Kubernetes creates VolumeMounts as root:artifact despite a securityContext being provided


Problem: I am deploying Artifactory as a Deployment in Kubernetes. The VolumeMounts are being mounted as root:artifact with permissions drwxr-sr-x:

/var/opt/jfrog/artifactory
drwxr-sr-x    2 root     artifact      4096 Jan 24 17:52 etc
/var/opt/jfrog/artifactory/etc
-rw-r--r--    1 root     artifact      1048 Jan 24 17:48 artifactory.config.import.yml
-rw-r--r--    1 root     artifact     12703 Jan 24 17:48 artifactory.system.properties
Expected: the VolumeMount should be mounted as artifact:artifact with read/write permissions.

The Kubernetes manifest file is incomplete due to restrictions:

    spec:
      securityContext:
        runAsUser: 1030
        runAsGroup: 1030
        fsGroup: 1030

        volumeMounts:
        - name: artifactory-volume
          mountPath: "/var/opt/jfrog/artifactory"
        - name: bootstrap
          mountPath: "/var/opt/jfrog/artifactory/etc/artifactory.config.import.yml"
          subPath: bootstrap
        - name: artifactory-system-properties
          mountPath: "/var/opt/jfrog/artifactory/etc/artifactory.system.properties"
          subPath: artifactory.system.properties
        resources:
          limits:
            cpu: "3"
            memory: 6Gi
          requests:
            cpu: "2"
            memory: 4Gi


      volumes:
      - name: bootstrap
        secret:
          secretName: artifactory6170-artifactory
      - name: artifactory-system-properties
        configMap:
          name: artifactory6170-artifactory-system-properties
      - name: artifactory-volume
        persistentVolumeClaim:
          claimName: artifactory6170-artifactory
Kubernetes version:

Server Version: version.Info{
  Major: "1",
  Minor: "14",
  GitVersion: "v1.14.1",
  GitCommit: "b7394102d6ef778017f2ca4046abbaa23b88c290",
  GitTreeState: "clean",
  BuildDate: "2019-04-08T17:02:58Z",
  GoVersion: "go1.12.1",
  Compiler: "gc",
  Platform: "linux/amd64"
}
I think the securityContext includes what is needed:

        runAsUser: 1030
runs the processes as 1030

        runAsGroup: 1030
When runAsGroup is specified, any files created will also be owned by user 1030 and group 1030.

The owner of any volume attached will be group ID 1099.

Not sure why the container is getting the wrong user ownership; any help would be greatly appreciated.

Error:

kubectl logs artifactory6170-artifactory-756cffb9-68zjj
2020-01-26 12:28:13  [719 entrypoint-artifactory.sh] Preparing to run Artifactory in Docker
2020-01-26 12:28:13  [720 entrypoint-artifactory.sh] Running as uid=1030(artifactory) gid=1030(artifactory) groups=1030(artifactory)
2020-01-26 12:28:13   [57 entrypoint-artifactory.sh] Dockerfile for this image can found inside the container.
2020-01-26 12:28:13   [58 entrypoint-artifactory.sh] To view the Dockerfile: 'cat /docker/artifactory-pro/Dockerfile.artifactory'.
2020-01-26 12:28:13   [63 entrypoint-artifactory.sh] Checking open files and processes limits
2020-01-26 12:28:13   [66 entrypoint-artifactory.sh] Current max open files is 1048576
2020-01-26 12:28:13   [78 entrypoint-artifactory.sh] Current max open processes is unlimited
2020-01-26 12:31:13  [211 entrypoint-artifactory.sh] Testing directory /var/opt/jfrog/artifactory has read/write permissions for user 'artifactory' (id 1030)
/entrypoint-artifactory.sh: line 180: /var/opt/jfrog/artifactory/etc/test-permissions: Permission denied
2020-01-26 12:31:13  [229 entrypoint-artifactory.sh] ###########################################################
2020-01-26 12:31:13  [230 entrypoint-artifactory.sh] /var/opt/jfrog/artifactory DOES NOT have proper permissions for user 'artifactory' (id 1030)
2020-01-26 12:31:13  [231 entrypoint-artifactory.sh] Directory: /var/opt/jfrog/artifactory, permissions: 2775, owner: artifactory, group: artifactory
2020-01-26 12:31:13  [232 entrypoint-artifactory.sh] Mounted directory must have read/write permissions for user 'artifactory' (id 1030)
2020-01-26 12:31:13  [233 entrypoint-artifactory.sh] ###########################################################
2020-01-26 12:31:13   [47 entrypoint-artifactory.sh] ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030)

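The failure in the log can be reproduced offline from the `ls -l` listing in the question. The following Python script is an added example, not part of the original post: it parses listing lines (constructed here from the ones quoted above), maps the names to the ids the log reports (the `artifactory`/`artifact` = 1030 mapping is assumed), and applies POSIX owner/group/other resolution to show why fsGroup makes the PVC root (mode 2775) writable for group 1030 while the kubelet-created `etc` directory (root-owned, 2755) refuses the write that `test-permissions` attempts.

```python
import re

# Constructed uid/gid maps matching the ids the container log reports
# (uid=1030(artifactory) gid=1030(artifactory)); "artifact" is the group
# name as `ls -l` truncated it. Assumed for the example, not read from the image.
USERS = {"root": 0, "artifactory": 1030}
GROUPS = {"root": 0, "artifact": 1030, "artifactory": 1030}

LS_LINE = re.compile(
    r"^([dl-])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+[\d:]+\s+(.+)$"
)

def parse_ls_line(line):
    """Return (name, mode_bits, owner_uid, group_gid, setgid) for one `ls -l` line."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    _kind, perms, owner, group, name = m.groups()
    bits = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":          # lowercase s/t also imply the execute bit
            bits |= 1 << (8 - i)
    setgid = perms[5] in "sS"      # 's' in the group-execute slot = setgid directory
    return name, bits, USERS[owner], GROUPS[group], setgid

def can_write(mode_bits, owner_uid, group_gid, uid, gid, supplementary=()):
    """POSIX access check: root bypasses DAC; otherwise the first matching
    class (owner, then group, then other) decides and later classes are ignored."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode_bits & 0o200)
    if gid == group_gid or group_gid in supplementary:
        return bool(mode_bits & 0o020)
    return bool(mode_bits & 0o002)

def writable_by(line, uid, gid):
    """Can the process (uid, gid) write to the entry described by `line`?"""
    _name, bits, owner_uid, group_gid, _setgid = parse_ls_line(line)
    return can_write(bits, owner_uid, group_gid, uid, gid)

# Listing quoted in the question, reused as constructed sample input.
ETC_DIR = "drwxr-sr-x    2 root     artifact      4096 Jan 24 17:52 etc"

if __name__ == "__main__":
    # PVC root as the entrypoint reports it: mode 2775, owned by 1030:1030 (fsGroup applied)
    print("pvc root writable by 1030:", can_write(0o775, 1030, 1030, 1030, 1030))   # True
    # etc created by the kubelet for the subPath mounts: root-owned, no group write bit
    print("etc writable by 1030:", writable_by(ETC_DIR, 1030, 1030))                # False
    print("etc writable by root (initContainer runAsUser 0):", writable_by(ETC_DIR, 0, 0))  # True
```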
As mentioned, you cannot change the permissions of an already mounted directory.

As a workaround you can use an initContainer, which runs before the actual container, to change the permissions of the directory:

initContainers:
- name: volume-mount
  image: busybox
  command: ["sh", "-c", "chown -R 1030:1030 <your_directory>"]
  volumeMounts:
  - name: <your volume>
    mountPath: <your mountPath>

All I had to do was add an initContainer, mount the ConfigMaps into /tmp and move them to the required path /var/opt/jfrog/artifactory/etc/, instead of mounting the ConfigMaps into the volume mount /var/opt/jfrog/artifactory.

Reason: ConfigMaps are read-only, so /etc was and always would be read-only.

  initContainers:
  - name: "grant-permissions"
    image: "busybox:1.26.2"
    securityContext:
      runAsUser: 0
    imagePullPolicy: "IfNotPresent"
    command:
    - 'sh'
    - '-c'
    - 'mkdir /var/opt/jfrog/artifactory/etc ; cp -vf /tmp/artifactory* /var/opt/jfrog/artifactory/etc ; chown -R 1030:1030 /var/opt/jfrog/ ; rm -rfv /var/opt/jfrog/artifactory/lost+found'

    volumeMounts:
    - mountPath: "/var/opt/jfrog/artifactory"
      name: artifactory-volume
    - name: bootstrap
      mountPath: "/tmp/artifactory.config.import.yml"
      subPath: bootstrap
      readOnly: false
    - name: artifactory-system-properties
      mountPath: "/tmp/artifactory.system.properties"
      subPath: artifactory.system.properties
      readOnly: false
Then mount the volume into the main container that runs Artifactory:

  containers:
  - name: artifactory
    image: "registry.eu02.dsg.arm.com/sqa/artifactory-pro:6.17.0"

  volumeMounts:
  - name: artifactory-volume
    mountPath: "/var/opt/jfrog/artifactory"


Comments:

Does user id 1030 exist on both the host and the docker image? I think the docker artifactory image should have write permission for user 1030 on the var directory.

It does not use host volumes but a CinderVolume. Added the Dockerfile for better understanding.

It is too generic to say "grant permissions"; that does not solve the problem. Please find my answer above.