附加持久卷时拒绝NiFi权限

Question

我在AWS上创建了一个NiFi集群。最初的部署运行良好。稍后，我将持久卷和持久卷声明附加到NiFi设置中。启动NiFi后，我将得到以下错误：

ERROR in ch.qos.logback.core.rolling.RollingFileAppender[USER_FILE] - openFile(/opt/nifi/nifi-current/logs/nifi-user.log,true) call failed. java.io.FileNotFoundException: /opt/nifi/nifi-current/logs/nifi-user.log (Permission denied)

由于我不是NiFi和Kubernetes方面的专家，所以我无法确定问题所在。这看起来像是NiFi上的权限问题。我使用的NiFi版本是NiFI 1.15.0。

可能的根本原因是什么？这是因为NiFi没有使用根用户，还是因为其他原因？

我在这里分享全部错误：

13:56:22,449 |-ERROR in ch.qos.logback.core.rolling.RollingFileAppender[USER_FILE] - openFile(/opt/nifi/nifi-current/logs/nifi-user.log,true) call failed. java.io.FileNotFoundException: /opt/nifi/nifi-current/logs/nifi-user.log (Permission denied)
    at java.io.FileNotFoundException: /opt/nifi/nifi-current/logs/nifi-user.log (Permission denied)
    at  at java.io.FileOutputStream.open0(Native Method)
    at  at java.io.FileOutputStream.open(FileOutputStream.java:270)
    at  at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
    at  at ch.qos.logback.core.recovery.ResilientFileOutputStream.<init>(ResilientFileOutputStream.java:26)
    at  at ch.qos.logback.core.FileAppender.openFile(FileAppender.java:204)
    at  at ch.qos.logback.core.FileAppender.start(FileAppender.java:127)
    at  at ch.qos.logback.core.rolling.RollingFileAppender.start(RollingFileAppender.java:100)
    at  at ch.qos.logback.core.joran.action.AppenderAction.end(AppenderAction.java:90)
    at  at ch.qos.logback.core.joran.spi.Interpreter.callEndAction(Interpreter.java:309)
    at  at ch.qos.logback.core.joran.spi.Interpreter.endElement(Interpreter.java:193)
    at  at ch.qos.logback.core.joran.spi.Interpreter.endElement(Interpreter.java:179)
    at  at ch.qos.logback.core.joran.spi.EventPlayer.play(EventPlayer.java:62)
    at  at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:165)
    at  at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:152)
    at  at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:110)
    at  at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:53)
    at  at ch.qos.logback.classic.util.ContextInitializer.configureByResource(ContextInitializer.java:75)
    at  at ch.qos.logback.classic.util.ContextInitializer.autoConfig(ContextInitializer.java:150)
    at  at org.slf4j.impl.StaticLoggerBinder.init(StaticLoggerBinder.java:84)
    at  at org.slf4j.impl.StaticLoggerBinder.<clinit>(StaticLoggerBinder.java:55)
    at  at org.slf4j.LoggerFactory.bind(LoggerFactory.java:150)
    at  at org.slf4j.LoggerFactory.performInitialization(LoggerFactory.java:124)
    at  at org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:417)
    at  at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:362)
    at  at org.apache.nifi.bootstrap.RunNiFi.<init>(RunNiFi.java:145)
    at  at org.apache.nifi.bootstrap.RunNiFi.main(RunNiFi.java:284)

我还共享了Kubernetes清单部分，该部分描述了用于创建NiFi集群的pv和PVC：

        volumeMounts:
          - name: "data"
            mountPath: /opt/nifi/nifi-current/data
          - name: "flowfile-repository"
            mountPath: /opt/nifi/nifi-current/flowfile_repository
          - name: "content-repository"
            mountPath: /opt/nifi/nifi-current/content_repository
          - name: "provenance-repository"
            mountPath: /opt/nifi/nifi-current/provenance_repository
          - name: "logs"
            mountPath: /opt/nifi/nifi-current/logs

  volumeClaimTemplates:
    - metadata:
        name: "data"
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: "gp2"
        resources:
          requests:
            storage: 1Gi
    - metadata:
        name: "flowfile-repository"
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: "gp2"
        resources:
          requests:
            storage: 10Gi
    - metadata:
        name: "content-repository"
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: "gp2"
        resources:
          requests:
            storage: 10Gi
    - metadata:
        name: "provenance-repository"
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: "gp2"
        resources:
          requests:
            storage: 10Gi
    - metadata:
        name: "logs"
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: "gp2"
        resources:
          requests:
            storage: 5Gi

任何帮助都是非常感谢的。

Answer 1

假设您在创建pv和pvc时没有任何问题，那么尝试使用额外的initContainers部分来允许具有UID和gid1000的NiFi用户读写所提供的EBS卷：

initContainers:
- name: fixmount
  image: busybox
  command: [ 'sh', '-c', 'chown -R 1000:1000 /opt/nifi/nifi-current/logs' ]
  volumeMounts:
  - name: logs
    mountPath: /opt/nifi/nifi-current/logs

我希望这将有助于解决你们的问题。这是官方的Kubernetes文档页面Init容器。