You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/07/03 09:45:33 UTC

[GitHub] [airflow] potiuk commented on issue #16777: Official Helm chart - unable to get persistent logs using KubernetesExecutor and PV

potiuk commented on issue #16777:
URL: https://github.com/apache/airflow/issues/16777#issuecomment-873379184


   Just to add on top of what @jedcunningham  wrote. 
   
   At least by reading K8S documentation, I believe, the fsGroup setting which we use for securityContext should take care of the permissions/ownerships without the need of having custom init (unless you changed also some of the parameters of the securityContext or in case the volume you are mounting cannot have permissions changed for some reason by Kubernetes). 
   
   Kubernetes should change the group ownership and permissions of the files/folders recursively while mounting the volume:
   https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
   
   Also see here:
   https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
   
   I am not sure why it does not work for you. What you do need to make sure of is that the volume you are mounting is group-writeable - I believe, also the "change permission" possibility for the mounted volume might not be possible because the volume might not have this capability or your K8S installation is limited to be able to do that. 
   
   BTW. This goes very much in line with official image being redshift-compatible. The best way You have to make sure that runAsGroup is set to '0' (which is the default in our helm chart https://github.com/apache/airflow/blob/4c5376b1b73c3816be4cb6f62c776844f3563ecd/chart/values.yaml#L30) , and that fsGroup is set to `0` in securityContext (in our chart it is set to the same value as runAsGroup:   https://github.com/apache/airflow/blob/4c5376b1b73c3816be4cb6f62c776844f3563ecd/chart/templates/workers/worker-deployment.yaml#L95)
   
   I'd love to hear why this setting did not work in your case @dennisbakhuis 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org