Docker 无法在kubernetes的citadel容器中获取炮弹

我有Istio（包括citadel）在minikube运行，使用的说明是

当我试图将炮弹放入citadel容器时，我得到一个错误：

$ kubectl exec -it istio-citadel-6d7f9c545b-bkvnx  -- /bin/bash
OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "exec: \"/bin/bash\": stat /bin/bash: no such file or directory": unknown
command terminated with exit code 126

但是，我可以执行到其他容器中，如pilot fine

这些是我的吊舱和容器，如果有帮助的话

shell-demo:                             nginx,
istio-citadel-6d7f9c545b-bkvnx:         docker.io/istio/citadel:1.0.3,
istio-cleanup-secrets-rp4wv:            quay.io/coreos/hyperkube:v1.7.6_coreos.0,
istio-egressgateway-866885bb49-6jz9q:   docker.io/istio/proxyv2:1.0.3,
istio-galley-6d74549bb9-7nhcl:          docker.io/istio/galley:1.0.3,
istio-ingressgateway-6c6ffb7dc8-bvp6b:  docker.io/istio/proxyv2:1.0.3,
istio-pilot-685fc95d96-fphc9:           docker.io/istio/pilot:1.0.3, docker.io/istio/proxyv2:1.0.3,
istio-policy-688f99c9c4-bpl9w:          docker.io/istio/mixer:1.0.3, docker.io/istio/proxyv2:1.0.3,
istio-security-post-install-s6dft:      quay.io/coreos/hyperkube:v1.7.6_coreos.0,
istio-sidecar-injector-74855c54b9-6v5xg:docker.io/istio/sidecar_injector:1.0.3,
istio-telemetry-69b794ff59-f7dv4:       docker.io/istio/mixer:1.0.3, docker.io/istio/proxyv2:1.0.3,
prometheus-f556886b8-lhdt8:             docker.io/prom/prometheus:v2.3.1,
coredns-c4cffd6dc-6xblf:                k8s.gcr.io/coredns:1.2.2,
etcd-minikube:                          k8s.gcr.io/etcd-amd64:3.1.12,
kube-addon-manager-minikube:            k8s.gcr.io/kube-addon-manager:v8.6,
kube-apiserver-minikube:                k8s.gcr.io/kube-apiserver-amd64:v1.10.0,
kube-controller-manager-minikube:       k8s.gcr.io/kube-controller-manager-amd64:v1.10.0,
kube-dns-86f4d74b45-bjk54:              k8s.gcr.io/k8s-dns-kube-dns-amd64:1.14.8, k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.8, k8s.gcr.io/k8s-dns-sidecar-amd64:1.14.8,
kube-proxy-mqfb9:                       k8s.gcr.io/kube-proxy-amd64:v1.10.0,
kube-scheduler-minikube:                k8s.gcr.io/kube-scheduler-amd64:v1.10.0,
kubernetes-dashboard-6f4cfc5d87-zwk2c:  k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0,
storage-provisioner:                    gcr.io/k8s-minikube/storage-provisioner:v1.8.1,

当我执行minikube ssh，然后尝试执行citadel容器时，我会遇到类似的错误：

$ docker ps | grep citadel
f173453f843c        istio/citadel                              "/usr/local/bin/isti…"   3 hours ago         Up 3 hours                              k8s_citadel_istio-citadel-6d7f9c545b-bkvnx_istio-system_3d7b4f08-e120-11e8-bc40-ee7dbbb8f91b_0
7e96617d81ff        k8s.gcr.io/pause-amd64:3.1                 "/pause"                 3 hours ago         Up 3 hours                              k8s_POD_istio-citadel-6d7f9c545b-bkvnx_istio-system_3d7b4f08-e120-11e8-bc40-ee7dbbb8f91b_0

$ docker exec -it f173453f843c sh
OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "exec: \"sh\": executable file not found in $PATH": unknown

$ docker exec -it f173453f843c /bin/sh
OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "exec: \"/bin/sh\": stat /bin/sh: no such file or directory": unknown

$ docker exec -it f173453f843c ls
OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "exec: \"ls\": executable file not found in $PATH": unknown

我可以很好地看到城堡。日志可在

你知道为什么我们不能进入城堡集装箱吗

---

谢谢阅读。

您无法插入，因为容器中既没有

sh

也没有

bash

。很多时候，为了提高效率和获得最小的容器映像，会删除这些内容

如果您想将外壳放入容器中，我建议您在include

bash

或

sh

中构建自己的图像

您可以在这里看到，构建的映像只有静态二进制文件。为此，您需要更改基础图像。例如：

FROM alpine

而不是：

FROM scratch

希望能有帮助

shell-demo:                             nginx,
istio-citadel-6d7f9c545b-bkvnx:         docker.io/istio/citadel:1.0.3,
istio-cleanup-secrets-rp4wv:            quay.io/coreos/hyperkube:v1.7.6_coreos.0,
istio-egressgateway-866885bb49-6jz9q:   docker.io/istio/proxyv2:1.0.3,
istio-galley-6d74549bb9-7nhcl:          docker.io/istio/galley:1.0.3,
istio-ingressgateway-6c6ffb7dc8-bvp6b:  docker.io/istio/proxyv2:1.0.3,
istio-pilot-685fc95d96-fphc9:           docker.io/istio/pilot:1.0.3, docker.io/istio/proxyv2:1.0.3,
istio-policy-688f99c9c4-bpl9w:          docker.io/istio/mixer:1.0.3, docker.io/istio/proxyv2:1.0.3,
istio-security-post-install-s6dft:      quay.io/coreos/hyperkube:v1.7.6_coreos.0,
istio-sidecar-injector-74855c54b9-6v5xg:docker.io/istio/sidecar_injector:1.0.3,
istio-telemetry-69b794ff59-f7dv4:       docker.io/istio/mixer:1.0.3, docker.io/istio/proxyv2:1.0.3,
prometheus-f556886b8-lhdt8:             docker.io/prom/prometheus:v2.3.1,
coredns-c4cffd6dc-6xblf:                k8s.gcr.io/coredns:1.2.2,
etcd-minikube:                          k8s.gcr.io/etcd-amd64:3.1.12,
kube-addon-manager-minikube:            k8s.gcr.io/kube-addon-manager:v8.6,
kube-apiserver-minikube:                k8s.gcr.io/kube-apiserver-amd64:v1.10.0,
kube-controller-manager-minikube:       k8s.gcr.io/kube-controller-manager-amd64:v1.10.0,
kube-dns-86f4d74b45-bjk54:              k8s.gcr.io/k8s-dns-kube-dns-amd64:1.14.8, k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.8, k8s.gcr.io/k8s-dns-sidecar-amd64:1.14.8,
kube-proxy-mqfb9:                       k8s.gcr.io/kube-proxy-amd64:v1.10.0,
kube-scheduler-minikube:                k8s.gcr.io/kube-scheduler-amd64:v1.10.0,
kubernetes-dashboard-6f4cfc5d87-zwk2c:  k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0,
storage-provisioner:                    gcr.io/k8s-minikube/storage-provisioner:v1.8.1,

你知道为什么我们不能进入城堡集装箱吗

从下一个Kubernetes版本（1.16+，2019年第3季度）开始，您可以

请参阅（PR=“pull request”）：“将临时容器添加到Kubernetes核心API”（）。
用以获取文档

这是为了解决：“支持对不可分发容器进行故障排除”

（这是一个解决办法）

临时容器是一种临时容器，可以添加到现有的吊舱中，以便 用户启动的活动，如调试。临时容器没有资源或调度保证，它们在退出或移除或重新启动pod时不会重新启动

---

回答得很好。当我运行$kubectl exec-it istio-citadel-6d7f9c545b-bkvnx--/usr/local/bin/istio_ca时，它实际运行。（2018-11-05T21:32:15.587814Z错误未指定签名证书。请通过“-signing cert”选项指定证书文件或使用“-self signed ca”。命令以退出代码255终止）