MongoDb (k8s pod)由于不允许操作而失败

Question

我正在以kubernetes pod的形式运行一个mongoDB (5.0.12)实例。突然，吊舱失灵了，我需要一些帮助来理解这些日志：

{"t":{"$date":"2022-09-13T18:39:51.104+00:00"},"s":"E",  "c":"STORAGE",  "id":22435,   "ctx":"AuthorizationManager-1","msg":"WiredTiger error","attr":{"error":1,"message":"[1663094391:104664][1:0x7fc5224cc700], file:index-9--3195476868760592993.wt, WT_SESSION.open_cursor: __posix_open_file, 808: /data/db/index-9--3195476868760592993.wt: handle-open: open: Operation not permitted"}}
{"t":{"$date":"2022-09-13T18:39:51.104+00:00"},"s":"F",  "c":"STORAGE",  "id":50882,   "ctx":"AuthorizationManager-1","msg":"Failed to open WiredTiger cursor. This may be due to data corruption","attr":{"uri":"table:index-9--3195476868760592993","config":"overwrite=false","error":{"code":8,"codeName":"UnknownError","errmsg":"1: Operation not permitted"},"message":"Please read the documentation for starting MongoDB with --repair here: http://dochub.mongodb.org/core/repair"}}
{"t":{"$date":"2022-09-13T18:39:51.104+00:00"},"s":"F",  "c":"-",        "id":23091,   "ctx":"AuthorizationManager-1","msg":"Fatal assertion","attr":{"msgid":50882,"file":"src/mongo/db/storage/wiredtiger/wiredtiger_session_cache.cpp","line":109}}
{"t":{"$date":"2022-09-13T18:39:51.104+00:00"},"s":"F",  "c":"-",        "id":23092,   "ctx":"AuthorizationManager-1","msg":"\n\n***aborting after fassert() failure\n\n"}

那么为什么有operation is not permitted呢？我已经运行了mongod --repair，但是仍然会发生错误。

吊舱是这样部署的：

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongodb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mongodb
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mongodb
    spec:
      hostname: mongodb
      # securityContext:
      #   runAsUser: 999
      #   runAsGroup: 3000
      #   fsGroup: 2000
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: data
      containers:
        - name: mongodb
          image: mongo:5.0.12
          args: ["--auth", "--dbpath", "/data/db"]
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 27017
          volumeMounts:
            - mountPath: /data/db
              name: data
          # securityContext:
          #   allowPrivilegeEscalation: false

更新

PVC：

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

Answer 1

您可以尝试在执行之前检查该文件的权限：

ls -l

然后，使用chmod，您可以尝试更改权限，然后尝试执行它。

或

你可以在这里参考，这可能对你有帮助：

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

Answer 2

您应该看看如何在目录上设置umask：

http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html

这将确保使用指定的权限/所有权创建目录中的新文件。