Kubernetes 
unlike Docker does not replicate from the container.

Here is how I did that and I'm generally available on Slack if you want quicker 
answers.

  initContainers:
    - name: init-nifi-conf
      image: apache/nifi:latest
      volumeMounts:
        - mountPath: "/opt/nifi/nifi-current/new-conf"
          name: nifi-conf-claim
      command:
        - sh
        - '-c'
        - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'

The other thing you'll want to include is this to set the user and group id to 
1000 which is what the apache image container expects since you're not running as 
root.

  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000

Here is my complete yaml.

apiVersion: v1
kind: Service
metadata:
  name: nifi-service
  namespace: nifi
spec:
  clusterIP: None
  selector:
    app: nifi
  ports:
    - protocol: TCP
      port: 8080
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nifi-ingress
  namespace: nifi
spec:
  rules:
  - host: nifi.dev.example.com
    http:
      paths:
      - backend:
          serviceName: nifi-service
          servicePort: 8080
  tls:
  - hosts:
    - nifi.dev.example.com
    secretName: nifi-ssl-cert
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nifi-workload
  namespace: nifi
spec:
  replicas: 3
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  serviceName: nifi-service
  selector:
    matchLabels:
      app: nifi
  template:
    metadata:
      labels:
        app: nifi
    spec:
      nodeSelector:
        node-role.nifi: "true"
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      initContainers:
        - name: init-nifi-conf
          image: apache/nifi:latest
          volumeMounts:
            - mountPath: "/opt/nifi/nifi-current/new-conf"
              name: nifi-conf-claim
          command:
            - sh
            - '-c'
            - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'
      containers:
        - image: apache/nifi:latest
          imagePullPolicy: Always
          name: nifi
          ports:
            - containerPort: 8080
            - containerPort: 1
          volumeMounts:
            - mountPath: "/opt/nifi/nifi-current/conf"
              name: nifi-conf-claim
            - mountPath: "/opt/nifi/nifi-current/database_repository"
              name: nifi-db-claim
            - mountPath: "/opt/nifi/nifi-current/flowfile_repository"
              name: nifi-flow-claim
            - mountPath: "/opt/nifi/nifi-current/content_repository"
              name: nifi-content-claim
            - mountPath: "/opt/nifi/nifi-current/provenance_repository"
              name: nifi-prov-claim
            - mountPath: "/opt/nifi/nifi-current/state"
              name: nifi-state-claim
            - mountPath: "/opt/nifi/nifi-current/logs"
              name: nifi-logs-claim
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
 

Re: Running Nifi on OpenShift

2020-02-13 Thread Shawn Weeks
Jadhav, see my other email. Kubernetes doesn't handle this the same way that 
Docker does and there are some Docker-isms that explicitly don't work on 
Kubernetes.

Here is the documentation on Security Contexts which allows you to set what UID 
and GID a container runs under.

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Here is the information about why Kubernetes doesn't copy volumes from the 
container on init.

https://stackoverflow.com/questions/49991978/kubernetes-not-copying-data-into-mounted-volume

https://github.com/kubernetes/kubernetes/issues/8426

Thanks
Shawn

On 2/13/20, 8:36 AM, "Vishal Jadhav (BLOOMBERG/ 731 LEX)" 
 wrote:

Hi Natalia,

We use the nifi inside a docker container, and some guidelines from it 
would help you - 

(1) We have a role account user 'nifi' on the host and the exact same user 
is created inside the 'docker image', you need to use the same uuid/group id as 
it exists on the host. Also, please make sure that this 'nifi' user owns the 
directories on the external volumes.

(2) We mount the following directories from outside to persist the state.
- conf
- content_repository
- flowfile_repository
- provenance_repository


From: dev@nifi.apache.org At: 02/13/20 04:50:19To:  dev@nifi.apache.org,  
andrewsmit...@protonmail.com
Cc:  rizwan@lgim.com
    Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,

We have internal Jenkins deployment process, which eventually comes down to 
running yml configs on OpenShift.
I attached two yml files. One version with storage mounted and one without.
The one with storage mounted expects nifi properties file, which I think should 
come from image. So there is something wrong about this set up. I would expect 
it to use default properties and don't which ones to give it. See my point 4 in 
original email below.
The one without persistent storage mounted comes up with permission error: 
/opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied. See original email 
for full story about this.
I had few goes on trying to resolve it as per my original story below.
I have read somewhere that the issue could be due to the fact that Nifi image 
tries to run as root but OpenShift doesn't allow it by default. Not sure if 
this is still true for the latest 1.11.1 version of docker image. 
If you can suggest what is wrong with these yml files or may be some settings 
need to change on OpenShift admin side it hopefully will help to resolve the 
issue.

Thank you

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 12 February 2020 21:16
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
    Subject: Re: Running Nifi on OpenShift

I recognize that running NiFi on Kubernetes isn't quite as easy as starting it 
in Docker but it's also not that hard if you've worked with Kubernetes a bit. 
More than likely the issue is in your Kubernetes Yaml that you used to deploy 
NiFi with. This is separate than nifi.properties and would have been the config 
file you used in the command "kubectl apply -f nifi.yaml" or are you trying to 
deploy with Helm?

Thanks
Shawn

On 2/12/20, 2:26 PM, "Fill, Natalia"  wrote:

Public

Hi Endre,

I certainly agree with the bare metal option. The reason I have a specific 
request for OpenShift is the requirement to adhere to organisational 
architectural road map.
I cannot agree more that it is not a single person task. I was working on 
it for few days with OpenShift administrator (on CC list) helping me out.
Your links certainly give an impression that this task is not for faint 
hearted.

Best regards,

Natalia

-Original Message-
From: Endre Kovacs [mailto:andrewsmit...@protonmail.com.INVALID]
Sent: 12 February 2020 19:43
To: dev@nifi.apache.org
    Subject: Re: Running Nifi on OpenShift

Hi,

If to make NiFi work on K8S is a beast, then to make it work on Openshift, 
is a category-5 Kaiju [1][2].

This is definitely not a few days task for a single person.

Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre


[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia 
 wrote:

> Public
 

RE: Running Nifi on OpenShift

2020-02-13 Thread Vishal Jadhav (BLOOMBERG/ 731 LEX)
Hi Natalia,

We use the nifi inside a docker container, and some guidelines from it would 
help you - 

(1) We have a role account user 'nifi' on the host and the exact same user is 
created inside the 'docker image', you need to use the same uuid/group id as it 
exists on the host. Also, please make sure that this 'nifi' user owns the 
directories on the external volumes.

(2) We mount the following directories from outside to persist the state.
- conf
- content_repository
- flowfile_repository
- provenance_repository


From: dev@nifi.apache.org At: 02/13/20 04:50:19To:  dev@nifi.apache.org,  
andrewsmit...@protonmail.com
Cc:  rizwan@lgim.com
Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,

We have internal Jenkins deployment process, which eventually comes down to 
running yml configs on OpenShift.
I attached two yml files. One version with storage mounted and one without.
The one with storage mounted expects nifi properties file, which I think should 
come from image. So there is something wrong about this set up. I would expect 
it to use default properties and don't which ones to give it. See my point 4 in 
original email below.
The one without persistent storage mounted comes up with permission error: 
/opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied. See original email 
for full story about this.
I had few goes on trying to resolve it as per my original story below.
I have read somewhere that the issue could be due to the fact that Nifi image 
tries to run as root but OpenShift doesn't allow it by default. Not sure if 
this is still true for the latest 1.11.1 version of docker image. 
If you can suggest what is wrong with these yml files or may be some settings 
need to change on OpenShift admin side it hopefully will help to resolve the 
issue.

Thank you

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 12 February 2020 21:16
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

I recognize that running NiFi on Kubernetes isn't quite as easy as starting it 
in Docker but it's also not that hard if you've worked with Kubernetes a bit. 
More than likely the issue is in your Kubernetes Yaml that you used to deploy 
NiFi with. This is separate than nifi.properties and would have been the config 
file you used in the command "kubectl apply -f nifi.yaml" or are you trying to 
deploy with Helm?

Thanks
Shawn

On 2/12/20, 2:26 PM, "Fill, Natalia"  wrote:

Public

Hi Endre,

I certainly agree with the bare metal option. The reason I have a specific 
request for OpenShift is the requirement to adhere to organisational 
architectural road map.
I cannot agree more that it is not a single person task. I was working on 
it for few days with OpenShift administrator (on CC list) helping me out.
Your links certainly give an impression that this task is not for faint 
hearted.

Best regards,

Natalia

-Original Message-
From: Endre Kovacs [mailto:andrewsmit...@protonmail.com.INVALID]
Sent: 12 February 2020 19:43
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

Hi,

If to make NiFi work on K8S is a beast, then to make it work on Openshift, 
is a category-5 Kaiju [1][2].

This is definitely not a few days task for a single person.

Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre


[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia 
 wrote:

> Public
>
> Hi,
> I am trying to run Nifi pod on OpenShift for several days now and 
unfortunately unsuccessfully.
>
> The error that I am getting persistently is replacing target file 
> /opt/nifi/nifi-current/conf/nifi.properties
> sed: couldn't open temporary file 
> /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied
>
> I have tried several things to resolve the issue:
> My images are downloaded from https://hub.docker.com/r/apache/nifi
>
> 1.First I run 1.10.0 image which resulted in error above
>
>
>
> 2. Upgraded to 1.11.1 image, the error still persists
>
> 3. Tried wrapping the above images in my own image with following 
> modifications to docker file (used various paths to chmod opt/ 
> opt/nifi), still the same error
>
> FROM xxxRegistry/apache-nifi:1.11.1
> USER root
> RUN chmod -R 777 /opt
> USER 1000
>
> 4. Mounted volume opt/nifi, but this resulted in nifi properties file 
> not being found, so removed vo

RE: Running Nifi on OpenShift

2020-02-13 Thread Fill, Natalia
Public

Hi Shawn,

Thank you for your message. I will add your suggested configs and try it out 
today. It certainly has new content not present in my yml so hopefully it will 
resolve the issue.

Thanks

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 13 February 2020 14:26
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

Your attachment didn't make it through but here are a couple of things to note. 
First of all if you try and put the ./conf directory in a volume you'll have to 
run a init container to copy the initial contents to the volume. Kubernetes 
unlike Docker does not replicate from the container.

Here is how I did that and I'm generally available on Slack if you want quicker 
answers.

  initContainers:
  - name: init-nifi-conf
    image: apache/nifi:latest
    volumeMounts:
    - mountPath: "/opt/nifi/nifi-current/new-conf"
      name: nifi-conf-claim
    command:
    - sh
    - '-c'
    - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'

The other thing you'll want to include is this to set the user and group id to 
1000 which is what the apache image container expects since you're not running as 
root.

  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000

Here is my complete yaml.

apiVersion: v1
kind: Service
metadata:
  name: nifi-service
  namespace: nifi
spec:
  clusterIP: None
  selector:
    app: nifi
  ports:
  - protocol: TCP
    port: 8080
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nifi-ingress
  namespace: nifi
spec:
  rules:
  - host: nifi.dev.example.com
    http:
      paths:
      - backend:
          serviceName: nifi-service
          servicePort: 8080
  tls:
  - hosts:
    - nifi.dev.example.com
    secretName: nifi-ssl-cert
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nifi-workload
  namespace: nifi
spec:
  replicas: 3
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  serviceName: nifi-service
  selector:
    matchLabels:
      app: nifi
  template:
    metadata:
      labels:
        app: nifi
    spec:
      nodeSelector:
        node-role.nifi: "true"
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      initContainers:
      - name: init-nifi-conf
        image: apache/nifi:latest
        volumeMounts:
        - mountPath: "/opt/nifi/nifi-current/new-conf"
          name: nifi-conf-claim
        command:
        - sh
        - '-c'
        - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'
      containers:
      - image: apache/nifi:latest
        imagePullPolicy: Always
        name: nifi
        ports:
        - containerPort: 8080
        - containerPort: 1
        volumeMounts:
        - mountPath: "/opt/nifi/nifi-current/conf"
          name: nifi-conf-claim
        - mountPath: "/opt/nifi/nifi-current/database_repository"
          name: nifi-db-claim
        - mountPath: "/opt/nifi/nifi-current/flowfile_repository"
          name: nifi-flow-claim
        - mountPath: "/opt/nifi/nifi-current/content_repository"
          name: nifi-content-claim
        - mountPath: "/opt/nifi/nifi-current/provenance_repository"
          name: nifi-prov-claim
        - mountPath: "/opt/nifi/nifi-current/state"
          name: nifi-state-claim
        - mountPath: "/opt/nifi/nifi-current/logs"
          name: nifi-logs-claim
        env:
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: NIFI_CLUSTER_IS_NODE
          value: "true"
        - name: NIFI_ZK_CONNECT_STRING
          value: "zookeeper-0.zookeeper-headless.nifi:2181,zookeeper-1.zookeeper-headless.nifi:2181,zookeeper-2.zookeeper-headless.nifi:2181"
        - name: NIFI_CLUSTER_NODE_PROTOCOL_PORT
          value: "11443"
        - name: "NIFI_ELECTION_MAX_CANDIDATES"
          value: "3"
        - name: "NIFI_JVM_HEAP_INIT"
          value: "64g"
        - name: "NIFI_JVM_HEAP_MAX"
          value: "64g"
        - name: "NIFI_WEB_HTTP_HOST"
          value: "$(MY_POD_NAME).nifi-service"
        - name: NIFI_CLUSTER_ADDRESS
          value: "$(MY_POD_NAME).nifi-service"
        - name: NIFI_REMOTE_INPUT_HOST
          value: "$(MY_POD_NAME).nifi-service"
  volumeClaimTemplates:
  - met
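
The two points in the message above (seed the conf volume from an init container that mounts it at a different path, and set the pod securityContext to 1000) written as a check that can run before a deployment. This is an added example, not code from the thread or the NiFi project; the function names and both sample pod specs are constructed for illustration, the first mirroring the posted StatefulSet and the second a made-up misconfiguration.

```python
"""Lint a pod spec for the two conditions discussed in this thread (added example)."""

CONF_DIR = "/opt/nifi/nifi-current/conf"  # the image's conf directory, as named in the thread
EXPECTED_ID = 1000  # UID/GID the thread says the apache/nifi image expects


def norm(path):
    return path.rstrip("/")


def mounts(container):
    """Map volume name -> normalised mount path for one container."""
    return {m["name"]: norm(m["mountPath"]) for m in container.get("volumeMounts", [])}


def copy_target(container):
    """Destination directory if the command copies CONF_DIR/* somewhere, else None."""
    tokens = " ".join(container.get("command", [])).replace("\\cp", "cp").split()
    for i, tok in enumerate(tokens):
        if tok == "cp":
            args = [t for t in tokens[i + 1:] if not t.startswith("-")]
            if len(args) >= 2 and args[0].startswith(CONF_DIR + "/"):
                return norm(args[-1])
    return None


def audit_pod_spec(spec):
    """Return a list of findings; an empty list means both conditions hold."""
    findings = []
    sc = spec.get("securityContext", {})
    for key in ("runAsUser", "fsGroup"):
        if sc.get(key) != EXPECTED_ID:
            findings.append(f"securityContext.{key} is {sc.get(key)!r}, expected {EXPECTED_ID}")

    # Volumes the main containers mount on top of the image's conf directory.
    conf_volumes = set()
    for c in spec.get("containers", []):
        for name, path in mounts(c).items():
            if path == CONF_DIR:
                conf_volumes.add(name)

    for vol in sorted(conf_volumes):
        seeded = False
        for init in spec.get("initContainers", []):
            path = mounts(init).get(vol)
            if path is None:
                continue
            if path == CONF_DIR:
                # The empty volume shadows the image's files, so there is nothing to copy.
                findings.append(f"init container {init['name']!r} mounts {vol!r} over "
                                f"{CONF_DIR}, hiding the image files it should copy")
            elif copy_target(init) == path:
                seeded = True
        if not seeded:
            findings.append(f"volume {vol!r} is mounted at {CONF_DIR} "
                            "but no init container seeds it")
    return findings


# Constructed sample: same shape as the pod template in the posted StatefulSet.
SEEDED_SPEC = {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000},
    "initContainers": [{
        "name": "init-nifi-conf",
        "volumeMounts": [{"mountPath": "/opt/nifi/nifi-current/new-conf",
                          "name": "nifi-conf-claim"}],
        "command": ["sh", "-c",
                    "\\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/"],
    }],
    "containers": [{
        "name": "nifi",
        "volumeMounts": [{"mountPath": CONF_DIR, "name": "nifi-conf-claim"}],
    }],
}

# Constructed misconfiguration: the init container mounts the volume over the
# source directory and the pod sets neither runAsUser nor fsGroup.
UNSEEDED_SPEC = {
    "securityContext": {"supplementalGroups": [1000580000]},  # made-up group id
    "initContainers": [{
        "name": "initconf",
        "volumeMounts": [{"mountPath": CONF_DIR + "/", "name": "conf-vol"}],
        "command": ["sh", "-c", f"\\cp {CONF_DIR}/* {CONF_DIR}/"],
    }],
    "containers": [{
        "name": "nifi",
        "volumeMounts": [{"mountPath": CONF_DIR, "name": "conf-vol"}],
    }],
}

if __name__ == "__main__":
    for label, spec in (("seeded", SEEDED_SPEC), ("unseeded", UNSEEDED_SPEC)):
        print(label, audit_pod_spec(spec) or "ok")
```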

Re: Running Nifi on OpenShift

2020-02-13 Thread Shawn Weeks
es:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-content-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-prov-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-state-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-logs-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi

On 2/13/20, 3:50 AM, "Fill, Natalia"  wrote:

Public

Hi Shawn,

We have internal Jenkins deployment process, which eventually comes down to 
running yml configs on OpenShift.
I attached two yml files. One version with storage mounted and one without.
The one with storage mounted expects nifi properties file, which I think 
should come from image. So there is something wrong about this set up. I would 
expect it to use default properties and don't know which ones to give it. See my 
point 4 in original email below.
The one without persistent storage mounted comes up with permission error: 
/opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied. See original email 
for full story about this.
I had few goes on trying to resolve it as per my original story below.
I have read somewhere that the issue could be due to the fact that Nifi 
image tries to run as root but OpenShift doesn't allow it by default. Not sure 
if this is still true for the latest 1.11.1 version of docker image. 
If you can suggest what is wrong with these yml files or may be some 
settings need to change on OpenShift admin side it hopefully will help to 
resolve the issue.

Thank you

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 12 February 2020 21:16
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

I recognize that running NiFi on Kubernetes isn't quite as easy as starting 
it in Docker but it's also not that hard if you've worked with Kubernetes a 
bit. More than likely the issue is in your Kubernetes Yaml that you used to 
deploy NiFi with. This is separate than nifi.properties and would have been the 
config file you used in the command "kubectl apply -f nifi.yaml" or are you 
trying to deploy with Helm?

Thanks
Shawn

On 2/12/20, 2:26 PM, "Fill, Natalia"  wrote:

Public

Hi Endre,

I certainly agree with the bare metal option. The reason I have a 
specific request for OpenShift is the requirement to adhere to organisational 
architectural road map.
I cannot agree more that it is not a single person task. I was working 
on it for few days with OpenShift administrator (on CC list) helping me out.
Your links certainly give an impression that this task is not for faint 
hearted.

Best regards,

Natalia

-Original Message-
From: Endre Kovacs [mailto:andrewsmit...@protonmail.com.INVALID]
Sent: 12 February 2020 19:43
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

Hi,

If to make NiFi work on K8S is a beast, then to make it work on 
Openshift, is a category-5 Kaiju [1][2].

This is definitely not a few days task for a single person.

Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre


[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia 
 wrote:

> Public
>
> Hi,
> I am trying to run Nifi pod on OpenShift for several days now and 
unfortunately unsuccessfully.
>
> The error that I am getting persistently is replacing target file 
> /opt/nifi/nifi-current/conf/nifi.properties
> sed: couldn't open temporary file 
> /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied
>
> I have tried several things to resolve the issue:
> My images are downloaded from https://hub.docker.com/r/apache/nifi
>
> 1.First I run 1.10.0 image which resulted in error above
>
>
>
> 2. Upgraded to 1.11.1 image, the error still persists
>

RE: Running Nifi on OpenShift

2020-02-13 Thread Fill, Natalia
Public

Hi Shawn,

We have internal Jenkins deployment process, which eventually comes down to 
running yml configs on OpenShift.
I attached two yml files. One version with storage mounted and one without.
The one with storage mounted expects nifi properties file, which I think should 
come from image. So there is something wrong about this set up. I would expect 
it to use default properties and don't know which ones to give it. See my point 4 in 
original email below.
The one without persistent storage mounted comes up with permission error: 
/opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied. See original email 
for full story about this.
I had few goes on trying to resolve it as per my original story below.
I have read somewhere that the issue could be due to the fact that Nifi image 
tries to run as root but OpenShift doesn't allow it by default. Not sure if 
this is still true for the latest 1.11.1 version of docker image. 
If you can suggest what is wrong with these yml files or may be some settings 
need to change on OpenShift admin side it hopefully will help to resolve the 
issue.

Thank you

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 12 February 2020 21:16
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

I recognize that running NiFi on Kubernetes isn't quite as easy as starting it 
in Docker but it's also not that hard if you've worked with Kubernetes a bit. 
More than likely the issue is in your Kubernetes Yaml that you used to deploy 
NiFi with. This is separate than nifi.properties and would have been the config 
file you used in the command "kubectl apply -f nifi.yaml" or are you trying to 
deploy with Helm?

Thanks
Shawn

On 2/12/20, 2:26 PM, "Fill, Natalia"  wrote:

Public

Hi Endre,

I certainly agree with the bare metal option. The reason I have a specific 
request for OpenShift is the requirement to adhere to organisational 
architectural road map.
I cannot agree more that it is not a single person task. I was working on 
it for few days with OpenShift administrator (on CC list) helping me out.
Your links certainly give an impression that this task is not for faint 
hearted.

Best regards,

Natalia

-Original Message-
From: Endre Kovacs [mailto:andrewsmit...@protonmail.com.INVALID]
Sent: 12 February 2020 19:43
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

Hi,

If to make NiFi work on K8S is a beast, then to make it work on Openshift, 
is a category-5 Kaiju [1][2].

This is definitely not a few days task for a single person.

Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre


[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia 
 wrote:

> Public
>
> Hi,
> I am trying to run Nifi pod on OpenShift for several days now and 
unfortunately unsuccessfully.
>
> The error that I am getting persistently is replacing target file 
> /opt/nifi/nifi-current/conf/nifi.properties
> sed: couldn't open temporary file 
> /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied
>
> I have tried several things to resolve the issue:
> My images are downloaded from https://hub.docker.com/r/apache/nifi
>
> 1.First I run 1.10.0 image which resulted in error above
>
>
>
> 2. Upgraded to 1.11.1 image, the error still persists
>
> 3. Tried wrapping the above images in my own image with following 
> modifications to docker file (used various paths to chmod opt/ 
> opt/nifi), still the same error
>
> FROM xxxRegistry/apache-nifi:1.11.1
> USER root
> RUN chmod -R 777 /opt
> USER 1000
>
> 4. Mounted volume opt/nifi, but this resulted in nifi properties file 
> not being found, so removed volume as it overwrites Nifi paths
>
> 5. Involved OpenShift administrators to create privileged account for 
> nifi and altered my yml to use that account (SUPPLEMENTAL_GROUP is 
> what all our pods run under and sn_nif was created specially to 
> resolve this case)
>
> securityContext:
> supplementalGroups:
>
> -   ${SUPPLEMENTAL_GROUP}
> serviceAccount: sn-nif
> serviceAccountName: sn-nif
>
>
> 6.Removed securityContext to ensure serviceAccount is used
>
>
>
> Can someone please suggest how to resolve this issue. Otherwise I will 
have to g

Re: Running Nifi on OpenShift

2020-02-12 Thread Shawn Weeks
I recognize that running NiFi on Kubernetes isn't quite as easy as starting it 
in Docker but it's also not that hard if you've worked with Kubernetes a bit. 
More than likely the issue is in your Kubernetes Yaml that you used to deploy 
NiFi with. This is separate than nifi.properties and would have been the config 
file you used in the command "kubectl apply -f nifi.yaml" or are you trying to 
deploy with Helm?

Thanks
Shawn

On 2/12/20, 2:26 PM, "Fill, Natalia"  wrote:

Public

Hi Endre,

I certainly agree with the bare metal option. The reason I have a specific 
request for OpenShift is the requirement to adhere to organisational 
architectural road map.
I cannot agree more that it is not a single person task. I was working on 
it for few days with OpenShift administrator (on CC list) helping me out.
Your links certainly give an impression that this task is not for faint 
hearted.

Best regards,

Natalia

-Original Message-
From: Endre Kovacs [mailto:andrewsmit...@protonmail.com.INVALID]
Sent: 12 February 2020 19:43
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

Hi,

If to make NiFi work on K8S is a beast, then to make it work on Openshift, 
is a category-5 Kaiju [1][2].

This is definitely not a few days task for a single person.

Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre


[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia 
 wrote:

> Public
>
> Hi,
> I am trying to run Nifi pod on OpenShift for several days now and 
unfortunately unsuccessfully.
>
> The error that I am getting persistently is replacing target file 
> /opt/nifi/nifi-current/conf/nifi.properties
> sed: couldn't open temporary file 
> /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied
>
> I have tried several things to resolve the issue:
> My images are downloaded from https://hub.docker.com/r/apache/nifi
>
> 1.First I run 1.10.0 image which resulted in error above
>
>
>
> 2. Upgraded to 1.11.1 image, the error still persists
>
> 3. Tried wrapping the above images in my own image with following 
> modifications to docker file (used various paths to chmod opt/ 
> opt/nifi), still the same error
>
> FROM xxxRegistry/apache-nifi:1.11.1
> USER root
> RUN chmod -R 777 /opt
> USER 1000
>
> 4. Mounted volume opt/nifi, but this resulted in nifi properties file 
> not being found, so removed volume as it overwrites Nifi paths
>
> 5. Involved OpenShift administrators to create privileged account for 
> nifi and altered my yml to use that account (SUPPLEMENTAL_GROUP is 
> what all our pods run under and sn_nif was created specially to 
> resolve this case)
>
> securityContext:
> supplementalGroups:
>
> -   ${SUPPLEMENTAL_GROUP}
> serviceAccount: sn-nif
> serviceAccountName: sn-nif
>
>
> 6.Removed securityContext to ensure serviceAccount is used
>
>
>
> Can someone please suggest how to resolve this issue. Otherwise I will 
have to give up on Nifi as I don't have any more time on this project to spend 
on Nifi config.
>
> Thank you
>
> Natalia
>
> Natalia Fill
> Analyst Software Developer
> Legal and General Investment Management One Coleman Street, London, 
> EC2R 5AA
> 020 3124 3430
> www.lgim.com
> This e-mail (and any attachments) may contain privileged and/or 
confidential information. If you are not the intended recipient please do not 
disclose, copy, distribute, disseminate or take any action in reliance on it. 
If you have received this message in error please reply and tell us and then 
delete it. Should you wish to communicate with us by e-mail we cannot guarantee 
the security of any data outside our own computer systems.
>
> Any information contained in this message may be subject to applicable 
terms and conditions and must not be construed as giving investment advice 
within or outside the United Kingdom or Republic of Ireland.
>
> Telephone Conversations may be recorded for your protection and to 
> ensure quality of service
>
> Legal & General Investment Management Limited (no 2091894), LGIM Real 
> Assets (Operator) Limited (no 05522016), LGIM (International) Limited 
> (no 7716001) Legal & General 

RE: Running Nifi on OpenShift

2020-02-12 Thread Fill, Natalia
Public

Hi Endre,

I certainly agree with the bare metal option. The reason I have a specific 
request for OpenShift is the requirement to adhere to organisational 
architectural road map.
I cannot agree more that it is not a single person task. I was working on it 
for few days with OpenShift administrator (on CC list) helping me out.
Your links certainly give an impression that this task is not for faint hearted.

Best regards,

Natalia

-Original Message-
From: Endre Kovacs [mailto:andrewsmit...@protonmail.com.INVALID]
Sent: 12 February 2020 19:43
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

Hi,

If to make NiFi work on K8S is a beast, then to make it work on Openshift, is a 
category-5 Kaiju [1][2].

This is definitely not a few days task for a single person.

Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre


[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia  
wrote:

> Public
>
> Hi,
> I am trying to run Nifi pod on OpenShift for several days now and 
> unfortunately unsuccessfully.
>
> The error that I am getting persistently is replacing target file 
> /opt/nifi/nifi-current/conf/nifi.properties
> sed: couldn't open temporary file 
> /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied
>
> I have tried several things to resolve the issue:
> My images are downloaded from https://hub.docker.com/r/apache/nifi
>
> 1.First I run 1.10.0 image which resulted in error above
>
>
>
> 2. Upgraded to 1.11.1 image, the error still persists
>
> 3. Tried wrapping the above images in my own image with following 
> modifications to docker file (used various paths to chmod opt/ 
> opt/nifi), still the same error
>
> FROM xxxRegistry/apache-nifi:1.11.1
> USER root
> RUN chmod -R 777 /opt
> USER 1000
>
> 4. Mounted volume opt/nifi, but this resulted in nifi properties file 
> not being found, so removed volume as it overwrites Nifi paths
>
> 5. Involved OpenShift administrators to create privileged account for 
> nifi and altered my yml to use that account (SUPPLEMENTAL_GROUP is 
> what all our pods run under and sn_nif was created specially to 
> resolve this case)
>
> securityContext:
> supplementalGroups:
>
> -   ${SUPPLEMENTAL_GROUP}
> serviceAccount: sn-nif
> serviceAccountName: sn-nif
>
>
> 6.Removed securityContext to ensure serviceAccount is used
>
>
>
> Can someone please suggest how to resolve this issue. Otherwise I will have 
> to give up on Nifi as I don't have any more time on this project to spend on 
> Nifi config.
>
> Thank you
>
> Natalia
>
> Natalia Fill
> Analyst Software Developer

RE: Running Nifi on OpenShift

2020-02-12 Thread Fill, Natalia
Public

Hi Shawn,

Thank you for your reply. Yes, I did have persistent volume, as per attached 
scripts. 
I removed all volume configs now because it caused another error: 
/opt/nifi/nifi-current/conf/nifi.properties: No such file or directory I didn't 
think I need to supply nifi.properties file because I thought it should come 
from image by default. If I were to supply these properties, I wouldn't know 
what configs it needs there anyway.

We have spent few days trying to resolve this now so any help would be greatly 
appreciated.

I also copied Rizwan to this discussion as he was helping me out from linux 
admin perspective.

Thanks

Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 12 February 2020 19:32
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

That error is caused by incorrect permissions on the volume but I'm not sure 
why. Can you share your Kubernetes Yaml file, it will make it easier to track 
down the difference? Also what are you using for a persistence volume?

Thanks
Shawn

On 2/12/20, 1:14 PM, "Fill, Natalia"  wrote:

Public

Hi,
I am trying to run Nifi pod on OpenShift for several days now and 
unfortunately unsuccessfully.

The error that I am getting persistently is
replacing target file /opt/nifi/nifi-current/conf/nifi.properties
sed: couldn't open temporary file /opt/nifi/nifi-current/conf/sedXGg2lo: 
Permission denied

I have tried several things to resolve the issue:
My images are downloaded from https://hub.docker.com/r/apache/nifi

1.   First I run 1.10.0 image which resulted in error above

2.   Upgraded to 1.11.1 image, the error still persists

3.   Tried wrapping the above images in my own image with following 
modifications to docker file (used various paths to chmod opt/ opt/nifi), still 
the same error

FROM xxxRegistry/apache-nifi:1.11.1
USER root
RUN chmod -R 777 /opt
USER 1000

4.   Mounted volume opt/nifi, but this resulted in nifi properties file 
not being found, so removed volume as it overwrites Nifi paths

5.   Involved OpenShift administrators to create privileged account for 
nifi and altered my yml to use that account (SUPPLEMENTAL_GROUP is what all our 
pods run under and sn_nif was created specially to resolve this case)

securityContext:
  supplementalGroups:
  - ${SUPPLEMENTAL_GROUP}
serviceAccount: sn-nif
serviceAccountName: sn-nif

6.   Removed securityContext to ensure serviceAccount is used
Can someone please suggest how to resolve this issue. Otherwise I will have 
to give up on Nifi as I don't have any more time on this project to spend on 
Nifi config.

Thank you

Natalia


Natalia Fill
Analyst Software Developer

Re: Running Nifi on OpenShift

2020-02-12 Thread Endre Kovacs
Hi,

If to make NiFi work on K8S is a beast, then to make it work on Openshift, is a 
category-5 Kaiju [1][2].

This is definitely not a few days task for a single person.

Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre


[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia  
wrote:

> Public
>
> Hi,
> I am trying to run Nifi pod on OpenShift for several days now and 
> unfortunately unsuccessfully.
>
> The error that I am getting persistently is
> replacing target file /opt/nifi/nifi-current/conf/nifi.properties
> sed: couldn't open temporary file /opt/nifi/nifi-current/conf/sedXGg2lo: 
> Permission denied
>
> I have tried several things to resolve the issue:
> My images are downloaded from https://hub.docker.com/r/apache/nifi
>
> 1.First I run 1.10.0 image which resulted in error above
>
>
>
> 2. Upgraded to 1.11.1 image, the error still persists
>
> 3. Tried wrapping the above images in my own image with following 
> modifications to docker file (used various paths to chmod opt/ opt/nifi), 
> still the same error
>
> FROM xxxRegistry/apache-nifi:1.11.1
> USER root
> RUN chmod -R 777 /opt
> USER 1000
>
> 4. Mounted volume opt/nifi, but this resulted in nifi properties file not 
> being found, so removed volume as it overwrites Nifi paths
>
> 5. Involved OpenShift administrators to create privileged account for nifi 
> and altered my yml to use that account (SUPPLEMENTAL_GROUP is what all our 
> pods run under and sn_nif was created specially to resolve this case)
>
> securityContext:
> supplementalGroups:
>
> -   ${SUPPLEMENTAL_GROUP}
> serviceAccount: sn-nif
> serviceAccountName: sn-nif
>
>
> 6.Removed securityContext to ensure serviceAccount is used
>
>
>
> Can someone please suggest how to resolve this issue. Otherwise I will have 
> to give up on Nifi as I don't have any more time on this project to spend on 
> Nifi config.
>
> Thank you
>
> Natalia
>
> Natalia Fill
> Analyst Software Developer




Re: Running Nifi on OpenShift

2020-02-12 Thread Shawn Weeks
That error is caused by incorrect permissions on the volume, but I'm not sure
why. Can you share your Kubernetes YAML file? It will make it easier to track
down the difference. Also, what are you using for a persistent volume?

Thanks
Shawn

On 2/12/20, 1:14 PM, "Fill, Natalia" wrote:

Hi,
I have been trying to run a Nifi pod on OpenShift for several days now,
unfortunately without success.

The error that I am getting persistently is
replacing target file /opt/nifi/nifi-current/conf/nifi.properties
sed: couldn't open temporary file /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied

I have tried several things to resolve the issue:
My images are downloaded from https://hub.docker.com/r/apache/nifi

1. First I ran the 1.10.0 image, which resulted in the error above

2. Upgraded to the 1.11.1 image, the error still persists

3. Tried wrapping the above images in my own image with the following
modifications to the Dockerfile (used various paths to chmod opt/ opt/nifi),
still the same error

FROM xxxRegistry/apache-nifi:1.11.1
USER root
RUN chmod -R 777 /opt
USER 1000

4. Mounted volume opt/nifi, but this resulted in the nifi properties file
not being found, so removed the volume as it overwrites Nifi paths

5. Involved OpenShift administrators to create a privileged account for
nifi and altered my yml to use that account (SUPPLEMENTAL_GROUP is what all our
pods run under and sn_nif was created specially to resolve this case)

securityContext:
  supplementalGroups:
  - ${SUPPLEMENTAL_GROUP}
serviceAccount: sn-nif
serviceAccountName: sn-nif

6. Removed securityContext to ensure serviceAccount is used

Can someone please suggest how to resolve this issue? Otherwise I will have
to give up on Nifi as I don't have any more time on this project to spend on
Nifi config.

Thank you

Natalia


Natalia Fill
Analyst Software Developer
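
The permission diagnosis given in the reply above, as an added example that is not part of the original thread or of the NiFi image: a check of whether a process can create sed's temporary file in the directory that holds nifi.properties. The function names are hypothetical, and the UIDs, GIDs and modes in the sample calls are constructed.

```shell
# sed -i creates its temp file next to the target, so the process needs
# write+search (w+x) on the conf *directory*, not only on nifi.properties.
# Plain POSIX mode bits only: ACLs and SELinux labels are not modelled.

# perm_class OWNER_UID OWNER_GID PROC_UID [PROC_GID...]
# Prints which permission triplet applies: owner, group or other.
perm_class() {
    owner_uid=$1 owner_gid=$2 proc_uid=$3
    shift 3
    if [ "$proc_uid" -eq "$owner_uid" ]; then echo owner; return; fi
    for gid in "$@"; do
        if [ "$gid" -eq "$owner_gid" ]; then echo group; return; fi
    done
    echo other
}

# can_create_in MODE OWNER_UID OWNER_GID PROC_UID [PROC_GID...]
# Returns 0 if the process may create a file in a directory with MODE.
can_create_in() {
    mode=$1; shift
    [ "$3" -eq 0 ] && return 0        # uid 0 normally bypasses mode bits
    perms=$((0$mode))                 # octal string -> integer
    case $(perm_class "$@") in
        owner) bits=$(( (perms >> 6) & 7 )) ;;
        group) bits=$(( (perms >> 3) & 7 )) ;;
        *)     bits=$(( perms & 7 )) ;;
    esac
    [ $(( bits & 3 )) -eq 3 ]         # both w (2) and x (1) are required
}

# check_dir DIR: the same check for the current process (GNU stat assumed).
check_dir() {
    # shellcheck disable=SC2046
    can_create_in $(stat -c '%a %u %g' "$1") "$(id -u)" $(id -G)
}

# Constructed cases: a pod running as UID 1000650000 with groups 0 and 5555.
report() {
    if can_create_in "$@"; then echo "mode $1 owner $2:$3 -> sed -i can write"
    else echo "mode $1 owner $2:$3 -> Permission denied"; fi
}
report 755 1000 1000 1000650000 0 5555   # falls to "other" r-x: denied
report 775 1000 5555 1000650000 0 5555   # supplemental group has rwx: allowed
report 775 1000 0    1000650000 0 5555   # root-group writable: allowed
```

Running `check_dir /opt/nifi/nifi-current/conf` inside the container applies the same test to the real directory and the pod's actual UID and groups.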