
RKE2 etcd Restore Fails with "Permission Denied" Error Due to umask Value

This document (000021955) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Rancher 2.x

RKE2 imported cluster

Situation

When attempting to restore etcd on an imported RKE2 cluster as the root user with the command "rke2 server --cluster-reset --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>", the operation fails with the following error message from the etcd container:

failed to verify flags", "error":"open /var/lib/rancher/rke2/server/db/etcd/config: permission denied"

Resolution

Change the operating system's umask value to 0022 before performing the etcd restore. A umask of 0022 sets the default permissions to rwxr-xr-x, which grants read and execute permissions to the group and others, while maintaining write permissions for the owner.

Stop the RKE2 service

systemctl stop rke2-server

Change the umask value temporarily

umask 0022

Execute the restore command

rke2 server --cluster-reset --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>

Start the RKE2 service

systemctl start rke2-server

Cause

A more restrictive umask of 0027 sets the default permissions to rwxr-x---, which means files and directories are not writable by the group or others. etcd requires that access to be able to read and write its config and data.

During the etcd restore process, RKE2 attempts to access or create files within the /var/lib/rancher/rke2/server/db/etcd/ directory. The restrictive umask of 0027 prevents the necessary read/write access for the process, resulting in the "permission denied" error.
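The following preflight check is an added example, not part of the original article or of RKE2. It shows the modes that new files and directories receive under the two umask values discussed in the Resolution and Cause sections, and refuses to proceed when the current shell's umask is more restrictive than 0022. The function names are hypothetical, and treating any umask no stricter than 0022 as acceptable is an assumption.

```sh
#!/bin/sh
# Added example (not from the SUSE article). Helper names are hypothetical.

# Succeeds when the given octal umask clears no permission bit that
# 0022 leaves set, i.e. it is no more restrictive than the article's value.
umask_ok() {
    case $1 in ''|*[!0-7]*) return 2 ;; esac   # reject non-octal input
    mask=$(( 0$1 ))                            # leading 0 => parsed as octal
    [ $(( mask & ~022 & 0777 )) -eq 0 ]
}

# Prints the modes a new directory and file receive under the given umask.
# Runs in a subshell so the caller's umask is left unchanged.
modes_under() {
    (
        umask "$1" || exit 1
        t=$(mktemp -d) || exit 1
        mkdir "$t/d" && : > "$t/f"
        printf 'dir=%s file=%s\n' \
            "$(ls -ld "$t/d" | cut -c2-10)" "$(ls -l "$t/f" | cut -c2-10)"
        rm -rf "$t"
    )
}

# Preflight for the shell that will run the restore command.
restore_preflight() {
    cur=$(umask)
    if umask_ok "$cur"; then
        echo "umask $cur: ok for restore"
    else
        echo "umask $cur is too restrictive ($(modes_under "$cur")); run: umask 0022" >&2
        return 1
    fi
}

# Compare the two values discussed in the article.
for m in 0022 0027; do
    echo "umask $m -> $(modes_under "$m")"
done
```

Call restore_preflight in the same root shell immediately before the restore command; a umask set with "umask 0022" applies only to that shell session and the processes it starts.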

Status

Top Issue

Additional Information

https://github.com/rancher/rke2/issues/4679#issuecomment-1692870875

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.