Fix for "Permission Denied" Error When Starting etcd in Embedded Cluster

If you’re encountering the following error during your Embedded Cluster installation:

Failed to start: fork/exec <data-dir>/k0s/bin/etcd: permission denied
component=etcd

You’re not alone—this is a known issue that typically arises in environments with a restrictive umask, resulting in improper directory permissions and preventing the etcd binary from executing.

:magnifying_glass_tilted_left: Root Cause

The etcd component cannot start because one or more directories in the <data-dir> path are missing global execute (x) permissions. This usually happens when the system umask is set to a restrictive value (i.e., not the default 0022).

Note: <data-dir> defaults to /var/lib/embedded-cluster/ unless overridden using the --data-dir flag during installation.

:white_check_mark: How to Fix

  1. Reset the Installation

    sudo ./<installer> reset --force
    

    This will reset the environment and reboot the server.

  2. Correct Directory Permissions
    Manually ensure that each directory in the <data-dir> path has the global execute permission:

    Example (if <data-dir> is /var/lib/embedded-cluster/):

    sudo chmod +x /var
    sudo chmod +x /var/lib
    sudo chmod +x /var/lib/embedded-cluster/
    

    Example (if using a custom path like /opt/my-cluster-data):

    sudo chmod +x /opt
    sudo chmod +x /opt/my-cluster-data
    

    :warning: Do not use chmod +x -R / — this applies execute permission recursively and can compromise system security. Only apply +x to the necessary directories in the <data-dir> path.

  3. Reinstall with Correct umask

    umask 0022
    ./<installer> install --license license.yaml [--data-dir <data-dir>]
    
  4. Still Seeing Errors?
    If the issue persists and the cause isn’t clear, please generate a new support bundle and share it with the support team.


:tada: Fixed in EC v2.1.3

This issue is resolved in Embedded Cluster v2.1.3, which includes:

  • A fix to ensure directory permissions do not block etcd startup.
  • A preflight check that validates directory permissions in the <data-dir> path before installation begins.

We recommend upgrading to v2.1.3 if you’re running an earlier version.


Let us know if you have any questions or need help troubleshooting!