Openshift 4 - Mkdir 命令获取权限被拒绝错误
Openshift 4 - Mkdir command gets permission denied error
我已经为未指定任何用户的映像设置部署 运行。当映像启动时,它尝试在 /data/cache 处创建一个目录,但遇到权限被拒绝的错误。
我尝试在 pods 中从终端创建目录,但遇到了同样的问题:
$ whoami
1000910000
$ mkdir /data/cache
mkdir: cannot create directory ‘/data/cache’: Permission denied
找到 但它要求图像 运行 作为特定用户,我无法更改 Dockerfile。有什么方法可以允许图像写入访问 /data?
谢谢
如果您无法更改容器本身,那么可以选择在此位置安装一个 emptyDir 目录。
像这样将其添加到部署中:
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-deployment
labels:
app: example
spec:
...
spec:
containers:
- name: example
image: nginx:1.14.2
ports:
- containerPort: 80
volumeMounts:
- mountPath: /data/cache
name: cache-volume
volumes:
- name: cache-volume
emptyDir: {}
这是由于 OpenShift create/manage 每次部署图像时,它都会创建一个随机用户 ID。
您应该检查如何支持任意用户 ID:
https://docs.openshift.com/container-platform/4.7/openshift_images/create-images.html
Support arbitrary user ids
By default, OpenShift Container Platform runs containers using an
arbitrarily assigned user ID. This provides additional security
against processes escaping the container due to a container engine
vulnerability and thereby achieving escalated permissions on the host
node.
For an image to support running as an arbitrary user, directories and
files that are written to by processes in the image must be owned by
the root group and be read/writable by that group. Files to be
executed must also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file
permissions to allow users in the root group to access them in the
built image:
RUN chgrp -R 0 /some/directory && \
chmod -R g=u /some/directory
Because the container user is always a member of the root group, the
container user can read and write these files.
所以你真的应该尝试按照这些规则来改变它。
我已经为未指定任何用户的映像设置部署 运行。当映像启动时,它尝试在 /data/cache 处创建一个目录,但遇到权限被拒绝的错误。
我尝试在 pods 中从终端创建目录,但遇到了同样的问题:
$ whoami
1000910000
$ mkdir /data/cache
mkdir: cannot create directory ‘/data/cache’: Permission denied
找到 /data?
谢谢
如果您无法更改容器本身,那么可以选择在此位置安装一个 emptyDir 目录。
像这样将其添加到部署中:
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-deployment
labels:
app: example
spec:
...
spec:
containers:
- name: example
image: nginx:1.14.2
ports:
- containerPort: 80
volumeMounts:
- mountPath: /data/cache
name: cache-volume
volumes:
- name: cache-volume
emptyDir: {}
这是由于 OpenShift create/manage 每次部署图像时,它都会创建一个随机用户 ID。
您应该检查如何支持任意用户 ID:
https://docs.openshift.com/container-platform/4.7/openshift_images/create-images.html
Support arbitrary user ids
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:
RUN chgrp -R 0 /some/directory && \
chmod -R g=u /some/directory
Because the container user is always a member of the root group, the container user can read and write these files.
所以你真的应该尝试按照这些规则来改变它。