
How can I give grafana user appropriate permission so that it can start successfully?

env:

kubernetes provider: gke
kubernetes version: v1.13.12-gke.25
grafana version: 6.6.2 (official image)

grafana deployment manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      name: grafana
      labels:
        app: grafana
    spec:
      containers:
      - name: grafana
        image: grafana/grafana:6.6.2
        ports:
        - name: grafana
          containerPort: 3000
        # securityContext:
        #     runAsUser: 104
        #     allowPrivilegeEscalation: true
        resources:
          limits:
            memory: "1Gi"
            cpu: "500m"
          requests: 
            memory: "500Mi"
            cpu: "100m"
        volumeMounts:
          - mountPath: /var/lib/grafana
            name: grafana-storage
      volumes:
        - name: grafana-storage
          persistentVolumeClaim:
              claimName: grafana-pvc

Problem

When I deployed this grafana dashboard the first time, it was working fine. After some time I restarted the pod to check whether the volume mount was working or not. After restarting, I am getting the error below.

mkdir: can't create directory '/var/lib/grafana/plugins': Permission denied
GF_PATHS_DATA='/var/lib/grafana' is not writable.
You may have issues with file permissions, more information here: http://docs.grafana.org/installation/docker/#migration-from-a-previous-version-of-the-docker-container-to-5-1-or-later

What I understand from this error is that the user could create these files. How can I give this user the appropriate permission to start grafana successfully?

asked Mar 17 '20 17:03

Abu Hanifa



1 Answer

I recreated your deployment with an appropriate PVC and noticed that the grafana pod was failing.

Output of command: $ kubectl get pods -n monitoring

NAME                       READY   STATUS   RESTARTS   AGE
grafana-6466cd95b5-4g95f   0/1     Error    2          65s

Further investigation pointed to the same errors as yours:

mkdir: can't create directory '/var/lib/grafana/plugins': Permission denied
GF_PATHS_DATA='/var/lib/grafana' is not writable.
You may have issues with file permissions, more information here: http://docs.grafana.org/installation/docker/#migration-from-a-previous-version-of-the-docker-container-to-5-1-or-later

This error showed on first creation of a pod and the deployment. There was no need to recreate any pods.

What I did to make it work was to edit your deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      name: grafana
      labels:
        app: grafana
    spec:
      securityContext:
          runAsUser: 472
          fsGroup: 472
      containers:
      - name: grafana
        image: grafana/grafana:6.6.2
        ports:
        - name: grafana
          containerPort: 3000
        resources:
          limits:
            memory: "1Gi"
            cpu: "500m"
          requests:
            memory: "500Mi"
            cpu: "100m"
        volumeMounts:
          - mountPath: /var/lib/grafana
            name: grafana-storage
      volumes:
        - name: grafana-storage
          persistentVolumeClaim:
              claimName: grafana-pvc

Please take a specific look at this part:

      securityContext:
          runAsUser: 472
          fsGroup: 472

It is a setting described in the official documentation: Kubernetes.io: set the security context for a pod

Please take a look at this GitHub issue, which is similar to yours and pointed me to the solution that allowed the pod to spawn correctly:

  • https://github.com/grafana/grafana-docker/issues/167

Grafana had some major updates starting from version 5.1. Please take a look: Grafana.com: Docs: Migrate to v5.1 or later

Please let me know if this helps.

answered Sep 19 '22 14:09

Dawid Kruk
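
The manifest from the answer above with the security context tightened further, as an added example that is not part of the original answer or the Grafana project. The pod-level runAsNonRoot and the container-level securityContext are additions; they assume Grafana needs no Linux capabilities, since it only binds the unprivileged port 3000 shown on the page.

```yaml
# Added example: names, image tag and resource sizes are taken from the page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        runAsUser: 472       # UID of the grafana user in the official image since 5.1 (it was 104 before)
        fsGroup: 472         # kubelet gives GID 472 group ownership and write access on volumes that support it
        runAsNonRoot: true   # addition: kubelet refuses to start the container if it would run as UID 0
      containers:
      - name: grafana
        image: grafana/grafana:6.6.2
        ports:
        - name: grafana
          containerPort: 3000
        securityContext:
          # Addition: the question's commented-out block had this set to true.
          # Writing to /var/lib/grafana needs ownership, not privilege.
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]    # assumption: Grafana needs no capabilities on port 3000
        resources:
          limits:
            memory: "1Gi"
            cpu: "500m"
          requests:
            memory: "500Mi"
            cpu: "100m"
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: grafana-storage
      volumes:
      - name: grafana-storage
        persistentVolumeClaim:
          claimName: grafana-pvc
```

After applying it, running `id` inside the container (for example with kubectl exec) should report uid=472 with 472 among the groups, and /var/lib/grafana should be group-owned by 472.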