Issue with file permissions setting up Couchbase Backup using Operator

I am trying to set up Couchbase cluster backup using Operator on Google Cloud.

It seems like jobs created by the operator have issues with file permissions:

Found 2 pods, using pod/ds-couchbase-backup-full-27681645-shmjf
Traceback (most recent call last):
  File "/usr/local/bin/backup.py", line 1213, in <module>
    Backup(context).run()
  File "/usr/local/bin/backup.py", line 378, in run
    self._setup_logging()
  File "/usr/local/bin/backup.py", line 1123, in _setup_logging
    os.makedirs(self.context.log_path, exist_ok=True)
  File "/usr/lib/python3.8/os.py", line 223, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/data/scriptlogs'

I found in the documentation that it may be necessary to set a security context (CouchbaseCluster Resource | Couchbase Docs).

But for some reason the image the operator uses for backup (couchbase/operator-backup:1.3.0) has a different ID for the Couchbase user than the one used to run cluster nodes (couchbase/server:7.1.1) - 8453 instead of 1000.

Can you suggest how to fix this issue?

It seems that the issue with disk permissions was solved in image couchbase/operator-backup:1.3.1.

But there is another one - backup pods have the TLS secret mounted, but no CA certificate (which, according to this tutorial, is in another k8s secret: Configure TLS | Couchbase Docs) and therefore cbbackupmgr returns this error:

2022-08-19T10:21:39.425+00:00 (Cmd) Error backing up cluster: open /var/run/secrets/couchbase.com/tls-mount/ca.crt: no such file or directory

Any ideas how to solve this?

UPD: the newer image wasn’t the solution. While looking for backup logs and creating a job manually as described in Configure Automated Backup and Restore | Couchbase Docs, I managed to run the backup by adding a security context:

...
      securityContext:
        fsGroup: 8453

After this the backup job itself can also run successfully even though it doesn’t have a security context configured.

In case anyone has the same issue - manually adding ca.crt to the couchbase-server-tls secret helped to solve this problem.

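Added example (not part of the original posts, and not Couchbase's code): a pre-flight check for the two fixes the thread arrives at, the pod-level fsGroup and the ca.crt entry in the TLS secret, run over constructed manifests. The function names and sample manifests are assumptions; only the fsGroup value 8453, the couchbase-server-tls secret name and the ca.crt key come from the thread.

```python
import base64

# From the thread: the fsGroup that worked, and the file cbbackupmgr could not open.
BACKUP_FSGROUP = 8453
CA_KEY = "ca.crt"

def check_pod_fsgroup(pod_spec, expected=BACKUP_FSGROUP):
    """Return a finding if the pod-level securityContext lacks the expected fsGroup."""
    fs_group = (pod_spec.get("securityContext") or {}).get("fsGroup")
    if fs_group is None:
        return f"securityContext.fsGroup is not set (expected {expected})"
    if fs_group != expected:
        return f"securityContext.fsGroup is {fs_group}, expected {expected}"
    return None

def check_tls_secret(secret, key=CA_KEY):
    """Return a finding if the Secret has no PEM certificate stored under `key`."""
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    encoded = (secret.get("data") or {}).get(key)
    if not encoded:
        return f"secret {name} has no {key} entry"
    try:
        pem = base64.b64decode(encoded, validate=True).decode("ascii")
    except ValueError:  # covers bad base64 and non-ASCII content
        return f"{key} in secret {name} is not base64-encoded text"
    if "-----BEGIN CERTIFICATE-----" not in pem:
        return f"{key} in secret {name} is not a PEM certificate"
    return None

def preflight(pod_spec, secret):
    """Run both checks; an empty list means both fixes from the thread are in place."""
    return [f for f in (check_pod_fsgroup(pod_spec), check_tls_secret(secret)) if f]

# Constructed sample manifests, trimmed to the fields the checks read.
_b64 = lambda s: base64.b64encode(s.encode()).decode()
_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
BROKEN_POD = {"containers": [{"image": "couchbase/operator-backup:1.3.1"}]}
FIXED_POD = {**BROKEN_POD, "securityContext": {"fsGroup": 8453}}
BROKEN_SECRET = {"metadata": {"name": "couchbase-server-tls"},
                 "data": {"server.crt": _b64(_PEM)}}  # key name is constructed
FIXED_SECRET = {"metadata": {"name": "couchbase-server-tls"},
                "data": {**BROKEN_SECRET["data"], "ca.crt": _b64(_PEM)}}

if __name__ == "__main__":
    for label, pod, sec in (("before", BROKEN_POD, BROKEN_SECRET),
                            ("after", FIXED_POD, FIXED_SECRET)):
        print(label, preflight(pod, sec) or "ok")
```

To run it against a live cluster, feed it the `spec` of the backup pod and the secret object as returned by `kubectl get ... -o json`.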