Failed to run the workspace: mkdir /plugins/sidecars: permission denied #14330
Comments
che-bot
added
the
status/need-triage
|
@amisevsk could you please take a look at this one? What could potentially cause permission denied issues?
|
ibuziuk
added
status/analyzing
|
Yeah I'm kind of at a loss here, AFAIK a folder that is What is the backing storage for the volumes? What is the mount point in the plugin broker during workspace startup? (note the broker is a short-lived pod during workspace startup, it might be hard to catch its config) Can you start up a pod that mounts this volume and try modifying the |
|
Thanks @amisevsk, could you give me a pointer on how to start the broker pod manually? Do I just look for recently stopped containers and then try and run the one that looks like the broker with a custom entrypoint? |
|
@davidwindell Without modifying Che that will be hard -- it gets deleted once it's no longer needed by Che. The way I usually debug filesystem issues on k8s/OpenShift is to start up an entirely separate pod that mounts the relevant volume. E.g. you could use: apiVersion: v1
kind: Pod
metadata:
name: pvc-test
spec:
volumes:
- name: pvc-test
persistentVolumeClaim:
claimName: claim-che-workspace
containers:
- name: pvc-test
image: centos
volumeMounts:
- mountPath: "/workspaces"
name: pvc-test
command: ["tail"]
args: ["-f", "/dev/null"]# [in che workspaces namespace]
kubectl apply -f pvc-test.yaml
kubectl exec pvc-test -i -t -- /bin/bash
[check file perms]
kubectl delete po pvc-testIf there are no problems here, we can look into debugging more directly. |
|
@amisevsk thanks for the guidance, I launched the pod and everything looks fine with permissions as far as I can tell, I was able to create the sidecars directory as the root user
Would you like access to our cluster to debug this directly? Thanks! |
|
I was able to inspect the broker pod before it stopped and there is a different in the way the broker and test pod show their mounted volumes - could this be related? Test pod: Broker pod: |
|
So, I found this #12661 (comment) and updated my config map to: That's 0 (root?) instead of the default 1724, and it looks like the workspaces are starting to run now. I've never been so happy to see a welcome screen before :) Is setting these values a known issue with vanilla k8s (which Rancher effectively is)? |
|
The same error was faced when executing Happy path tests on PR check against K8S che-theia repo: |
|
@davidwindell I'm very sorry for leaving unattended for so long -- I got caught up in some other issues. To be honest, this is behaviour I've not encountered when using Kubernetes. I suspect the issue is caused by using hostPath volumes, as the docs warn
There's probably a way to get non-root Che to work with hostPath volumes, but that beyond my knowledge of Kubernetes at the moment. Alternatively, using a different storage class may resolve the problem -- I'm not enough of a Kubernetes admin to say for sure. The general reason we're seeing this issue is that running on OpenShift requires containers to not run as root, so Che is designed with this assumption in mind by default. I didn't think, until digging into this, that there was a default configuration of k8s that only works if containers run as root, since this practice is generally advised against. |
|
@davidwindell If you are still interested in poking at this one (I understand if you're not or don't have time) could you re-try the manual broker startup with updated pvc-test.yaml: apiVersion: v1
kind: Pod
metadata:
name: pvc-test
spec:
volumes:
- name: pvc-test
persistentVolumeClaim:
claimName: claim-che-workspace
containers:
- name: pvc-test
image: centos
volumeMounts:
- mountPath: "/workspaces"
name: pvc-test
command: ["tail"]
args: ["-f", "/dev/null"]
securityContext:
runAsUser: 1724
fsGroup: 1724This is more similar to what the broker actually runs as, so it might make the issue clearer (afaik user 1724 should be able to write |
|
Thanks @amisevsk, I'm going to try and use an EBS volume and will report back in a few days. |
|
Facing the similar issue and tried: CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER: "0" It still does not work for me. |
|
Can confirm, the problem is isolated to Switching to EBS finally solves this issue for me. Thank you @amisevsk for your help with this. |
|
Hello. Does somebody know how to fix the same problem for case of docker-desktop? Of cause, It is Windows. |
Describe the bug
I am trying to get Che 7.0.0 multiuser running on K8's, deployed via Rancher using the Helm charts in the repo. I've managed to get everything running now so far as the Che dashboard appears. I am however now stuck from going any further as, when starting a workspace I get the following error:
The first thing I did was to check the physical volume, it is just a local folder path on the node at the moment for testing purposes. Here is it's contents:
So it looks like Che has been able to create the workspace's folder in the volume without any permission errors. It has also created the plugins folder:
So...I'm at a loss as to why the
plugins/sidecarscan't be create. I've tried deleting all folders and starting again but end up with the same problem.I'd really appreciate any help or pointers on this, it's stopped us moving to the new Che for quite a while now and I'm at a loss.
Thanks!
The text was updated successfully, but these errors were encountered: