Troubleshooting Db2 filesystem pods

When deploying Guardium® Insights on IBM Cloud, you may notice issues with the Db2 pods on the filesystem.

Symptoms

The uid and gid are randomly assigned a value of 99:

Causes

The uid and gid are not properly mapped.

Resolving the problem

To resolve this, a norootsquash daemonset must be created in the kube-system namespace before Guardium Insights deployment. This daemonset is used for ID mapping on IBM Cloud storage. For more information, see https://cloud.ibm.com/docs/FileStorage?topic=FileStorage-mountingLinux&interface=ui#norootsquash.

  1. Set up your environment for the daemonset by issuing these commands:
    export CP_REPO_USER=<Your Username to cp.icr.io>
    export CP_REPO_PASS=<Your Password / Entitlement Key to cp.icr.io>

    where

  2. Create the secret for pulling the norootsquash daemonset image from the cp.icr.io registry:
    oc create secret docker-registry cpregistrysecret --docker-server=cp.icr.io/cp/cpd --docker-username="${CP_REPO_USER}" --docker-password="${CP_REPO_PASS}" -n kube-system
  3. Create the daemonset in the kube-system namespace:
    oc create -f - << EOF
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: norootsquash
      namespace: kube-system
      labels:
        tier: management
        app: norootsquash
    spec:
      selector:
        matchLabels:
          name: norootsquash
      template:
        metadata:
          labels:
            name: norootsquash
        spec:
          hostNetwork: true
          hostPID: true
          hostIPC: true
          containers:
            - resources:
                requests:
                  cpu: 0.01
              name: systemdutil01
              image: cp.icr.io/cp/cpd/norootsquash:3.0-amd64
              imagePullPolicy: Always
              args: ["-option", "restart", "-service", "nfs-idmapd.service"]
              volumeMounts:
              - mountPath: /host/etc
                name: host-etc
              - mountPath: /host/var/log
                name: host-log
                readOnly: true
              - mountPath: /run/systemd
                name: host-systemd
              - mountPath: /host/sys
                name: host-sys
          imagePullSecrets:
          - name: cpregistrysecret
          tolerations:
          - operator: Exists
          volumes:
          - name: host-etc
            hostPath:
              path: /etc
          - name: host-log
            hostPath:
              path: /var/log
          - name: host-systemd
            hostPath:
              path: /run/systemd
          - name: host-sys
            hostPath:
              path: /sys
    EOF
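
The daemonset in step 3 shares the host network, PID and IPC namespaces and mounts /etc, /run/systemd and /sys from the node read-write, so any later change to it deserves attention. The following added example (not IBM's code) compares a daemonset exported with `oc get daemonset norootsquash -n kube-system -o json` against the manifest on this page and reports drift; the `audit` function, the baseline constants and the sample input are constructed for illustration.

```python
import json
import sys

# Baseline copied from the manifest on this page: image and host path -> read-only?
EXPECTED_IMAGE = "cp.icr.io/cp/cpd/norootsquash:3.0-amd64"
EXPECTED_MOUNTS = {"/etc": False, "/var/log": True, "/run/systemd": False, "/sys": False}
HOST_FLAGS = ("hostNetwork", "hostPID", "hostIPC")


def audit(ds):
    """Return (host_access, drift) for a DaemonSet object parsed from JSON."""
    pod = ds["spec"]["template"]["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    access = [flag for flag in HOST_FLAGS if pod.get(flag)]
    drift = []
    for c in pod.get("containers", []):
        if c.get("image") != EXPECTED_IMAGE:
            drift.append(f"{c['name']}: unexpected image {c.get('image')}")
        if (c.get("securityContext") or {}).get("privileged"):
            drift.append(f"{c['name']}: privileged is not in the baseline")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not backed by a hostPath volume
            read_only = bool(m.get("readOnly"))
            access.append(f"{path} ({'ro' if read_only else 'rw'})")
            if path not in EXPECTED_MOUNTS:
                drift.append(f"{c['name']}: extra host path {path}")
            elif EXPECTED_MOUNTS[path] and not read_only:
                drift.append(f"{c['name']}: {path} is writable, baseline is read-only")
    return access, drift


# Constructed sample: the page's pod spec with readOnly dropped from the /var/log mount.
VOLS = [("host-etc", "/etc", "/host/etc"), ("host-log", "/var/log", "/host/var/log"),
        ("host-systemd", "/run/systemd", "/run/systemd"), ("host-sys", "/sys", "/host/sys")]
SAMPLE = {"spec": {"template": {"spec": {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "containers": [{"name": "systemdutil01", "image": EXPECTED_IMAGE,
                    "volumeMounts": [{"name": n, "mountPath": m} for n, _, m in VOLS]}],
    "volumes": [{"name": n, "hostPath": {"path": p}} for n, p, _ in VOLS]}}}}

if __name__ == "__main__":
    # Optional argument: a file saved from the oc command named in the lead-in.
    ds = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    access, drift = audit(ds)
    print("host access:", ", ".join(access))
    print("\n".join(drift) or "no drift from the page's manifest")
    sys.exit(1 if drift else 0)
```

Run without arguments it audits the constructed sample and exits non-zero because the /var/log mount is writable; pass a saved JSON file to audit a real cluster object.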

If you now deploy Guardium Insights in a cluster with the norootsquash daemonset, it will have a proper uid and gid, similar to this: