I've been following the instructions on GitHub to set up an Azure Files volume.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: azure-files-secret
type: Opaque
data:
  azurestorageaccountname: Yn...redacted...=
  azurestorageaccountkey: 3+w52/...redacted...MKeiiJyg==
```

I then in my pod config have:

```yaml
# ...stuff
volumeMounts:
  - mountPath: /var/ccd
    name: openvpn-ccd
# ...more stuff
volumes:
  - name: openvpn-ccd
    azureFile:
      secretName: azure-files-secret
      shareName: az-files
      readOnly: false
```

Creating the containers then fails:

```
MountVolume.SetUp failed for volume "kubernetes.io/azure-file/007adb39-30df-11e7-b61e-000d3ab6ece2-openvpn-ccd" (spec.Name: "openvpn-ccd") pod "007adb39-30df-11e7-b61e-000d3ab6ece2" (UID: "007adb39-30df-11e7-b61e-000d3ab6ece2") with: mount failed: exit status 32 Mounting command: mount Mounting arguments: //xxx.file.core.windows.net/az-files /var/lib/kubelet/pods/007adb39-30df-11e7-b61e-000d3ab6ece2/volumes/kubernetes.io~azure-file/openvpn-ccd cifs [vers=3.0,username=xxx,password=xxx,dir_mode=0777,file_mode=0777] Output: mount error(13): Permission denied Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
```

I was previously getting password errors, as I hadn't base64 encoded the account key, but that has resolved now, and I get the more generic Permission denied error, which I suspect is maybe on the mount point, rather than the file storage. In any case, I need advice on how to troubleshoot further please?

Chris
  • Do you need to use a previously created storage account? You can also specify your `.yaml` file to create an Azure Storage for you. – radu-matei May 05 '17 at 09:09
  • @radu-matei thanks - can you advise on the location of the docs for that, I'm struggling to see much? I'd rather use an existing storage account and share, but it's not essential... – Chris May 05 '17 at 10:09

1 Answer

This appears to be an auth error to your storage account. Un-base64 your password, and then validate using an Ubuntu image in the same region as the storage account.

Here is a sample script to validate the Azure Files share correctly mounts:

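```bash
#!/bin/bash
# Validate that an Azure Files share mounts with the given credentials.
if [ $# -ne 3 ]
then
  echo "you must pass arguments STORAGEACCOUNT STORAGEACCOUNTKEY SHARE"
  exit 1
fi

ACCOUNT=$1
ACCOUNTKEY=$2
SHARE=$3
MOUNTSHARE=/mnt/${SHARE}

# mount.cifs is provided by cifs-utils
apt-get update && apt-get install -y cifs-utils

mkdir -p "${MOUNTSHARE}"
# Quote the arguments: account keys contain characters such as + and /
mount -t cifs "//${ACCOUNT}.file.core.windows.net/${SHARE}" "${MOUNTSHARE}" -o "vers=2.1,username=${ACCOUNT},password=${ACCOUNTKEY}"
```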
A Howe
  • I've no way of proving it's an auth error (or not). I've tried the Ubuntu image already, it works, doesn't work on the ACS node(s) running the container. (In the same region.) I was using -o vers=3.0 as the kubernetes node is... but it still worked on Ubuntu and not kube. I tried a VM in a different region and got the same "Permission Denied" error. Everything in my ACS and File storage is in North Europe region. And this is reproducible across multiple ACS clusters (as I rebuild it each day while in development) – Chris May 08 '17 at 21:06
  • Thanks for the confirmation, I'll try to repro on my side. In the meantime, can you double confirm you used the value for password you stored in kubernetes (unbase64 it), not the password copied from portal/cli. – A Howe May 09 '17 at 01:44
  • Yeah, I copied it from the error message, as it's sitting in full there.... same password worked on Ubuntu – Chris May 09 '17 at 07:28
  • I've also now tried this on an agent itself by hand, and with sudo, it works... full reproduce here: https://github.com/kubernetes/kubernetes/issues/45827 – Chris May 15 '17 at 15:30
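
The thread keeps returning to which form of the account key ends up in the Secret (not encoded, encoded once, or correctly encoded on top of the portal's own base64). The following is an added example, not code from the question, the answer or Kubernetes: it checks the two `data` values offline before any mount is attempted. The helper names and sample values are constructed, and the name and key formats in the comments are stated assumptions about Azure storage accounts.

```python
import base64
import binascii
import re

# Assumptions (not from the page): Azure storage account names are 3-24
# lowercase letters/digits; account keys are 512-bit values shown as base64.
ACCOUNT_NAME_RE = re.compile(rb"[a-z0-9]{3,24}")
KEY_BYTES = 64


def b64_or_none(value):
    """Strictly decode base64; return None instead of raising on bad input."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def check_secret_data(data):
    """Hypothetical helper: list problems in an azureFile Secret's `data` map."""
    problems, decoded = [], {}
    for field in ("azurestorageaccountname", "azurestorageaccountkey"):
        raw = b64_or_none(data.get(field, "!"))  # "!" is never valid base64
        if raw is None:
            problems.append(f"{field}: missing or not valid base64")
            continue
        if raw != raw.strip():
            problems.append(f"{field}: decoded value has surrounding whitespace")
        decoded[field] = raw.strip()

    name = decoded.get("azurestorageaccountname")
    if name is not None and not ACCOUNT_NAME_RE.fullmatch(name):
        problems.append("azurestorageaccountname: not a valid account name")

    key = decoded.get("azurestorageaccountkey")
    # The portal/CLI key is already base64, so the Secret holds it encoded
    # twice; the value Kubernetes decodes must itself decode to 64 bytes.
    if key is not None and len(b64_or_none(key) or b"") != KEY_BYTES:
        problems.append("azurestorageaccountkey: decoded value is not a base64 512-bit key")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    portal_key = base64.b64encode(bytes(range(64)))
    sample = {
        "azurestorageaccountname": base64.b64encode(b"examplestorage\n").decode(),
        "azurestorageaccountkey": base64.b64encode(portal_key).decode(),
    }
    print(check_secret_data(sample) or "secret data looks well-formed")
```

An empty result only means the stored values are well-formed; it says nothing about whether the node can reach the share or whether the key is current.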