RKE2 etcd Restore Fails with "Permission Denied" Error Due to umask Value

Article Number: 000021955

Environment

SUSE Rancher 2.x
RKE2 imported cluster

Situation

When attempting to restore etcd on an imported RKE2 cluster as the root user with the command "rke2 server --cluster-reset --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>", the operation fails with the following error message from the etcd container:

failed to verify flags", "error":"open /var/lib/rancher/rke2/server/db/etcd/config: permission denied"

Cause

A more restrictive umask of 0027 sets the default permissions to rwxr-x---, which means newly created files and directories are not writable by the group and not accessible to others. etcd requires that access to read and write its config and data.

During the etcd restore process, RKE2 attempts to access or create files within the /var/lib/rancher/rke2/server/db/etcd/ directory. The restrictive umask of 0027 prevents the necessary read/write access for the process, resulting in the "permission denied" error.

Resolution

Change the operating system's umask value to 0022 before performing the etcd restore. A umask of 0022 sets the default permissions to rwxr-xr-x, which grants read and execute permissions to the group and others, while maintaining write permissions for the owner.

Stop the RKE2 service

systemctl stop rke2-server

Change the umask value temporarily (the change applies only to the current shell session and the commands started from it)

umask 0022

Execute the restore command

rke2 server --cluster-reset --cluster-reset-restore-path=<PATH-TO-SNAPSHOT>

Start the RKE2 service

systemctl start rke2-server
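
The effect of the two umask values described above, together with a pre-restore check of the current shell, as an added example that is not part of the original article. The function names are hypothetical, GNU stat is assumed, and treating any umask no stricter than 0022 as acceptable is an assumption.

```shell
#!/bin/sh
# Added example (not from the article); function names are hypothetical.

# Print the octal mode a new directory or file receives under a given umask.
# Runs in a subshell so the caller's own umask is left unchanged.
mode_under_umask() {
    (
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = "dir" ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
        stat -c '%a' "$tmp/probe"   # GNU stat, as found on Linux hosts
        rm -rf "$tmp"
    )
}

# Return 0 if the given umask (default: this shell's) masks no permission
# bits beyond those masked by 0022. Assumption: anything no stricter than
# 0022 is acceptable for the restore.
umask_allows_restore() {
    current=${1:-$(umask)}
    # Leading 0 forces octal; keep only bits masked in addition to 022.
    extra=$(( 0$current & ~022 & 0777 ))
    [ "$extra" -eq 0 ]
}

# Show what each umask from the article produces for new paths.
for m in 0027 0022; do
    printf 'umask %s -> dir %s, file %s\n' "$m" \
        "$(mode_under_umask "$m" dir)" "$(mode_under_umask "$m" file)"
done

# Pre-flight check for the shell that will run the restore.
if umask_allows_restore; then
    echo "current umask $(umask): OK for restore"
else
    echo "current umask $(umask) is stricter than 0022; run 'umask 0022' first"
fi
```

Because umask is per-process and inherited by child processes, run the check in the same root shell that will run the rke2 restore command.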