Kubernetes creates VolumeMounts as root: Artifactory, despite a securityContext being provided
Problem: deploying Artifactory as a Deployment in Kubernetes. The VolumeMounts are being mounted as root:artifact with permissions drwxr-sr-x:
/var/opt/jfrog/artifactory
drwxr-sr-x 2 root artifact 4096 Jan 24 17:52 etc
/var/opt/jfrog/artifactory/etc
-rw-r--r-- 1 root artifact 1048 Jan 24 17:48 artifactory.config.import.yml
-rw-r--r-- 1 root artifact 12703 Jan 24 17:48 artifactory.system.properties
Expected:
The VolumeMount should be mounted as artifact:artifact with read/write permissions.
The Kubernetes manifest below is incomplete because of restrictions:
spec:
  securityContext:
    runAsUser: 1030
    runAsGroup: 1030
    fsGroup: 1030
  volumeMounts:
    - name: artifactory-volume
      mountPath: "/var/opt/jfrog/artifactory"
    - name: bootstrap
      mountPath: "/var/opt/jfrog/artifactory/etc/artifactory.config.import.yml"
      subPath: bootstrap
    - name: artifactory-system-properties
      mountPath: "/var/opt/jfrog/artifactory/etc/artifactory.system.properties"
      subPath: artifactory.system.properties
  resources:
    limits:
      cpu: "3"
      memory: 6Gi
    requests:
      cpu: "2"
      memory: 4Gi
  volumes:
    - name: bootstrap
      secret:
        secretName: artifactory6170-artifactory
    - name: artifactory-system-properties
      configMap:
        name: artifactory6170-artifactory-system-properties
    - name: artifactory-volume
      persistentVolumeClaim:
        claimName: artifactory6170-artifactory
Kubernetes version:
Server Version: version.Info{
Major: "1",
Minor: "14",
GitVersion: "v1.14.1",
GitCommit: "b7394102d6ef778017f2ca4046abbaa23b88c290",
GitTreeState: "clean",
BuildDate: "2019-04-08T17:02:58Z",
GoVersion: "go1.12.1",
Compiler: "gc",
Platform: "linux/amd64"
}
I believe the securityContext contains what is needed:
runAsUser: 1030
  runs the process as 1030
runAsGroup: 1030
  when runAsGroup is specified, any files created will also be owned by user 1030 and group 1030
fsGroup:
  the owner of any attached volume will be group ID 1099
I do not understand why the container ends up with the wrong user ownership; any help would be appreciated.
Error:
kubectl logs artifactory6170-artifactory-756cffb9-68zjj
2020-01-26 12:28:13 [719 entrypoint-artifactory.sh] Preparing to run Artifactory in Docker
2020-01-26 12:28:13 [720 entrypoint-artifactory.sh] Running as uid=1030(artifactory) gid=1030(artifactory) groups=1030(artifactory)
2020-01-26 12:28:13 [57 entrypoint-artifactory.sh] Dockerfile for this image can found inside the container.
2020-01-26 12:28:13 [58 entrypoint-artifactory.sh] To view the Dockerfile: 'cat /docker/artifactory-pro/Dockerfile.artifactory'.
2020-01-26 12:28:13 [63 entrypoint-artifactory.sh] Checking open files and processes limits
2020-01-26 12:28:13 [66 entrypoint-artifactory.sh] Current max open files is 1048576
2020-01-26 12:28:13 [78 entrypoint-artifactory.sh] Current max open processes is unlimited
2020-01-26 12:31:13 [211 entrypoint-artifactory.sh] Testing directory /var/opt/jfrog/artifactory has read/write permissions for user 'artifactory' (id 1030)
/entrypoint-artifactory.sh: line 180: /var/opt/jfrog/artifactory/etc/test-permissions: Permission denied
2020-01-26 12:31:13 [229 entrypoint-artifactory.sh] ###########################################################
2020-01-26 12:31:13 [230 entrypoint-artifactory.sh] /var/opt/jfrog/artifactory DOES NOT have proper permissions for user 'artifactory' (id 1030)
2020-01-26 12:31:13 [231 entrypoint-artifactory.sh] Directory: /var/opt/jfrog/artifactory, permissions: 2775, owner: artifactory, group: artifactory
2020-01-26 12:31:13 [232 entrypoint-artifactory.sh] Mounted directory must have read/write permissions for user 'artifactory' (id 1030)
2020-01-26 12:31:13 [233 entrypoint-artifactory.sh] ###########################################################
2020-01-26 12:31:13 [47 entrypoint-artifactory.sh] ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030)
As mentioned, you cannot change the permissions of an already mounted directory.
As a workaround, you can use an initContainer, which runs before the actual container, to change the permissions of the directory:

initContainers:
  - name: volume-mount
    image: busybox
    command: ["sh", "-c", "chown -R 1030:1030 <your_directory>"]
    volumeMounts:
      - name: <your volume>
        mountPath: <your mountPath>
All I had to do was add an initContainer, mount the ConfigMaps under /tmp and move them to the required path /var/opt/jfrog/artifactory/etc/, instead of mounting the ConfigMaps inside the /var/opt/jfrog/artifactory volume mount.
Reason: ConfigMaps are read-only, so /etc was, and would have stayed, read-only.

initContainers:
  - name: "grant-permissions"
    image: "busybox:1.26.2"
    securityContext:
      runAsUser: 0
    imagePullPolicy: "IfNotPresent"
    command:
      - 'sh'
      - '-c'
      - 'mkdir /var/opt/jfrog/artifactory/etc ; cp -vf /tmp/artifactory* /var/opt/jfrog/artifactory/etc ; chown -R 1030:1030 /var/opt/jfrog/ ; rm -rfv /var/opt/jfrog/artifactory/lost+found'
    volumeMounts:
      - mountPath: "/var/opt/jfrog/artifactory"
        name: artifactory-volume
      - name: bootstrap
        mountPath: "/tmp/artifactory.config.import.yml"
        subPath: bootstrap
        readOnly: false
      - name: artifactory-system-properties
        mountPath: "/tmp/artifactory.system.properties"
        subPath: artifactory.system.properties
        readOnly: false

Then mount the volume into the main container that runs Artifactory:

containers:
  - name: artifactory
    image: "registry.eu02.dsg.arm.com/sqa/artifactory-pro:6.17.0"
    volumeMounts:
      - name: artifactory-volume
        mountPath: "/var/opt/jfrog/artifactory"
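As an added example (not from the question or either answer), a small static check that flags the layout that caused the failure above: Secret/ConfigMap files mounted with subPath below a PVC's mountPath, which makes kubelet create the intermediate "etc" directory as root, plus the root-running initContainer the workaround relies on. The manifest is a constructed dict mirroring the question's spec, and the function names are hypothetical.

```python
from posixpath import commonpath

# Constructed: a trimmed copy of the question's pod spec as a dict (no YAML
# library needed). Added example, not from the question or the answers.
POD_SPEC = {
    "securityContext": {"runAsUser": 1030, "runAsGroup": 1030, "fsGroup": 1030},
    "initContainers": [{"name": "grant-permissions", "securityContext": {"runAsUser": 0}}],
    "containers": [{"name": "artifactory", "volumeMounts": [
        {"name": "artifactory-volume", "mountPath": "/var/opt/jfrog/artifactory"},
        {"name": "bootstrap", "subPath": "bootstrap",
         "mountPath": "/var/opt/jfrog/artifactory/etc/artifactory.config.import.yml"},
        {"name": "artifactory-system-properties", "subPath": "artifactory.system.properties",
         "mountPath": "/var/opt/jfrog/artifactory/etc/artifactory.system.properties"}]}],
    "volumes": [
        {"name": "bootstrap", "secret": {"secretName": "artifactory6170-artifactory"}},
        {"name": "artifactory-system-properties",
         "configMap": {"name": "artifactory6170-artifactory-system-properties"}},
        {"name": "artifactory-volume",
         "persistentVolumeClaim": {"claimName": "artifactory6170-artifactory"}}],
}
# Volume sources that kubelet projects read-only and root-owned.
READ_ONLY_SOURCES = ("configMap", "secret", "downwardAPI", "projected")

def volume_kind(spec, name):
    """Source key (configMap, secret, persistentVolumeClaim, ...) of a named volume."""
    for vol in spec.get("volumes", []):
        if vol["name"] == name:
            return next(k for k in vol if k != "name")
    return None

def find_nested_mounts(spec):
    """Read-only volumes mounted strictly below another volume's mountPath.
    kubelet creates the intermediate dir ('etc' here) on the parent volume as
    root, so UID 1030 cannot write there even though fsGroup is set."""
    findings = []
    for ctr in spec.get("containers", []):
        mounts = ctr.get("volumeMounts", [])
        for child in mounts:
            if volume_kind(spec, child["name"]) not in READ_ONLY_SOURCES:
                continue
            for parent in mounts:
                p, c = parent["mountPath"].rstrip("/"), child["mountPath"]
                if parent is not child and c != p and commonpath([p, c]) == p:
                    findings.append((ctr["name"], child["name"], parent["name"]))
    return findings

def find_root_init_containers(spec):
    """initContainers that run as UID 0 (the chown workaround needs this)."""
    return [c["name"] for c in spec.get("initContainers", [])
            if c.get("securityContext", {}).get("runAsUser") == 0]
```

Run against the question's spec it reports both subPath mounts as nested under the PVC; with them moved to /tmp, as in the accepted fix, it reports nothing.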
Does user id 1030 exist on both the host and the Docker image?

I think the Docker Artifactory image should have write permission for user 1030 on the var directory. It does not use a host volume but a Cinder volume. Added the Dockerfile for better understanding.

It is too generic to say "grant permissions"; that does not fix the issue. Please see my answer above.