Percona MongoDB EKS with EFS, the second StatefulSet instances fails to access EFS

lucasbrazi06 · August 10, 2024, 3:26pm

Description:

When using an EFS storage, each MongoDB StatefulSet instance uses a security user/group (1000/1000) that doesn’t change.
So the first MongoDB stateful set instance with user/group 1000/1000 creates a PVC which creates an EFS access point with user/group 1000/1000 and starts up successfully because user/group of the instance matches the user/group of the EFS access point.
The second MongoDB stateful set instance with user/group 1000/1000 creates a PVC which creates an access point in the EFS but with user/group 1001:1001 and fails to start because it the instance user/group does not match the EFS access point anymore.
Do you have an idea of to user incremental user/group in MongoDB StatefulSet instances.
Does Percona MongoDB works with EFS file system?

Steps to Reproduce:

Create an EKS Cluster
Create an EFS file system
Create a Storage Class that points to the EFS
Deploy Percona using the Storage class above
The first MongoDB instance starts successfully with user/group 1000/1000
The second instance fails with user/group 1000/1000 as it needs user/group 1001/1001.

Version:

psmdb-operator:1.16.2
psmdb-db:1.16.2

Logs:

[1723303181:183107][1:0x7f7e346e7080], connection: [WT_VERB_DEFAULT][ERROR]: __posix_open_file, 815: /data/db/key.db/WiredTiger.wt: handle-open: open: File exists
[1723303181:187974][1:0x7f7e346e7080], connection: [WT_VERB_BLOCK][NOTICE]: unexpected file WiredTiger.wt found, renamed to WiredTiger.wt.6
[1723303181:193852][1:0x7f7e346e7080], connection: [WT_VERB_DEFAULT][ERROR]: __posix_open_file, 815: /data/db/key.db/WiredTiger.wt: handle-open: open: Operation not permitted
[1723303181:223974][1:0x7f7e346e7080], connection: [WT_VERB_DEFAULT][ERROR]: __posix_open_file, 815: /data/db/key.db/WiredTiger.wt: handle-open: open: File exists
[1723303181:230089][1:0x7f7e346e7080], connection: [WT_VERB_BLOCK][NOTICE]: unexpected file WiredTiger.wt found, renamed to WiredTiger.wt.7
[1723303181:235565][1:0x7f7e346e7080], connection: [WT_VERB_DEFAULT][ERROR]: __posix_open_file, 815: /data/db/key.db/WiredTiger.wt: handle-open: open: Operation not permitted
[1723303181:267552][1:0x7f7e346e7080], connection: [WT_VERB_DEFAULT][ERROR]: __posix_open_file, 815: /data/db/key.db/WiredTiger.wt: handle-open: open: File exists
[1723303181:273529][1:0x7f7e346e7080], connection: [WT_VERB_BLOCK][NOTICE]: unexpected file WiredTiger.wt found, renamed to WiredTiger.wt.8
[1723303181:277818][1:0x7f7e346e7080], connection: [WT_VERB_DEFAULT][ERROR]: __posix_open_file, 815: /data/db/key.db/WiredTiger.wt: handle-open: open: Operation not permitted

Expected Result:

Should be able to access the file system, the first instance has the good user/group container security context 1000/1000 but the second instance should have 1001/1001to successfully access the EFS instead of 1000/1000.

Actual Result:

The second instance should have the security context set to 1001/1001 and the third 1002/1002.

lucasbrazi06 · August 10, 2024, 5:24pm

Maybe I should use EBS instead of EFS ???

lucasbrazi06 · August 12, 2024, 10:54am

I recreated the EFS with fixed user/group ID of 1001/1001 using EFS params gid/uid when creating the Storage Class instead of providing a range of user/group IDs (EFS params gidRangeStart/gidRangeEnd) and it’s working.

github.com

kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md

[![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes-sigs/aws-efs-csi-driver)](https://goreportcard.com/report/github.com/kubernetes-sigs/aws-efs-csi-driver)

## Amazon EFS CSI Driver

The [Amazon Elastic File System](https://aws.amazon.com/efs/) Container Storage Interface (CSI) Driver implements the [CSI](https://github.com/container-storage-interface/spec/blob/master/spec.md) specification for container orchestrators to manage the lifecycle of Amazon EFS file systems.

### CSI Specification Compatibility Matrix
| Amazon EFS CSI Driver \ CSI Spec Version | v0.3.0| v1.1.0 | v1.2.0 |
|------------------------------------------|-------|--------|--------|
| master branch                            | no    | no     | yes    |
| v2.x.x                                   | no    | no     | yes    |
| v1.x.x                                   | no    | no     | yes    |
| v0.3.0                                   | no    | yes    | no     |
| v0.2.0                                   | no    | yes    | no     |
| v0.1.0                                   | yes   | no     | no     |

## Features
Amazon EFS CSI driver supports dynamic provisioning and static provisioning.
Currently, Dynamic Provisioning creates an access point for each PV. This mean an Amazon EFS file system has to be created manually on AWS first and should be provided as an input to the storage class parameter.
For static provisioning, the Amazon EFS file system needs to be created manually on AWS first. After that, it can be mounted inside a container as a volume using the driver.

This file has been truncated. show original

Sergey_Pronin · August 19, 2024, 8:45am

@lucasbrazi06 glad that you got it working!

Is there any particular reason why are you using EFS vs EBS?

Topic		Replies	Views
Percona MongoDB Server on AWS Fargate EKS - Assistance with deployment YAML Percona Server for MongoDB percona	2	925	September 23, 2022
HA mongodb CE statefulset to percona mongodb with operator Percona Operator for MongoDB percona , mongodb , psmdb-operator	1	575	October 19, 2023
MongoDB Cluster IPv6, Replicaset initialization is failing Percona Operator for MongoDB percona	7	1281	July 13, 2022
Unable to start mongodb operator on EKS Percona Operator for MongoDB	1	427	February 26, 2024
Mongo-init Permission denied Percona Operator for MongoDB	2	1270	November 14, 2022