New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied #4061
Comments
i have checked it
|
|
For what it's worth, I ran into the very same issue using All of this hinted at issues with ACLs or xattrs on the binary, the cert directory,... so I ran a Google query and bumped into containerd/containerd#2942 Indeed, removing the images from the system, then upgrading to So, if your environment is using |
The `nginx-ingress-controller` container relies on filesystem extended attributes to allow permissions to the `nginx` binary and temporary storage ACLs. There's a bug in `containerd` 1.2.1 which causes such xattrs not to be properly unpacked from container image layers. To work-around this, we need a newer version, which is not packaged for CentOS/EPEL. However, since `containerd` is a pure Golang static binary, we can use a package from Fedora. See: kubernetes/ingress-nginx#4061 (comment) See: containerd/containerd#2942
yes,I ran ingress-nginx on docker,but the containerd version is 1.2.5,what is CRI?Suggest to upgrade containerd to containerd-1.2.4-1.fc30?
|
I am not suggesting anything at all, just providing some more information for the devs to dig into this issue, if applicable. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
In my case I used helm upgrade command without specifying the chart version, which caused that I used chart for nginx-ingress version 0.27.x with image version 0.26.2. There is a breaking change in the default of runAsUser attribute due to migration to Alpine linux. |
Solution: Change |
and this solution doesn't work with
Check user:
|
@alter can you double check that your ingress controller pods are running a version >= 0.27.0? I had the same issue but figured out that I had overwritten the image tag in my Helm values. |
I have the same problem with 0.32.0. The default runAsUser is already set to 101. Interestingly, it works well in one node but not in another in the cluster. I'm running it in daemonset mode. |
Have the same issue, I then proceeded to change the ingress controller version to 0.30.0, manually deleted the 0.32.0 image on the worker node and changed back the version to 0.32.0 Seems its working however lets see how long it will take. |
kubernetes/ingress-nginx#4061 (comment) Signed-off-by: Simão Reis <sreis@opstrace.com>
kubernetes/ingress-nginx#4061 (comment) Signed-off-by: Simão Reis <sreis@opstrace.com>
Helm Chart Version: 2.13.0 Controller was deployed about It is able to partially start with
If I add the
To further workaround this, I added
The deployment is finally "fixed". Any other combination results in the initial failure still. What caused this deployment to go haywire? |
- Update image reference - Update runAsUser following guidance at kubernetes/ingress-nginx#4061 - Add default IngressClass following guidance at https://kubernetes.github.io/ingress-nginx/#what-is-an-ingressclass-and-why-is-it-important-for-users-of-ingress-nginx-controller-now
I am using Only thing that solved the issue for me was setting the securityContext of the
That way it is not needed to use the Edit: it also allows the creation of the |
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST
NGINX Ingress controller version:
0.24.1
Kubernetes version (use
kubectl version
):v1.14.1
Environment:
uname -a
): 4.15.0-47-genericWhat happened:
I deploy ingress-nginx,then it is wrong
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-ingress-controller-5694ccb578-csn72 0/1 CrashLoopBackOff 8 20m 10.244.1.141 node2 <none> <none>
this is a part of log
W0503 09:23:37.549224 1 flags.go:214] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false) nginx version: nginx/1.15.6 W0503 09:23:37.559659 1 client_config.go:549] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work. I0503 09:23:37.564858 1 main.go:205] Creating API client for https://10.96.0.1:443 I0503 09:23:37.618028 1 main.go:249] Running in Kubernetes cluster version v1.14 (v1.14.1) - git (clean) commit b7394102d6ef778017f2ca4046abbaa23b88c290 - platform linux/amd64 F0503 09:23:37.925586 1 main.go:121] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know:
node1 is master, node2 is generic,I apply yaml file,then ingress-nginx pod was deploy in node2,it is relative to host permission?
The text was updated successfully, but these errors were encountered: