Nifi ListS3 issue
Hi Apache Nifi team,

I have a ListS3 processor that works perfectly well on DEV and QA Nifi cluster but fails in UAT with error: "A HostProvider may not be empty". The processor configuration is identical between environments. Interesting point is that it does PutS3 correctly in UAT, but fails to ListS3. The ListS3 was configured to run on primary node only.

Do you have any suggestions what could be the cause for this error?

Thank you

Natalia Fill
Analyst Software Developer
Legal and General Investment Management, One Coleman Street, London, EC2R 5AA
natalia.f...@lgim.com

This e-mail (and any attachments) may contain privileged and/or confidential information which may be protected by copyright or other intellectual property rights. If you are not the intended recipient please do not disclose, copy, distribute, disseminate or take any action in reliance on it. If you have received this e-mail in error please reply to the sender and then immediately delete it (including, any attachments). Should you wish to communicate with us by e-mail we cannot guarantee the security of any data outside our own computer systems or that any e-mail will be virus free. Any information contained in this e-mail may be subject to applicable terms and conditions and must not be construed as giving investment advice within or outside the United Kingdom or the Republic of Ireland. Telephone conversations and calls via other telecommunication facilities may be recorded, including to comply with our legal and/or regulatory requirements and/or to monitor the quality of our service. For information about how we use your personal data, including your legal rights, please refer to our privacy policy at: www.legalandgeneral.com/institutional/privacy-policy/.
Legal & General Investment Management Limited (Company number 02091894), LGIM Real Assets (Operator) Limited (Company number 05522016), LGIM International Limited (Company number 07716001), Legal & General (Unit Trust Managers) Limited (Company number 01009418), GO ETF Solutions LLP (Company number OC329482) and LGIM Corporate Director Limited (Company number 07105051) are each authorised and regulated by the Financial Conduct Authority. All are registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA. Legal and General Assurance (Pensions Management) Limited (Company number 01006112) is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA. Legal & General Property Limited (Registration number 02091897) is authorised and regulated by the Financial Conduct Authority for insurance mediation activities. It is registered in England & Wales with a registered office at One Coleman Street, London, EC2R 5AA. LGIM Managers (Europe) Limited is authorised and regulated by the Central Bank of Ireland (Reference No C173733). It is registered in the Republic of Ireland (Number 609677) with its principal business address at 33/34 Sir John Rogerson's Quay, Dublin 2, D02 XK09. The ultimate parent company is Legal & General Group PLC (Company number 01417162) which is registered in England & Wales and has a registered office at One Coleman Street, London, EC2R 5AA. This email has come from the internet and has been scanned for all viruses and potentially offensive content by Messagelabs on behalf of Legal & General
RE: [EXTERNAL] Re: Nifi putting object to S3 directory
Hi Nifi Team,

Following from tests below I need to retrieve files from specific directories on S3. The files are placed into dir/subdir/. I tried various expressions to specify 'filename' variable that feeds to FetchS3Object and still get error that the key doesn't exist. I am not sure if FetchS3Object doesn't like my directories pattern or the file name. If I don't specify any pattern and just fetch what was listed, it works fine.

The flow goes as follows: ListS3 (lists all the files as expected) - UpdateAttribute (updates filename with the pattern to use) - FetchS3Object - LogAttribute on success and on failure.

Some of my tries for filename pattern below:

*( dir/subdir/test_put_\d*_\d*\.txt).*
*( test_put_\d*_\d*\.txt).*
dir/subdir /test_put_\d*_\d*\.txt
dir/subdir /test_put_${now():format('-MM-dd')}_*
/dir/subdir /test_put_${now():format('-MM-dd')}_*

List of files on s3 server is like below:

2022-05-16 13:36:03 14 test_put_20220516_013601.txt
2022-05-16 13:36:04 14 test_put_20220516_013602.txt

Can anyone suggest how do I retrieve files in dir/subdir that start with a particular string (e.g. test_put_) contain today's date and end with sequence of numbers.

Thanks
Natalia

-----Original Message-----
From: Fill, Natalia
Sent: 16 May 2022 13:15
To: dev@nifi.apache.org
Subject: RE: [EXTERNAL] Re: Nifi putting object to S3 directory

Thanks Peter, removing leading slash worked and now Nifi puts file into specified subdirectory.

This is a simple test flow to test read/write to s3:
GenerateFlowFile - on success - UpdateAttribute (filename to meaningful name) - on success - PutS3Object - on success and on failure LogAttribute

Regards
Natalia

-----Original Message-----
From: Peter Turcsanyi
Sent: 16 May 2022 12:41
To: dev@nifi.apache.org
Subject: [EXTERNAL] Re: Nifi putting object to S3 directory

CAUTION: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.

Hi Natalia,

Is the FlowFile transferred to the success or the failure relationship from PutS3Object?

In general, you need to use dirtag/subdirtag /${filename}, so no leading slash. Leading slash results in a directory called '/' on S3.

Regards,
Peter Turcsanyi

On Mon, May 16, 2022 at 12:46 PM Fill, Natalia wrote:

> Hi Nifi Team,
>
> I am working on a solution to put file into S3 server. I used
> PutS3Object and managed to put some files into a bucket, but it failed
> to put files into specific directories on S3. No errors, but I don't
> see the files in the bucket. I used the following format for object key:
> /dirtag/subdirtag /${filename}. The tags do exist on S3.
>
> Does anyone have any suggestions how to put S3 object into specific
> directory and not just on top level in a bucket.
>
> Thanks
> Natalia
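
Added example, not part of the thread or of NiFi: a Python sketch of the two points discussed in the message above, namely why a key written with a leading slash shows up under a folder called '/', and how to pick keys under dir/subdir/ by name prefix, date and numeric suffix from a listing so that each fetch uses an exact key. The function names and the sample listing are constructed; the yyyyMMdd date layout is taken from the file names shown in the post.

```python
from __future__ import annotations

import re
from datetime import date


def folder_view(key: str, delimiter: str = "/") -> list[str]:
    """Split a flat object key the way a delimiter-based listing groups it.

    An empty segment (as produced by a leading slash) is shown as a folder
    named after the delimiter itself.
    """
    *folders, name = key.split(delimiter)
    return [folder or delimiter for folder in folders] + [name]


def key_pattern(prefix: str, stem: str, day: date) -> re.Pattern[str]:
    """Regex for <prefix><stem><yyyyMMdd>_<digits>.txt, meant for fullmatch()."""
    return re.compile(
        re.escape(prefix) + re.escape(stem) + day.strftime("%Y%m%d") + r"_\d+\.txt"
    )


def select_keys(listed: list[str], prefix: str, stem: str, day: date) -> list[str]:
    """Filter a listing; every returned value is an exact key that can be fetched."""
    pattern = key_pattern(prefix, stem, day)
    return [key for key in listed if pattern.fullmatch(key)]


def fetch_exact(store: dict[str, bytes], key: str) -> bytes:
    """Exact-key lookup: a pattern or a differently spelled key is simply absent."""
    if key not in store:
        raise KeyError(f"The specified key does not exist: {key!r}")
    return store[key]


# Constructed listing. The two 20220516 file names under dir/subdir/ are the
# ones shown in the post; the remaining keys are made up to exercise the filter.
LISTED = [
    "dir/subdir/test_put_20220516_013601.txt",
    "dir/subdir/test_put_20220516_013602.txt",
    "dir/subdir/test_put_20220515_235959.txt",   # previous day's file
    "dir/subdir/test_put_20220516_notes.txt",    # suffix is not numeric
    "dir/other/test_put_20220516_013603.txt",    # different "directory"
    "/dir/subdir/test_put_20220516_013604.txt",  # written with a leading slash
]
STORE = {key: b"constructed body" for key in LISTED}


if __name__ == "__main__":
    print(folder_view("/dirtag/subdirtag/a.txt"))
    for key in select_keys(LISTED, "dir/subdir/", "test_put_", date(2022, 5, 16)):
        print(key, len(fetch_exact(STORE, key)))
```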
RE: [EXTERNAL] Re: Nifi putting object to S3 directory
Thanks Peter, removing leading slash worked and now Nifi puts file into specified subdirectory.

This is a simple test flow to test read/write to s3:
GenerateFlowFile - on success - UpdateAttribute (filename to meaningful name) - on success - PutS3Object - on success and on failure LogAttribute

Regards
Natalia

-----Original Message-----
From: Peter Turcsanyi
Sent: 16 May 2022 12:41
To: dev@nifi.apache.org
Subject: [EXTERNAL] Re: Nifi putting object to S3 directory

Hi Natalia,

Is the FlowFile transferred to the success or the failure relationship from PutS3Object?

In general, you need to use dirtag/subdirtag /${filename}, so no leading slash. Leading slash results in a directory called '/' on S3.

Regards,
Peter Turcsanyi

On Mon, May 16, 2022 at 12:46 PM Fill, Natalia wrote:

> Hi Nifi Team,
>
> I am working on a solution to put file into S3 server. I used
> PutS3Object and managed to put some files into a bucket, but it failed
> to put files into specific directories on S3. No errors, but I don't
> see the files in the bucket. I used the following format for object key:
> /dirtag/subdirtag /${filename}. The tags do exist on S3.
>
> Does anyone have any suggestions how to put S3 object into specific
> directory and not just on top level in a bucket.
>
> Thanks
> Natalia
Nifi putting object to S3 directory
Hi Nifi Team,

I am working on a solution to put file into S3 server. I used PutS3Object and managed to put some files into a bucket, but it failed to put files into specific directories on S3. No errors, but I don't see the files in the bucket. I used the following format for object key: /dirtag/subdirtag /${filename}. The tags do exist on S3.

Does anyone have any suggestions how to put S3 object into specific directory and not just on top level in a bucket.

Thanks
Natalia
RE: Running Nifi on OpenShift
              value: ${NIFI_JAVA_XMX}
            - name: "NIFI_TIMEZONE"
              value: ${NIFI_TIMEZONE}
            image: ${DOCKER_PARENT_REGISTRY}/${DOCKER_TEAM_NAMESPACE}/platform-nifi:latest
            imagePullPolicy: Always
            name: ${APPLICATION_NAME}
            ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            resources:
              limits:
                cpu: ${CPU_LIMIT}
                memory: ${MEMORY_LIMIT}
              requests:
                cpu: ${CPU_REQUEST}
                memory: ${MEMORY_REQUEST}
            volumeMounts:
            - mountPath: "/opt/nifi/nifi-current/conf"
              name: nificonf-mount
          securityContext:
            supplementalGroups:
            - ${SUPPLEMENTAL_GROUP}
          serviceAccount: apache-nifi
          serviceAccountName: apache-nifi
          terminationGracePeriodSeconds: 30
          volumes:
          - name: nificonf-mount
            persistentVolumeClaim:
              claimName: nificonf-claim
      triggers: {}
  - apiVersion: v1
    kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: nificonf-claim
    spec:
      accessModes:
      - ReadWriteMany
      resources:
        requests:
          storage: 1Gi
      selector:
        matchLabels:
          function: ${NAMESPACE}-nificonf

Thanks

Natalia Fill
Analyst Software Developer

-----Original Message-----
From: Fill, Natalia
Sent: 13 February 2020 16:09
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,
First I tried modifying securityContext and the familiar error appeared. I remember trying to run as user 1000 a few days ago and had error similar to below. OpenShift has restrictions on this value.

Error creating: pods "nifi-4-" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [100047, 100047]]

So if Nifi has to run as user 1000 and OpenShift only allows range [100047, 100047] then the issue is not resolvable in the current image.
Let me know if you have other views on it.
RE: Running Nifi on OpenShift
Public

Thanks Jon,
I will pass your suggestions to our OpenShift administrator. Hopefully there are no internal rules that will restrict us implementing it.

Thank you

Natalia Fill
Analyst Software Developer

-----Original Message-----
From: Jon Logan [mailto:jmlo...@buffalo.edu]
Sent: 13 February 2020 16:50
To: dev@nifi.apache.org
Cc: Ali, Rizwan; Endre Kovacs
Subject: Re: Running Nifi on OpenShift

I think this describes what you would need to do.

https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html

On Thu, Feb 13, 2020 at 11:38 AM Jon Logan wrote:

> That's an OpenShift security feature so that your user IDs are more
> unique, and have less access between containers. I would suggest
> trying to alter your range of user IDs on your cluster if you don't
> want to modify the image.
>
> On Thu, Feb 13, 2020 at 11:09 AM Fill, Natalia
> wrote:
>
>> Public
>>
>> Hi Shawn,
>> First I tried modifying securityContext and the familiar error
>> appeared. I remember trying to run as user 1000 a few days ago and
>> had error similar to below. OpenShift has restrictions on this value.
>>
>> Error creating: pods "nifi-4-" is forbidden: unable to
>> validate against any security context constraint: [fsGroup: Invalid value:
>> []int64{1000}: 1000 is not an allowed group
>> spec.containers[0].securityContext.securityContext.runAsUser: Invalid
>> value: 1000: must be in the ranges: [100047, 100047]]
>>
>> So if Nifi has to run as user 1000 and OpenShift only allows range
>> [100047, 100047] then the issue is not resolvable in the
>> current image.
>> Let me know if you have other views on it.
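
Added example, not from the thread and not OpenShift's own code: a simplified Python model of the ID-range check behind the "must be in the ranges" error quoted in the message above, showing that a pod which pins IDs outside the project's range is refused while one that leaves them unset is admitted and given IDs from the range. The class and function names are hypothetical, the UID range is the one in the quoted error, and reusing it for groups is an assumption.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    lo: int
    hi: int

    def contains(self, value: int) -> bool:
        return self.lo <= value <= self.hi


@dataclass(frozen=True)
class SccModel:
    """Hypothetical stand-in for the ID rules of a range-based SCC."""
    uid_range: IdRange                 # runAsUser must fall in this range
    group_ranges: tuple[IdRange, ...]  # allowed fsGroup / supplementalGroups


def _containers(pod_spec: dict):
    """Yield (field path, container) for init and regular containers."""
    for kind in ("initContainers", "containers"):
        for i, container in enumerate(pod_spec.get(kind, [])):
            yield f"spec.{kind}[{i}]", container


def validate(pod_spec: dict, scc: SccModel) -> list[str]:
    """Return one message per requested ID the policy refuses (empty = admit).

    runAsGroup is not modelled here.
    """
    errors = []
    pod_sc = pod_spec.get("securityContext") or {}
    gids = [("fsGroup", pod_sc.get("fsGroup"))]
    gids += [("supplementalGroups", g) for g in pod_sc.get("supplementalGroups", [])]
    for field, gid in gids:
        if gid is not None and not any(r.contains(gid) for r in scc.group_ranges):
            errors.append(f"{field}: Invalid value: {gid}: not an allowed group")
    for path, container in _containers(pod_spec):
        c_sc = container.get("securityContext") or {}
        # A container-level runAsUser overrides the pod-level one.
        uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is not None and not scc.uid_range.contains(uid):
            errors.append(
                f"{path}.securityContext.runAsUser: Invalid value: {uid}: "
                f"must be in the ranges: [{scc.uid_range.lo}, {scc.uid_range.hi}]"
            )
    return errors


def admit(pod_spec: dict, scc: SccModel) -> dict:
    """Refuse out-of-range IDs; otherwise fill unset IDs with the range minimum."""
    errors = validate(pod_spec, scc)
    if errors:
        raise PermissionError("; ".join(errors))
    admitted = copy.deepcopy(pod_spec)
    pod_sc = admitted.setdefault("securityContext", {})
    pod_sc.setdefault("fsGroup", scc.group_ranges[0].lo)
    for _, container in _containers(admitted):
        c_sc = container.setdefault("securityContext", {})
        c_sc.setdefault("runAsUser", pod_sc.get("runAsUser", scc.uid_range.lo))
    return admitted


# Constructed policy: the UID range is the one quoted in the error message;
# applying the same range to groups is an assumption.
PROJECT_SCC = SccModel(IdRange(100047, 100047), (IdRange(100047, 100047),))

# Constructed pod that pins the IDs from the securityContext block in the thread.
PINNED_POD = {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000},
    "initContainers": [{"name": "init-nifi-conf"}],
    "containers": [{"name": "nifi"}],
}
# The same pod with no IDs requested.
UNPINNED_POD = {
    "initContainers": [{"name": "init-nifi-conf"}],
    "containers": [{"name": "nifi"}],
}

if __name__ == "__main__":
    for message in validate(PINNED_POD, PROJECT_SCC):
        print("rejected:", message)
    print("admitted:", admit(UNPINNED_POD, PROJECT_SCC))
```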
RE: Running Nifi on OpenShift
Public

Hi Shawn,
First I tried modifying securityContext and the familiar error appeared. I remember trying to run as user 1000 a few days ago and had error similar to below. OpenShift has restrictions on this value.

Error creating: pods "nifi-4-" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [100047, 100047]]

So if Nifi has to run as user 1000 and OpenShift only allows range [100047, 100047] then the issue is not resolvable in the current image.
Let me know if you have other views on it.

Thanks

Natalia Fill
Analyst Software Developer

-----Original Message-----
From: Fill, Natalia [mailto:natalia.f...@lgim.com]
Sent: 13 February 2020 14:32
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: RE: Running Nifi on OpenShift

Public

Hi Shawn,

Thank you for your message. I will add your suggested configs and try it out today. It certainly has new content not present in my yml so hopefully it will resolve the issue.

Thanks

Natalia Fill
Analyst Software Developer

-----Original Message-----
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 13 February 2020 14:26
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

Your attachment didn't make it through but here are a couple of things to note. First of all if you try and put the ./conf directory in a volume you'll have to run an init container to copy the initial contents to the volume. Kubernetes unlike Docker does not replicate from the container.

Here is how I did that and I'm generally available on Slack if you want quicker answers.

initContainers:
- name: init-nifi-conf
  image: apache/nifi:latest
  volumeMounts:
  - mountPath: "/opt/nifi/nifi-current/new-conf"
    name: nifi-conf-claim
  command:
  - sh
  - '-c'
  - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'

The other thing you'll want to include is this to set the user and group id to 1000 which is what the apache image container expects since you're not running as root.

securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000

Here is my complete yaml.

apiVersion: v1
kind: Service
metadata:
  name: nifi-service
  namespace: nifi
spec:
  clusterIP: None
  selector:
    app: nifi
  ports:
  - protocol: TCP
    port: 8080
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nifi-ingress
  namespace: nifi
spec:
  rules:
  - host: nifi.dev.example.com
    http:
      paths:
      - backend:
          serviceName: nifi-service
          servicePort: 8080
  tls:
  - hosts:
    - nifi.dev.example.com
    secretName: nifi-ssl-cert
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nifi-workload
  namespace: nifi
spec:
  replicas: 3
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  serviceName: nifi-service
  selector:
    matchLabels:
      app: nifi
  template:
    metadata:
      labels:
        app: nifi
    spec:
      nodeSelector:
        node-role.nifi: "true"
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      initContainers:
      - name: init-nifi-conf
        image: apache/nifi:latest
        volumeMounts:
        - mountPath: "/opt/nifi/nifi-current/new-conf"
          name: nifi-conf-claim
        command:
        - sh
        - '-c'
        - '\cp /opt/nifi/nifi-current/conf/* /opt/nifi/nifi-current/new-conf/'
      containers:
      - image: apache/nifi:latest
        imagePullPolicy: Always
        name: nifi
        ports:
        - containerPort: 8080
        - containerPort: 1
        volumeMounts:
        - mountPath: "/opt/nifi/nifi-current/conf"
          name: nifi-conf-claim
        - mountPath: "/opt/nifi/nifi-current/database_repository"
          name: nifi-db-claim
        - mountPath: "/opt/nifi/nifi-current/flowfile_repository"
          name: nifi-flow-claim
        - mountPath: "/opt/nifi/nifi-current/content_repository"
          name: nifi-content-claim
        - mountPath: "/opt/nifi/nifi-current/provenance_repository"
          name: nifi-prov-claim
        - mountPath: "/opt/nifi/nifi-current/state"
          name: nifi-state-claim
        - mountPath: "/opt/nifi/nifi-current/logs"
          name: nifi-logs-claim
        env:
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
RE: Running Nifi on OpenShift
  - metadata:
      name: nifi-conf-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-db-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-flow-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-content-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-prov-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-state-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: nifi-logs-claim
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi

On 2/13/20, 3:50 AM, "Fill, Natalia" wrote:

Public

Hi Shawn,

We have internal Jenkins deployment process, which eventually comes down to running yml configs on OpenShift. I attached two yml files. One version with storage mounted and one without.

The one with storage mounted expects nifi properties file, which I think should come from image. So there is something wrong about this set up. I would expect it to use default properties and don't know which ones to give it. See my point 4 in original email below.

The one without persistent storage mounted comes up with permission error: /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied. See original email for full story about this. I had few goes on trying to resolve it as per my original story below. I have read somewhere that the issue could be due to the fact that Nifi image tries to run as root but OpenShift doesn't allow it by default. Not sure if this is still true for the latest 1.11.1 version of docker image.

If you can suggest what is wrong with these yml files or maybe some settings need to change on OpenShift admin side it hopefully will help to resolve the issue.

Thank you

Natalia Fill
Analyst Software Developer

-----Original Message-----
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 12 February 2020 21:16
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

I recognize that running NiFi on Kubernetes isn't quite as easy as starting it in Docker but it's also not that hard if you've worked with Kubernetes a bit. More than likely the issue is in your Kubernetes Yaml that you used to deploy NiFi with. This is separate than nifi.properties and would have been the config file you used in the command "kubectl apply -f nifi.yaml" or are you trying to deploy with Helm?

Thanks
Shawn

On 2/12/20, 2:26 PM, "Fill, Natalia" wrote:

Public

Hi Endre,
I certainly agree with the bare metal option. The reason I have a specific request for OpenShift is the requirement to adhere to organisational architectural road map.
I cannot agree more that it is not a single person task. I was working on it for few days with OpenShift administrator (on CC list) helping me out. Your links certainly give an impression that this task is not for faint hearted.

Best regards,
Natalia

-----Original Message-----
From: Endre Kovacs [mailto:andrewsmit...@protonmail.com.INVALID]
Sent: 12 February 2020 19:43
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

Hi,

If to make NiFi work on K8S is a beast, then to make it work on Openshift, is a category-5 Kaiju [1][2].

This is definitely not a few days task for a single person.

Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre

[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)

‐‐‐ Original Message ‐‐‐
On Wednesday, February 12, 2020 8:14 PM, Fill, Natalia wrote:

> Public
>
> Hi,
> I am trying to run Nifi pod on OpenShift for several days now and unfortunately unsuccessfully.
>
> The error that I am getting persistently is replacing target file
> /opt/nifi/nifi-current/conf/nifi.pro
RE: Running Nifi on OpenShift
Public

Hi Shawn,

We have internal Jenkins deployment process, which eventually comes down to running yml configs on OpenShift. I attached two yml files. One version with storage mounted and one without.

The one with storage mounted expects nifi properties file, which I think should come from image. So there is something wrong about this set up. I would expect it to use default properties and don't know which ones to give it. See my point 4 in original email below.

The one without persistent storage mounted comes up with permission error:

    /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied

See original email for full story about this. I had a few goes on trying to resolve it as per my original story below.

I have read somewhere that the issue could be due to the fact that Nifi image tries to run as root but OpenShift doesn't allow it by default. Not sure if this is still true for the latest 1.11.1 version of docker image.

If you can suggest what is wrong with these yml files or maybe some settings need to change on OpenShift admin side it hopefully will help to resolve the issue.

Thank you
Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 12 February 2020 21:16
To: dev@nifi.apache.org; Endre Kovacs
Cc: Ali, Rizwan
Subject: Re: Running Nifi on OpenShift

I recognize that running NiFi on Kubernetes isn't quite as easy as starting it in Docker but it's also not that hard if you've worked with Kubernetes a bit. More than likely the issue is in your Kubernetes Yaml that you used to deploy NiFi with. This is separate than nifi.properties and would have been the config file you used in the command "kubectl apply -f nifi.yaml" or are you trying to deploy with Helm?

Thanks
Shawn
RE: Running Nifi on OpenShift
Public

Hi Endre,

I certainly agree with the bare metal option. The reason I have a specific request for OpenShift is the requirement to adhere to organisational architectural road map.

I cannot agree more that it is not a single person task. I was working on it for few days with OpenShift administrator (on CC list) helping me out. Your links certainly give an impression that this task is not for faint hearted.

Best regards,
Natalia

-Original Message-
From: Endre Kovacs [mailto:andrewsmit...@protonmail.com.INVALID]
Sent: 12 February 2020 19:43
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

Hi,

If to make NiFi work on K8S is a beast, then to make it work on Openshift, is a category-5 Kaiju [1][2].

This is definitely not a few days task for a single person. Why not run NiFi just in docker (docker-compose)? Or on bare metal?

Best regards,
Endre

[1] https://en.wikipedia.org/wiki/Kaiju
[2] https://en.wikipedia.org/wiki/Pacific_Rim_(film)
RE: Running Nifi on OpenShift
Public

Hi Shawn,

Thank you for your reply. Yes, I did have persistent volume, as per attached scripts. I removed all volume configs now because it caused another error:

    /opt/nifi/nifi-current/conf/nifi.properties: No such file or directory

I didn't think I need to supply nifi.properties file because I thought it should come from image by default. If I were to supply these properties, I wouldn't know what configs it needs there anyway.

We have spent few days trying to resolve this now so any help would be greatly appreciated. I also copied Rizwan to this discussion as he was helping me out from linux admin perspective.

Thanks
Natalia Fill
Analyst Software Developer

-Original Message-
From: Shawn Weeks [mailto:swe...@weeksconsulting.us]
Sent: 12 February 2020 19:32
To: dev@nifi.apache.org
Subject: Re: Running Nifi on OpenShift

That error is caused by incorrect permissions on the volume but I'm not sure why. Can you share your Kubernetes Yaml file, it will make it easier to track down the difference? Also what are you using for a persistence volume?

Thanks
Shawn
Running Nifi on OpenShift
Public

Hi,

I am trying to run Nifi pod on OpenShift for several days now and unfortunately unsuccessfully.

The error that I am getting persistently is:

    replacing target file /opt/nifi/nifi-current/conf/nifi.properties
    sed: couldn't open temporary file /opt/nifi/nifi-current/conf/sedXGg2lo: Permission denied

I have tried several things to resolve the issue. My images are downloaded from https://hub.docker.com/r/apache/nifi

1. First I run 1.10.0 image which resulted in error above

2. Upgraded to 1.11.1 image, the error still persists

3. Tried wrapping the above images in my own image with following modifications to docker file (used various paths to chmod opt/ opt/nifi), still the same error

    FROM xxxRegistry/apache-nifi:1.11.1
    USER root
    RUN chmod -R 777 /opt
    USER 1000

4. Mounted volume opt/nifi, but this resulted in nifi properties file not being found, so removed volume as it overwrites Nifi paths

5. Involved OpenShift administrators to create privileged account for nifi and altered my yml to use that account (SUPPLEMENTAL_GROUP is what all our pods run under and sn_nif was created specially to resolve this case)

    securityContext:
      supplementalGroups:
        - ${SUPPLEMENTAL_GROUP}
    serviceAccount: sn-nif
    serviceAccountName: sn-nif

6. Removed securityContext to ensure serviceAccount is used

Can someone please suggest how to resolve this issue. Otherwise I will have to give up on Nifi as I don't have any more time on this project to spend on Nifi config.

Thank you
Natalia

Natalia Fill
Analyst Software Developer
Legal and General Investment Management
One Coleman Street, London, EC2R 5AA
020 3124 3430
www.lgim.com
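Added example, not part of the thread and not NiFi project code: a small model of the POSIX permission check behind the "sed: couldn't open temporary file ... Permission denied" error, assuming OpenShift's default behaviour of running the container under an arbitrary UID with GID 0. The directory owners and modes, the UID 1000650000 and the group 5555 are constructed sample values, not read from the apache/nifi image or from the poster's cluster.

```python
"""Model of why `sed -i` on nifi.properties fails under an arbitrary UID."""
from dataclasses import dataclass

X, W = 1, 2  # search (execute) and write permission bits


@dataclass(frozen=True)
class Identity:
    uid: int
    gids: frozenset  # primary GID plus supplemental groups


@dataclass(frozen=True)
class Dir:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755


def class_bits(d, who):
    """POSIX consults exactly one class: owner, else group, else other."""
    if who.uid == d.uid:
        return (d.mode >> 6) & 7
    if d.gid in who.gids:
        return (d.mode >> 3) & 7
    return d.mode & 7


def sed_inplace_blocker(chain, who):
    """Return the first directory that stops `sed -i`, or None.

    sed -i writes a temp file next to the target and renames it, so it needs
    search (x) on every ancestor and write+search (wx) on the last directory.
    """
    if who.uid == 0:
        return None  # root; assumes CAP_DAC_OVERRIDE was not dropped
    for i, d in enumerate(chain):
        need = (W | X) if i == len(chain) - 1 else X
        if (class_bits(d, who) & need) != need:
            return d.path
    return None


# Constructed sample data: owner/group/mode values are assumptions.
CONF = "/opt/nifi/nifi-current/conf"
IMAGE_LAYOUT = [
    Dir("/opt", 0, 0, 0o755),
    Dir("/opt/nifi", 1000, 1000, 0o755),
    Dir("/opt/nifi/nifi-current", 1000, 1000, 0o755),
    Dir(CONF, 1000, 1000, 0o755),
]
# Same tree with conf group-owned by GID 0 and group bits equal to owner bits.
GROUP0_LAYOUT = IMAGE_LAYOUT[:3] + [Dir(CONF, 1000, 0, 0o775)]

IMAGE_USER = Identity(1000, frozenset({1000}))
ARBITRARY_UID = Identity(1000650000, frozenset({0}))            # constructed UID
WITH_SUPPLEMENTAL = Identity(1000650000, frozenset({0, 5555}))  # constructed GID

if __name__ == "__main__":
    for name, who in [("image user", IMAGE_USER),
                      ("arbitrary uid", ARBITRARY_UID),
                      ("plus supplemental group", WITH_SUPPLEMENTAL)]:
        print(name, "->", sed_inplace_blocker(IMAGE_LAYOUT, who))
    print("group-0 layout ->", sed_inplace_blocker(GROUP0_LAYOUT, ARBITRARY_UID))
```

Under these assumptions the conf directory itself is what blocks the edit, and a supplemental group changes nothing unless the directory is owned by a group the process holds and is group-writable.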