[OCP4] Che deployment fails due to permission denied in Postgres
Describe the bug
I installed a basic OCP 4 cluster on AWS. The default aws-ebs storage is used. I tried to install Che from the OperatorHub marketplace and the install failed because Postgres entered a CrashLoopBackOff state.
The Postgres container’s logs show the following error:
johns-mbp-3:.odo johncollier$ oc logs postgres-cc6b567f-fc9hj
mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied
Che version
- latest
- nightly
- other: please specify
Steps to reproduce
- Deploy OpenShift 4 on AWS
- Make sure aws-ebs is used for default storage (should be for new installs on AWS)
- Install the Che operator from OperatorHub
- Create a CheCluster custom resource to install Che
- The Che deployment will fail because Postgres will report the following error:
Expected behavior
Runtime
- kubernetes (include output of kubectl version)
- Openshift (include output of oc version)
- minikube (include output of minikube version and kubectl version)
- minishift (include output of minishift version and oc version)
- docker-desktop + K8S (include output of docker version and kubectl version)
- other: (please specify)
johns-mbp-3:.odo johncollier$ oc version
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth
Server https://<url>:6443
kubernetes v1.14.0+573d946
Screenshots
Installation method
- chectl
- che-operator 7.0.0
- minishift-addon
- I don’t know
Environment
- my computer
- Windows
- Linux
- macOS
- Cloud
- Amazon
- Azure
- GCE
- other (please specify)
- other: please specify
Additional context
Issue Analytics
- State:
- Created 4 years ago
- Comments:25 (25 by maintainers)
Top GitHub Comments
Comparing Che installed in the che namespace to Che installed in the default namespace reveals that the securityContext gets set to {} in default, and is properly set in the che namespace:

As I’m investigating this more, it seems like default does not respect any of the security context constraints by default that are present in openshift… If I make a new user and give them create access to pods and deployments, and they run a pod, it will run as root/the default UID present in that image’s Dockerfile. When I run the same pod in another namespace it runs in a security context. default seems to have annotations regarding security contexts, but does not respect them:

I’m starting to think this is just a documentation issue that we will need to point out as @l0rd and @davidfestal have suggested. I reached out on the aos-devel slack channel but haven’t had a reply yet.
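
A check for the mismatch described in the comments above, as an added example that is not part of the original issue thread: it flags containers in namespaces that carry a UID-range annotation but that have no in-range runAsUser or no admitting SCC recorded on the pod. The JSON below is constructed sample data shaped like `oc get namespaces -o json` and `oc get pods -A -o json` output, and the annotation keys `openshift.io/sa.scc.uid-range` and `openshift.io/scc` are the standard OpenShift ones rather than values quoted on this page.

```python
import json

# Constructed sample data (not taken from the cluster in the issue).
NAMESPACES = json.loads("""{"items": [
 {"metadata": {"name": "che",
   "annotations": {"openshift.io/sa.scc.uid-range": "1000620000/10000"}}},
 {"metadata": {"name": "default",
   "annotations": {"openshift.io/sa.scc.uid-range": "1000000000/10000"}}}]}""")
PODS = json.loads("""{"items": [
 {"metadata": {"name": "postgres-a", "namespace": "che",
   "annotations": {"openshift.io/scc": "restricted"}},
  "spec": {"containers": [{"name": "postgres",
   "securityContext": {"runAsUser": 1000620000}}]}},
 {"metadata": {"name": "postgres-b", "namespace": "default"},
  "spec": {"securityContext": {},
   "containers": [{"name": "postgres", "securityContext": {}}]}}]}""")

def uid_range(ns):
    """Parse the namespace's '<start>/<size>' UID annotation into a range."""
    raw = ns["metadata"].get("annotations", {}).get("openshift.io/sa.scc.uid-range")
    if not raw:
        return None
    start, _, size = raw.partition("/")
    return range(int(start), int(start) + int(size))

def effective_uid(pod, container):
    """Container-level runAsUser wins over pod-level; None means image default."""
    for sc in (container.get("securityContext"), pod["spec"].get("securityContext")):
        if sc and "runAsUser" in sc:
            return sc["runAsUser"]
    return None

def unconstrained_pods(namespaces, pods):
    """Return (namespace, pod, container, uid, scc) for containers that ignore
    the UID range their namespace advertises."""
    ranges = {n["metadata"]["name"]: uid_range(n) for n in namespaces["items"]}
    findings = []
    for pod in pods["items"]:
        meta = pod["metadata"]
        allowed = ranges.get(meta["namespace"])
        if allowed is None:
            continue  # namespace advertises no range, nothing to compare against
        scc = meta.get("annotations", {}).get("openshift.io/scc")
        for c in pod["spec"]["containers"]:
            uid = effective_uid(pod, c)
            if scc is None or uid is None or uid not in allowed:
                findings.append((meta["namespace"], meta["name"], c["name"], uid, scc))
    return findings

if __name__ == "__main__":
    for finding in unconstrained_pods(NAMESPACES, PODS):
        print("no SCC-assigned UID:", finding)
```

A `None` UID in a finding means the container runs as whatever user the image's Dockerfile sets, which is the behaviour reported for the default namespace.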