无法在 Google Cloud Composer 上安装新的 pipy 包
Can't install new pipy packages on Google Cloud Composer
我们正在使用 Google 版本为 composer-1.8.0-airflow-1.10.3 的 Cloud Composer 在 GCP 上安排我们的管道。
最近,当我们需要向环境中添加一些新的 Python 包时(无论是使用 Terraform 还是 Cloud Console),我们不断收到一条奇怪的错误消息,但 Cloud Composer 仍在运行并且未安装新包.
Cloud Composer UI 上出现的错误消息:
Resource not found (resource=europe-west1-xxxxxxxxxxxxxxxxxxxx-composer-backend-sub-3fb66162-3xxxd-4f43-ba47-xxxxxx)., Http error status code: 400 Http error message: BAD REQUEST Additional errors: {"originalResponse":"{\"paths\":[\"/apis\",\"/apis/\",\"/apis/apiextensions.k8s.io\",\"/apis/apiextensions.k8s.io/v1beta1\",\"/healthz\",\"/healthz/etcd\",\"/healthz/log\",\"/healthz/ping\",\"/healthz/poststarthook/crd-informer-synced\",\"/healthz/poststarthook/generic-apiserver-start-informers\",\"/healthz/poststarthook/start-apiextensions-controllers\",\"/healthz/poststarthook/start-apiextensions-informers\",\"/metrics\",\"/openapi/v2\",\"/version\"]}","reason":"The descriptor url 'https://35.187.59.32/swaggerapi/apis/batch/v1' for type provider 'europe-west1-xxxxxxxxxxxxxxxxxxxx-addons-job-typer' could not be fetched."} , Http error status code: 400 Http error message: BAD REQUEST Additional errors: {"ResourceType":"gcp-types/storage-v1:storage.objects.list","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"xxxxxxxx@cloudservices.gserviceaccount.com does not have storage.objects.list access to composer-unlistable.","reason":"forbidden"}],"message":"xxxxxxxx@cloudservices.gserviceaccount.com does not have storage.objects.list access to composer-unlistable.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/composer-unlistable/o","httpMethod":"GET","suggestion":"Consider granting permissions to xxxxxxxx@cloudservices.gserviceaccount.com"}}
查看 Stackdriver 日志记录 时,我们可以找到与该环境更新相关的错误消息:
status: {
code: 9
message: "FAILED_PRECONDITION"
}
知道导致此行为的原因以及解决方法吗?
编辑:
请注意,xxxxxxxx@cloudservices.gserviceaccount.com 是 Google 用于内部通信的服务帐户,无法在 IAM 页面上管理(请参阅 Service Account Documentation)。
此外,我们注意到有时添加新包可以正常工作。但是下次我们尝试添加另一个包时,它会失败并显示与上述相同的错误消息。
看起来服务 xxxxxxxx@cloudservices.gserviceaccount.com 帐户没有正确的权限。在 IAM 部分中,将 'Storage Object Viewer' 角色添加到此服务帐户。
通过手动将 Composer 环境 (composer-1.8.2-airflow-1.10.3) 的 GKE 集群升级到 1.14.8-gke.12,我能够重现此错误:
如documentation, Composer environments not using private IP should not upgrade GKE to 1.14+. These versions have deprecated Swagger in favor of OpenAPI所述。未来的 Cloud Composer 版本将创建使用 OpenAPI 的集群,并将支持将现有环境升级到 GKE 1.14 版及更高版本。
目前,OpenAPI 仅用于私有 IP 环境,因此不存在任何问题。
很遗憾,无法降级您的 GKE 集群,因此唯一的解决方案是删除并重新创建您的环境。
我们正在使用 Google 版本为 composer-1.8.0-airflow-1.10.3 的 Cloud Composer 在 GCP 上安排我们的管道。
最近,当我们需要向环境中添加一些新的 Python 包时(无论是使用 Terraform 还是 Cloud Console),我们不断收到一条奇怪的错误消息,但 Cloud Composer 仍在运行并且未安装新包.
Cloud Composer UI 上出现的错误消息:
Resource not found (resource=europe-west1-xxxxxxxxxxxxxxxxxxxx-composer-backend-sub-3fb66162-3xxxd-4f43-ba47-xxxxxx)., Http error status code: 400 Http error message: BAD REQUEST Additional errors: {"originalResponse":"{\"paths\":[\"/apis\",\"/apis/\",\"/apis/apiextensions.k8s.io\",\"/apis/apiextensions.k8s.io/v1beta1\",\"/healthz\",\"/healthz/etcd\",\"/healthz/log\",\"/healthz/ping\",\"/healthz/poststarthook/crd-informer-synced\",\"/healthz/poststarthook/generic-apiserver-start-informers\",\"/healthz/poststarthook/start-apiextensions-controllers\",\"/healthz/poststarthook/start-apiextensions-informers\",\"/metrics\",\"/openapi/v2\",\"/version\"]}","reason":"The descriptor url 'https://35.187.59.32/swaggerapi/apis/batch/v1' for type provider 'europe-west1-xxxxxxxxxxxxxxxxxxxx-addons-job-typer' could not be fetched."} , Http error status code: 400 Http error message: BAD REQUEST Additional errors: {"ResourceType":"gcp-types/storage-v1:storage.objects.list","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"xxxxxxxx@cloudservices.gserviceaccount.com does not have storage.objects.list access to composer-unlistable.","reason":"forbidden"}],"message":"xxxxxxxx@cloudservices.gserviceaccount.com does not have storage.objects.list access to composer-unlistable.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/composer-unlistable/o","httpMethod":"GET","suggestion":"Consider granting permissions to xxxxxxxx@cloudservices.gserviceaccount.com"}}
查看 Stackdriver 日志记录 时,我们可以找到与该环境更新相关的错误消息:
status: { code: 9
message: "FAILED_PRECONDITION"
}
知道导致此行为的原因以及解决方法吗?
编辑:
请注意,xxxxxxxx@cloudservices.gserviceaccount.com 是 Google 用于内部通信的服务帐户,无法在 IAM 页面上管理(请参阅 Service Account Documentation)。
此外,我们注意到有时添加新包可以正常工作。但是下次我们尝试添加另一个包时,它会失败并显示与上述相同的错误消息。
看起来服务 xxxxxxxx@cloudservices.gserviceaccount.com 帐户没有正确的权限。在 IAM 部分中,将 'Storage Object Viewer' 角色添加到此服务帐户。
通过手动将 Composer 环境 (composer-1.8.2-airflow-1.10.3) 的 GKE 集群升级到 1.14.8-gke.12,我能够重现此错误:
如documentation, Composer environments not using private IP should not upgrade GKE to 1.14+. These versions have deprecated Swagger in favor of OpenAPI所述。未来的 Cloud Composer 版本将创建使用 OpenAPI 的集群,并将支持将现有环境升级到 GKE 1.14 版及更高版本。
目前,OpenAPI 仅用于私有 IP 环境,因此不存在任何问题。
很遗憾,无法降级您的 GKE 集群,因此唯一的解决方案是删除并重新创建您的环境。