Datastore: Calls to Put hang when run inside Kubernetes cluster, fine out of cluster. #928
I tried to replicate this. I wrote the following program:
I made a docker container for it:
(Note the environment variable enabling gRPC logging.) I tagged and pushed it:
I wrote a pod yaml:
Then I ran it on my GKE cluster and grabbed the output:
Could you duplicate that and see if it works? If it does, how do your real code and commands differ from these? |
Thanks for looking into this! I put that code into my setup in addition to the Here's what I got in the logs:
|
Could you be using alpine? See #791. |
Ah! Yes I am running it on alpine. Adding |
Jeffd, if we have a multi-build container, would you be running that 'apk add ca-certificates' in the build portion or the second stage, or both? Using golang:alpine for the builder stage and alpine:latest for the copy-from-builder final stage. Also running the 'RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo' for building the Go binary, gRPC's still hang no matter what we try. Below are the gRPC logs:
|
On Google Cloud Platform, starting an instance from docker image (VM with Container-Optimized OS), built from scratch and adding a compiled golang app (bin), setting the GRPC_GO_LOG_SEVERITY_LEVEL to INFO also shows the underlying grpc call for a datastoreClient.Put() fails silently due to x509 unknown certificate authority. My docker image is based on scratch and only contains the bin and opens 80/443 ports. Since this is not based on Alpine but scratch I cannot do the magic Any other way to include ca-certificates? ... I'm migrating from appengine, where I did not need to use the client.Put() but an older package where I just called datastore.Put(ctx,key,entity) ... So I did not care about TLS, grpc and certificates ... Somebody has an idea on that? |
@JohnAntonusMaximus the first stage of the Docker build should be to build your golang bin and import/test things, the second stage should start from a scratch image and copy only the artifacts for the app if I understood it well |
@twiggg The scratch distro appears to have a package manager https://github.com/emmett1/scratchpkg. I would imagine you could add it using this. |
I finally just used a multi-stage docker image, which 1) installs
certificates from an alpine image then 2) creates the final image from
scratch, copying my app's binary and certificates.
Works fine
On Thu, Dec 27, 2018 at 10:15, Jean de Klerk <notifications@github.com> wrote:
… @twiggg <https://github.com/twiggg> The scratch distro appears to have a
package manager https://github.com/emmett1/scratchpkg. I would imagine
you could add it using this.
|
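The multi-stage build described in the comment above, written out as an added example (not code posted by anyone in this thread). The source layout, the output path `/out/app` and the binary name are assumptions; the build flags and the logging variable are the ones quoted in the thread.

```dockerfile
# Added example (constructed). Paths and the binary name are assumptions.

# Stage 1: build a static binary and make sure the CA bundle is present.
FROM golang:alpine AS builder
RUN apk add --no-cache ca-certificates
WORKDIR /src
COPY . .
# CGO disabled so the binary has no libc dependency and can run on scratch.
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o /out/app .

# Stage 2: final image. The root certificates must exist HERE, in the image
# that actually runs; installing them only in the builder stage is not enough.
FROM scratch
# /etc/ssl/certs/ca-certificates.crt is one of the locations Go's crypto/x509
# searches for system roots on Linux.
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=builder /out/app /app
# Leave gRPC logging on until TLS to the Datastore endpoint is confirmed;
# a missing bundle shows up as an x509 unknown-authority error in these logs.
ENV GRPC_GO_LOG_SEVERITY_LEVEL=INFO
ENTRYPOINT ["/app"]

# If the final stage is alpine instead of scratch, install the package there:
#   FROM alpine:latest
#   RUN apk add --no-cache ca-certificates
# For a Debian-based final stage (e.g. debian-slim), the equivalent is:
#   RUN apt-get update && apt-get install -y ca-certificates
```

Copying the bundle from the builder keeps the final image free of a package manager while still letting the client verify the server's certificate chain, so TLS verification never has to be disabled to work around the hang.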
Thanks for posting this. I was using debian-slim and had this problem. Had to add a line |
I've been having an issue that I cannot figure out or even properly debug. When developing locally with "cloud.google.com/go/datastore" on Kubernetes using an in-cluster configuration, I can write to Cloud Datastore just fine. However, when I deploy it on my cluster, my program hangs and never returns once .Put(... is called on my datastore client. I don't get any output whatsoever. I've been able to get rudimentary gdb access to a running process on my cluster but have not been able to figure out what is going wrong or where the code is getting stuck. I have followed the directions here.
I have tried loading my service account file by these two methods.
Both work in creating a valid client.
I also tried moving to new nodes with more permissions enabled with:
The permissions to my cluster look like this:
My service account has the role of Cloud Datastore User and Owner for good measure.
What are other things to check for when running on Kubernetes from within the cluster? Is there any good way to debug this to get logs as to what's happening?