Comments (14)
@Xaviou1003 Currently AKS managed blob csi driver doesn't support this feature yet, so, if you want to try this feature, you have to disable the managed blob csi driver by running `az aks update --disable-blob-driver` first and then install the open-source blob csi driver manually by following the steps above. We will support this feature in managed blob csi driver from AKS v1.29.
from blob-csi-driver.
After I installed the csi driver with the Helm chart, the csi driver works perfectly.
For your information, when I installed the csi driver the first time, I disabled the default aks blob driver with `az aks update --disable-blob-driver`.
I followed the installation guideline that is provided here but the csi driver seems not to be up to date.
And I see you just fixed this problem with this pr.
@andyzhangx and @cvvz Thanks a lot for your help.
from blob-csi-driver.
/kind bug
from blob-csi-driver.
@Xaviou1003 have you specified `serviceAccountName` in your pod spec? If yes, could you paste all spec you have set?
from blob-csi-driver.
@andyzhangx Thanks for your answer.
Yes, I provided serviceAccountName in my pod spec.
You can find my spec below (I just mask my client id):
```yaml
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  name: csi-blob
  namespace: cloudplatform-backend
  annotations:
    azure.workload.identity/client-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  labels:
    azure.workload.identity/use: "true"
---
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: blob.csi.azure.com
  name: pv-blob
  namespace: cloudplatform-backend
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: blob-fuse
  mountOptions:
    - -o allow_other
    - --file-cache-timeout-in-seconds=120
  csi:
    driver: blob.csi.azure.com
    # make sure volumeid is unique for every storage blob container in the cluster
    # the # character is reserved for internal use, the / character is not allowed
    volumeHandle: rg#stgmakspocvolumetst#pvctest
    volumeAttributes:
      storageAccount: stgmakspocvolumetst
      containerName: pvctest # required
      resourceGroup: rg-aks-tst # optional, specified when the storage account is not under AKS node resource group(which is prefixed with "MC_")
      clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # required
      # tenantID: $IDENTITY_TENANT #optional, only specified when workload identity and AKS cluster are in different tenant
      # subscriptionid: $SUBSCRIPTION #optional, only specified when workload identity and AKS cluster are in different subscription
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: statefulset-blob
  namespace: cloudplatform-backend
  labels:
    app: nginx
    azure.workload.identity/use: "true"
spec:
  serviceName: statefulset-blob
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: csi-blob #required, Pod does not use this service account has no permission to mount the volume
      nodeSelector:
        "kubernetes.io/os": linux
      containers:
        - name: statefulset-blob
          image: artifactory-tst.tkub-tst3d5.az.groupemutuel.ch/docker/ops/alpine-gm:3.17
          lifecycle:
            preStop:
              exec:
                command:
                  - "/bin/sh"
                  - "-c"
                  - rm /mnt/blob/*
          command:
            - "/bin/sh"
            - "-c"
            - set -euo pipefail; while true; do echo $(date) >> /mnt/blob/outfile; sleep 1; done
          volumeMounts:
            - name: pv-blob
              mountPath: /mnt/blob
              readOnly: false
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: nginx
  volumeClaimTemplates:
    - metadata:
        name: pv-blob
      spec:
        storageClassName: blob-fuse
        accessModes: ["ReadWriteMany"]
        resources:
          requests:
            storage: 10Gi
```
from blob-csi-driver.
Hello @andyzhangx,
Have you had time to look at this problem?
from blob-csi-driver.
/assign @cvvz
from blob-csi-driver.
@Xaviou1003 Could you share the full logs of csi driver? The log message `Skip NodeStageVolume for volume(rg#xxxxxx#xxxx) since clientID xxxxxxxx-xxxx-xxxx-xxxxxxxxx is provided but service account token is empty` is normal and we need more logs to investigate what exactly happened.
from blob-csi-driver.
@cvvz yes, of course.
The full log of csi-blob-node:
utils.go:110] GRPC response: {}
nodeserver.go:156] NodePublishVolume: volume rg#stgmakspocvolumetst#pvctest mount /var/lib/kubelet/plugins/kubernetes.io/csi/blob.csi.azure.com/e671026d6647fcedc52e6b5b45dc122d700ded97a38d615a131eabf8cff69883/globalmount at /var/lib/kubelet/pods/4f0c9e90-26a9-4033-83ce-301a30fdea0e/volumes/kubernetes.io~csi/pv-blob/mount successfully
mount_linux.go:218] Mounting cmd (mount) with arguments ( -o bind,remount /var/lib/kubelet/plugins/kubernetes.io/csi/blob.csi.azure.com/e671026d6647fcedc52e6b5b45dc122d700ded97a38d615a131eabf8cff69883/globalmount /var/lib/kubelet/pods/4f0c9e90-26a9-4033-83ce-301a30fdea0e/volumes/kubernetes.io~csi/pv-blob/mount)
mount_linux.go:218] Mounting cmd (mount) with arguments ( -o bind /var/lib/kubelet/plugins/kubernetes.io/csi/blob.csi.azure.com/e671026d6647fcedc52e6b5b45dc122d700ded97a38d615a131eabf8cff69883/globalmount /var/lib/kubelet/pods/4f0c9e90-26a9-4033-83ce-301a30fdea0e/volumes/kubernetes.io~csi/pv-blob/mount)
nodeserver.go:140] NodePublishVolume: volume rg#stgmakspocvolumetst#pvctest mounting /var/lib/kubelet/plugins/kubernetes.io/csi/blob.csi.azure.com/e671026d6647fcedc52e6b5b45dc122d700ded97a38d615a131eabf8cff69883/globalmount at /var/lib/kubelet/pods/4f0c9e90-26a9-4033-83ce-301a30fdea0e/volumes/kubernetes.io~csi/pv-blob/mount with mountOptions: [bind]
utils.go:104] GRPC request: {"staging_target_path":"/var/lib/kubelet/plugins/kubernetes.io/csi/blob.csi.azure.com/e671026d6647fcedc52e6b5b45dc122d700ded97a38d615a131eabf8cff69883/globalmount","target_path":"/var/lib/kubelet/pods/4f0c9e90-26a9-4033-83ce-301a30fdea0e/volumes/kubernetes.io~csi/pv-blob/mount","volume_capability":{"AccessType":{"Mount":{"mount_flags":["-o allow_other","--file-cache-timeout-in-seconds=120"]}},"access_mode":{"mode":5}},"volume_context":{"clientID":"xxxxxxxx-xxxx-xxxx-xxxxxxxxx","containerName":"pvctest","csi.storage.k8s.io/ephemeral":"false","csi.storage.k8s.io/pod.name":"statefulset-blob-0","csi.storage.k8s.io/pod.namespace":"cloudplatform-backend","csi.storage.k8s.io/pod.uid":"4f0c9e90-26a9-4033-83ce-301a30fdea0e","csi.storage.k8s.io/serviceAccount.name":"csi-blob","resourceGroup":"rg-aks-tst","storageAccount":"stgmakspocvolumetst"},"volume_id":"rg#stgmakspocvolumetst#pvctest"}
utils.go:103] GRPC call: /csi.v1.Node/NodePublishVolume
utils.go:110] GRPC response: {}
nodeserver.go:256] Skip NodeStageVolume for volume(rg#stgmakspocvolumetst#pvctest) since clientID xxxxxxxx-xxxx-xxxx-xxxxxxxxx is provided but service account token is empty
utils.go:104] GRPC request: {"staging_target_path":"/var/lib/kubelet/plugins/kubernetes.io/csi/blob.csi.azure.com/e671026d6647fcedc52e6b5b45dc122d700ded97a38d615a131eabf8cff69883/globalmount","volume_capability":{"AccessType":{"Mount":{"mount_flags":["-o allow_other","--file-cache-timeout-in-seconds=120"]}},"access_mode":{"mode":5}},"volume_context":{"clientID":"xxxxxxxx-xxxx-xxxx-xxxxxxxxx","containerName":"pvctest","resourceGroup":"rg-aks-tst","storageAccount":"stgmakspocvolumetst"},"volume_id":"rg#stgmakspocvolumetst#pvctest"}
utils.go:103] GRPC call: /csi.v1.Node/NodeStageVolume
from blob-csi-driver.
Thanks, could you also get the kubelet logs?
from blob-csi-driver.
And please run `kubectl get csidriver` and paste the output
from blob-csi-driver.
```
kubectl get csidriver
NAME                 ATTACHREQUIRED   PODINFOONMOUNT   STORAGECAPACITY   TOKENREQUESTS   REQUIRESREPUBLISH   MODES                  AGE
blob.csi.azure.com   false            true             false             <unset>         false               Persistent,Ephemeral   13d
csi.tigera.io        true             true             false             <unset>         false               Ephemeral              289d
disk.csi.azure.com   true             false            false             <unset>         false               Persistent             448d
```
kubelet log:
reconciler_common.go:253] "operationExecutor.VerifyControllerAttachedVolume started for volume \"pv-blob\" (UniqueName: \"kubernetes.io/csi/blob.csi.azure.com^rg#stgmakspocvolumetst#pvctest\") pod \"statefulset-blob-0\" (UID: \"f5e37abd-3eae-4e9e-a03c-af11854f1306\") " pod="cloudplatform-backend/statefulset-blob-0"
reconciler_common.go:228] "operationExecutor.MountVolume started for volume \"pv-blob\" (UniqueName: \"kubernetes.io/csi/blob.csi.azure.com^rg#stgmakspocvolumetst#pvctest\") pod \"statefulset-blob-0\" (UID: \"f5e37abd-3eae-4e9e-a03c-af11854f1306\") " pod="cloudplatform-backend/statefulset-blob-0"
operation_generator.go:662] "MountVolume.MountDevice succeeded for volume \"pv-blob\" (UniqueName: \"kubernetes.io/csi/blob.csi.azure.com^rg#stgmakspocvolumetst#pvctest\") pod \"statefulset-blob-0\" (UID: \"f5e37abd-3eae-4e9e-a03c-af11854f1306\") device mount path \"/var/lib/kubelet/plugins/kubernetes.io/csi/blob.csi.azure.com/e671026d6647fcedc52e6b5b45dc122d700ded97a38d615a131eabf8cff69883/globalmount\"" pod="cloudplatform-backend/statefulset-blob-0"
operation_generator.go:744] "MountVolume.SetUp succeeded for volume \"pv-blob\" (UniqueName: \"kubernetes.io/csi/blob.csi.azure.com^rg#stgmakspocvolumetst#pvctest\") pod \"statefulset-blob-0\" (UID: \"f5e37abd-3eae-4e9e-a03c-af11854f1306\") " pod="cloudplatform-backend/statefulset-blob-0"
operation_generator.go:744] "MountVolume.SetUp succeeded for volume \"kube-api-access-hk2mq\" (UniqueName: \"kubernetes.io/projected/f5e37abd-3eae-4e9e-a03c-af11854f1306-kube-api-access-hk2mq\") pod \"statefulset-blob-0\" (UID: \"f5e37abd-3eae-4e9e-a03c-af11854f1306\") " pod="cloudplatform-backend/statefulset-blob-0"
operation_generator.go:744] "MountVolume.SetUp succeeded for volume \"azure-identity-token\" (UniqueName: \"kubernetes.io/projected/f5e37abd-3eae-4e9e-a03c-af11854f1306-azure-identity-token\") pod \"statefulset-blob-0\" (UID: \"f5e37abd-3eae-4e9e-a03c-af11854f1306\") " pod="cloudplatform-backend/statefulset-blob-0"
util.go:30] "No sandbox for pod can be found. Need to start a new one" pod="cloudplatform-backend/statefulset-blob-0"
kubelet.go:2231] "SyncLoop (PLEG): event for pod" pod="cloudplatform-backend/statefulset-blob-0" event=&{ID:f5e37abd-3eae-4e9e-a03c-af11854f1306 Type:ContainerStarted Data:49bb4893c7da67ed2da1ce317818f74bc2bbfcfeaf957f941e55f13649912f69}
kubelet.go:2231] "SyncLoop (PLEG): event for pod" pod="cloudplatform-backend/statefulset-blob-0" event=&{ID:f5e37abd-3eae-4e9e-a03c-af11854f1306 Type:ContainerStarted Data:2244679131653363f75aa491b9e14296fa42ade4e8e053769d1906fb7305e5f2}
from blob-csi-driver.
You didn't install blob csi driver correctly. If the csi driver was installed correctly, then the `TOKENREQUESTS` field should be `api://AzureADTokenExchange`, it was unset currently.
kubectl get csidriver
NAME ATTACHREQUIRED PODINFOONMOUNT STORAGECAPACITY **TOKENREQUESTS** REQUIRESREPUBLISH MODES AGE
blob.csi.azure.com false true false **<unset>** false Persistent,Ephemeral 13d
You can uninstall the existing blob csi driver first and use below steps to re-install blob csi driver and try again:
```
helm repo add blob-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/charts
helm repo update blob-csi-driver
helm install blob-csi-driver blob-csi-driver/blob-csi-driver \
  --set node.enableBlobfuseProxy=true \
  --set node.blobfuseProxy.installBlobfuse=false \
  --set node.blobfuseProxy.installBlobfuse2=false \
  --namespace kube-system \
  --version v1.23.3
```
from blob-csi-driver.
@Xaviou1003 if you have installed open source driver, then you could use following command to update `blob.csi.azure.com` csidriver object, and then retry should work.
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/csi-blob-driver.yaml
from blob-csi-driver.
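Added example, not part of the thread and not the project's own code: a check for the condition diagnosed above, where a PersistentVolume sets `clientID` for workload identity but the driver's CSIDriver object has no `tokenRequests` entry for `api://AzureADTokenExchange`. The function names and the sample objects are assumptions; the samples are constructed to mirror the names in this thread.

```python
import json

# Audience the thread says TOKENREQUESTS must show for workload identity.
REQUIRED_AUDIENCE = "api://AzureADTokenExchange"


def drivers_with_audience(csidrivers, audience=REQUIRED_AUDIENCE):
    """Names of CSIDriver objects whose spec.tokenRequests includes `audience`."""
    ok = set()
    for item in csidrivers.get("items", []):
        requests = item.get("spec", {}).get("tokenRequests") or []
        if any(r.get("audience") == audience for r in requests):
            ok.add(item["metadata"]["name"])
    return ok


def pvs_missing_token(csidrivers, pvs):
    """PVs that set clientID (workload identity) on a driver that gets no token."""
    ok = drivers_with_audience(csidrivers)
    affected = []
    for pv in pvs.get("items", []):
        csi = pv.get("spec", {}).get("csi") or {}
        attrs = csi.get("volumeAttributes") or {}
        if attrs.get("clientID") and csi.get("driver") not in ok:
            affected.append(pv["metadata"]["name"])
    return affected


# Constructed sample input, shaped like `kubectl get csidriver -o json` and
# `kubectl get pv -o json`, using the object names that appear in the thread.
BROKEN = json.loads("""{"items": [
  {"metadata": {"name": "blob.csi.azure.com"}, "spec": {"podInfoOnMount": true}},
  {"metadata": {"name": "disk.csi.azure.com"}, "spec": {}}]}""")
FIXED = json.loads("""{"items": [
  {"metadata": {"name": "blob.csi.azure.com"},
   "spec": {"tokenRequests": [{"audience": "api://AzureADTokenExchange"}]}}]}""")
PVS = json.loads("""{"items": [
  {"metadata": {"name": "pv-blob"},
   "spec": {"csi": {"driver": "blob.csi.azure.com", "volumeAttributes": {
     "clientID": "00000000-0000-0000-0000-000000000000",
     "containerName": "pvctest"}}}}]}""")

if __name__ == "__main__":
    print("before fix:", pvs_missing_token(BROKEN, PVS))
    print("after fix: ", pvs_missing_token(FIXED, PVS))
```

Against a live cluster, pass in the parsed output of `kubectl get csidriver -o json` and `kubectl get pv -o json` instead of the constructed samples.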