Persistent Storage Using Azure File

Overview

OKD supports Microsoft Azure File volumes. You can provision your OKD cluster with persistent storage using Azure. Some familiarity with Kubernetes and Azure is assumed.

High availability of storage in the infrastructure is left to the underlying storage provider.

Before you begin

  1. Install samba-client, samba-common, and cifs-utils on all nodes:

    1. $ sudo yum install samba-client samba-common cifs-utils

  2. Enable SELinux booleans on all nodes:

    1. $ /usr/sbin/setsebool -P virt_use_samba on
    2. $ /usr/sbin/setsebool -P virt_sandbox_use_samba on

  3. Run the mount command to check dir_mode and file_mode permissions, for example:

    1. $ mount

If the dir_mode and file_mode permissions are set to 0755, change the default value 0755 to 0777 or 0775. This manual step is required because the default dir_mode and file_mode permissions changed from 0777 to 0755 in OKD 3.9. The following examples show configuration files with the changed values.

Considerations when using Azure File

The following file system features are not supported by Azure File:

  • Symlinks

  • Hard links

  • Extended attributes

  • Sparse files

  • Named pipes

Additionally, the owner user identifier (UID) of the Azure File mounted directory is different from the process UID of the container.

You might experience instability in your environment if you use any container images that use unsupported file system features. Containers for PostgreSQL and MySQL are known to have issues when used with Azure File.

Workaround for using MySQL with Azure File

If you use MySQL containers, you must modify the PV configuration as a workaround to a file ownership mismatch between the mounted directory UID and the container process UID. Make the following changes to your PV configuration file:

  1. Specify the Azure File mounted directory UID in the runAsUser variable in the PV configuration file:

    1. spec:
    2.   containers:
    3.     ...
    4.   securityContext:
    5.     runAsUser: <mounted_dir_uid>

  2. Specify the container process UID under mountOptions in the PV configuration file:

    1. mountOptions:
    2.   - dir_mode=0700
    3.   - file_mode=0600
    4.   - uid=<container_process_uid>
    5.   - gid=0

Example configuration files

The following example configuration file displays a PV configuration using Azure File:

PV configuration file example

  1. apiVersion: "v1"
  2. kind: "PersistentVolume"
  3. metadata:
  4.   name: "azpv"
  5. spec:
  6.   capacity:
  7.     storage: "1Gi"
  8.   accessModes:
  9.     - "ReadWriteMany"
  10.   azureFile:
  11.     secretName: azure-secret
  12.     shareName: azftest
  13.     readOnly: false
  14.   mountOptions:
  15.     - dir_mode=0777
  16.     - file_mode=0777

The following example configuration file displays a storage class using Azure File:

Storage class configuration file example

  1. kind: StorageClass
  2. apiVersion: storage.k8s.io/v1
  3. metadata:
  4.   name: azurefile
  5. provisioner: kubernetes.io/azure-file
  6. mountOptions:
  7.   - dir_mode=0777
  8.   - file_mode=0777
  9. parameters:
  10.   storageAccount: ocp39str
  11.   location: centralus

Configuring Azure File for regional cloud

While Azure Disk is compatible with multiple regional clouds, Azure File supports only the Azure public cloud, because the endpoint is hard-coded.

Creating the Azure Storage Account secret

Define the Azure Storage Account name and key in a secret configuration, which is then converted to base64 for use by OKD.

  1. Obtain an Azure Storage Account name and key and encode to base64:

    1. apiVersion: v1
    2. kind: Secret
    3. metadata:
    4.   name: azure-secret
    5. type: Opaque
    6. data:
    7.   azurestorageaccountname: azhzdGVzdA==
    8.   azurestorageaccountkey: eElGMXpKYm5ub2pGTE1Ta0JwNTBteDAyckhzTUsyc2pVN21GdDRMMTNob0I3ZHJBYUo4akQ2K0E0NDNqSm9nVjd5MkZVT2hRQ1dQbU02WWFOSHk3cWc9PQ==

  2. Save the secret definition to a file, for example azure-secret.yaml, then create the secret:

    1. $ oc create -f azure-secret.yaml

  3. Verify that the secret was created:

    1. $ oc get secret azure-secret
    2. NAME          TYPE      DATA      AGE
    3. azure-secret   Opaque    1         23d

  4. Define the PV in an object definition before creating it in OKD:

    PV object definition using Azure File example

    1. apiVersion: "v1"
    2. kind: "PersistentVolume"
    3. metadata:
    4.   name: "pv0001" (1)
    5. spec:
    6.   capacity:
    7.     storage: "5Gi" (2)
    8.   accessModes:
    9.     - "ReadWriteMany"
    10.   azureFile: (3)
    11.     secretName: azure-secret (4)
    12.     shareName: example (5)
    13.     readOnly: false (6)
    1The name of the volume. This is how it is identified via PV claims or from pods.
    2The amount of storage allocated to this volume.
    3This defines the volume type being used: azureFile plug-in.
    4The name of the secret used.
    5The name of the file share.
    6Defaults to false (read/write). ReadOnly here forces the ReadOnly setting in VolumeMounts.

  5. Save your definition to a file, for example azure-file-pv.yaml, and create the PV:

    1. $ oc create -f azure-file-pv.yaml
    2. persistentvolume "pv0001" created

  6. Verify that the PV was created:

    1. $ oc get pv
    2. NAME      LABELS    CAPACITY   ACCESSMODES   STATUS      CLAIM     REASON    AGE
    3. pv0001    <none>    5Gi        RWM           Available                       2s

You can now request storage using PV claims, which can now use your new PV.

PV claims only exist in the user’s namespace and can only be referenced by a pod within that same namespace. Any attempt to access a PV from a different namespace causes the pod to fail.