Apache user removed from image in openshift build -- whoami error
I have been moving a project from kube to openshift. In minikube the project runs fine, but in minishift it gives the error CrashLoopBackOff.
Here are the logs from minishift:
[WARN] $TIMEZONE not set.
[INFO] Docker date set to: Tue Apr 20 17:39:02 UTC 2021
[INFO] $PHP_FPM_ENABLE not set. PHP-FPM support disabled.
[INFO] $CUSTOM_HTTPD_CONF_DIR not set. No custom include directory added.
[INFO] Starting Server version: Apache/2.2.15 (Unix)
whoami: cannot find name for user ID 1000140000
Here is the relevant deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert
    kompose.version: 1.22.0 (HEAD)
  creationTimestamp: null
  labels:
    io.kompose.service: occtool
  name: occtool
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: occtool
  strategy: {}
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert
        kompose.version: 1.22.0 (HEAD)
      creationTimestamp: null
      labels:
        io.kompose.network/backend: "true"
        io.kompose.network/frontend: "true"
        io.kompose.service: occtool
    spec:
      containers:
        - image: private.registry.com/image:tag
          imagePullPolicy: IfNotPresent
          name: occtool
          ports:
            - containerPort: 80
            - containerPort: 443
          resources: {}
      restartPolicy: Always
status: {}
Here is the Dockerfile:
FROM cytopia/apache-2.2:0.9
# lines that copied files were omitted for convenience
USER root
I haven't found much information on this. USER root was originally omitted, so the user was apache. Using minishift ssh and docker exec I noticed that the user apache does not exist in the pod, but I cannot run the command that creates the user when building the image, because the user does exist in the image. I believe this is the root of the problem, but I haven't found a way to create the user in openshift, and I don't know why the user is removed when the pod is built.
OpenShift ignores the USER instruction from Dockerfiles and instead generates a random UID for the user in the container. There are some security considerations behind this.
From the OpenShift documentation:
Support Arbitrary User IDs
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.
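The practical shape of the fix the answer points at, as an added example in shell (not code from the question, the answer, or the cytopia image): at build time give GID 0 the owner's permissions on everything the server writes, and at start-up add a passwd entry for whatever UID OpenShift assigned so that `whoami` and anything calling `getpwuid()` stop failing. The function names, the `apache` / `/var/www` values, the passwd-file parameter and the defaults are assumptions for illustration; the UID 1000140000 is the one from the question's log.

```sh
#!/bin/sh
# Added example, not from the original question, answer or the cytopia image.
# Makes an image tolerate OpenShift's arbitrarily assigned UID (restricted SCC).

# Build time (run from the Dockerfile as root, before any USER line):
# everything the server may write must be owned by GID 0 and group-writable,
# and executables need the group execute bit. "chmod g=u" copies the owner
# bits onto the group bits, which satisfies both requirements in one step.
# Not exercised by the self-test because chgrp to GID 0 needs root.
fix_group_perms() {
  chgrp -R 0 "$1" && chmod -R g=u "$1"
}

# Exit 0 when PASSWD_FILE already contains a line for UID, 1 otherwise.
# Usage: has_passwd_entry PASSWD_FILE UID
has_passwd_entry() {
  awk -F: -v uid="$2" '$3 == uid { found = 1 } END { exit !found }' "$1"
}

# Run time (entrypoint): the UID OpenShift picked has no passwd line, which is
# exactly what "whoami: cannot find name for user ID 1000140000" reports.
# Append one with GID 0 as primary group so the group permissions above apply.
# Usage: ensure_passwd_entry PASSWD_FILE UID [NAME] [HOME]
# PASSWD_FILE is /etc/passwd in a real image; it must have been made
# group-writable at build time (chmod g=u /etc/passwd) for the append to work.
# NAME and HOME default to "default" and /tmp (assumed values, not from the page).
ensure_passwd_entry() {
  passwd_file="$1"
  uid="$2"
  name="${3:-default}"
  home="${4:-/tmp}"
  if has_passwd_entry "$passwd_file" "$uid"; then
    return 0   # idempotent: nothing to do on restart
  fi
  printf '%s:x:%s:0::%s:/bin/sh\n' "$name" "$uid" "$home" >> "$passwd_file"
}

# Typical entrypoint call before exec'ing the server (assumed values):
#   ensure_passwd_entry /etc/passwd "$(id -u)" apache /var/www
```

Two caveats a practitioner will hit next: the `whoami` line is only the entrypoint failing to resolve the UID, and `USER root` in the Dockerfile will not change it, since the restricted SCC overrides the UID. Separately, a non-root process cannot bind ports 80 and 443 without CAP_NET_BIND_SERVICE, so an Apache image meant for OpenShift's default SCC should listen on an unprivileged port such as 8080 and be exposed through a Service and Route.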