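Question: I am running WikiJS on Kubernetes (GKE) and have run into a permissions problem. The application cannot create its cache directory and throws: "EACCES: permission denied, mkdir '/wiki/data/cache'"
Environment:
- Kubernetes: GKE
- WikiJS version: 2.5
- Volume: PVC
Current configuration: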
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-wikijs
  namespace: test
  labels:
    app: test-wikijs
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-wikijs
  template:
    metadata:
      labels:
        app: test-wikijs
    spec:
      containers:
        - name: test-wikijs
          image: requarks/wiki:2.5
          ports:
            - containerPort: 3000
          env:
            - name: DB_TYPE
              valueFrom:
                configMapKeyRef:
                  name: test-wikjs-config
                  key: DB_TYPE
            - name: DB_HOST
              valueFrom:
                configMapKeyRef:
                  name: test-wikjs-config
                  key: DB_HOST
            - name: DB_PORT
              valueFrom:
                configMapKeyRef:
                  name: test-wikjs-config
                  key: DB_PORT
            - name: DB_NAME
              valueFrom:
                secretKeyRef:
                  name: sql-secret
                  key: POSTGRES_DB
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: sql-secret
                  key: POSTGRES_USER
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: sql-secret
                  key: POSTGRES_PASSWORD
          volumeMounts:
            - name: wikijs-data
              mountPath: /wiki/data
      volumes:
        - name: wikijs-data
          persistentVolumeClaim:
            claimName: wikijs-data-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wikijs-data-pvc
  namespace: test
  labels:
    app: test-wikijs
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: standard
  resources:
    requests:
      storage: 50Gi
Console output:
# PVC detail list
kubectl get pvc -n $env:NAMESPACE -o wide
# PVC description
kubectl describe pvc wikijs-data-pvc -n $env:NAMESPACE
NAME                STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE     VOLUMEMODE
postgres-data-pvc   Bound    pvc-9906e095-5341-451f-a2ff-ffbd8d8991e3   20Gi       RWO            standard       <unset>                 3h29m   Filesystem
wikijs-data-pvc     Bound    pvc-30553c23-75aa-429e-9464-7a567103b320   50Gi       RWO            standard       <unset>                 3h29m   Filesystem

Name:          wikijs-data-pvc
Namespace:     test
StorageClass:  standard
Status:        Bound
Volume:        pvc-30553c23-75aa-429e-9464-7a567103b320
Labels:        app=test-wikijs
Annotations:   pv.kubernetes.io/bind-completed: yes
               pv.kubernetes.io/bound-by-controller: yes
               volume.beta.kubernetes.io/storage-provisioner: pd.csi.storage.gke.io
               volume.kubernetes.io/storage-provisioner: pd.csi.storage.gke.io
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:      50Gi
Access Modes:  RWO
VolumeMode:    Filesystem
Used By:       test-wikijs-5458d966c9-h97w8
Events:        <none>
# detail PV list
kubectl get pv -o wide
# Description of a specific PV
kubectl describe pv wikijs-data-pv
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                    STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE     VOLUMEMODE
pvc-30553c23-75aa-429e-9464-7a567103b320   50Gi       RWO            Delete           Bound    test/wikijs-data-pvc     standard       <unset>                          3h32m   Filesystem
pvc-9906e095-5341-451f-a2ff-ffbd8d8991e3   20Gi       RWO            Delete           Bound    test/postgres-data-pvc   standard       <unset>                          3h32m   Filesystem
kubectl describe pv pvc-30553c23-75aa-429e-9464-7a567103b320
Name:              pvc-30553c23-75aa-429e-9464-7a567103b320
Labels:            topology.kubernetes.io/region=europe-west1
                   topology.kubernetes.io/zone=europe-west1-b
Annotations:       pv.kubernetes.io/migrated-to: pd.csi.storage.gke.io
                   pv.kubernetes.io/provisioned-by: kubernetes.io/gce-pd
                   volume.kubernetes.io/provisioner-deletion-secret-name:
                   volume.kubernetes.io/provisioner-deletion-secret-namespace:
Finalizers:        [kubernetes.io/pv-protection external-attacher/pd-csi-storage-gke-io]
StorageClass:      standard
Status:            Bound
Claim:             test/wikijs-data-pvc
Reclaim Policy:    Delete
Access Modes:      RWO
VolumeMode:        Filesystem
Capacity:          50Gi
Node Affinity:
  Required Terms:
    Term 0:        topology.kubernetes.io/zone in [europe-west1-b]
                   topology.kubernetes.io/region in [europe-west1]
Message:
Source:
    Type:       GCEPersistentDisk (a Persistent Disk resource in Google Compute Engine)
    PDName:     pvc-30553c23-75aa-429e-9464-7a567103b320
    FSType:     ext4
    Partition:  0
    ReadOnly:   false
Events:         <none>
kubectl exec -it $env:POD_NAME -n $env:NAMESPACE -- ls -la /wiki/data
total 28
drwxr-xr-x 4 root root 4096 Jan 20 13:19 .
drwxr-xr-x 1 node node 4096 Oct 12 09:00 ..
drwxr-xr-x 2 node node 4096 Oct 12 08:55 content
drwx------ 2 root root 16384 Jan 20 13:05 lost+found
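Question: How do I correctly set the permissions so that the WikiJS pod can write to its data directory? The volume is mounted, but the application cannot create the directories it needs.

To make sure the directory permissions are set correctly so that the WikiJS application has write access to the mounted volume, you can try using initContainers.
You can modify the deployment YAML to include an initContainer that sets the correct permissions:
InitContainers run before the main WikiJS container.
chmod -R 777 /wiki/data: this command ensures that all users have read, write and execute permission on the /wiki/data directory and its contents.
chown -R 1000:1000 /wiki/data: this command changes the owner of the /wiki/data directory and its contents to the user with UID 1000 and GID 1000, because UID 1000 is usually the user used by the WikiJS container (node).
After applying the updated deployment, you can verify that the permissions are set correctly by checking the /wiki/data directory in the running pod.
Verify permissions: after applying the changes, use the following command to verify that the permissions are set correctly
Also see the document "Installing and Configuring Wiki.js on a Kubernetes Cluster" by Klinsmann Öteyo, which may help resolve the issue.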
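
An added example, not part of the original answer or of the WikiJS project: a fragment of the question's Deployment showing the initContainer approach the answer describes, limited to chown so the volume is not left world-writable, beside a pod-level securityContext that has the kubelet set group ownership on the volume. It assumes the wiki process runs as UID/GID 1000, as the answer states; the initContainer name and the busybox image are assumptions.

```yaml
# Added example: merge into spec.template.spec of the test-wikijs Deployment.
# Assumption: the wiki process is UID/GID 1000 ("node"); confirm with
#   kubectl exec <pod> -n test -- id
# Option A or Option B alone is sufficient; both are shown for comparison.
spec:
  template:
    spec:
      # Option A: the kubelet makes the volume group-owned and group-writable
      # by GID 1000 at mount time, so no container has to run as root.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch  # skip the recursive pass once the root matches
      # Option B: the initContainer from the answer, restricted to chown.
      # Ownership by 1000:1000 already grants write access, so chmod 777 is left out.
      initContainers:
        - name: fix-data-ownership           # hypothetical name
          image: busybox:1.36                # assumed image; any image providing chown works
          command: ["sh", "-c", "chown -R 1000:1000 /wiki/data"]
          securityContext:
            runAsUser: 0                     # chown needs root; only this init step gets it
          volumeMounts:
            - name: wikijs-data
              mountPath: /wiki/data
      containers:
        - name: test-wikijs
          image: requarks/wiki:2.5
          securityContext:
            allowPrivilegeEscalation: false  # the application container stays unprivileged
          volumeMounts:
            - name: wikijs-data
              mountPath: /wiki/data
      volumes:
        - name: wikijs-data
          persistentVolumeClaim:
            claimName: wikijs-data-pvc
# After rollout, `ls -la /wiki/data` in the pod (the command used in the question)
# should show "." owned by node (Option B) or group-writable for GID 1000 (Option A).
```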