I ran into the following error while trying to deploy an application in a Kubernetes cluster. It looks like Kubernetes is not allowing a file to be mounted into the container. Do you know what the possible cause might be?
Deployment configuration file:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: model-loader-service
  namespace: "{{ .Values.nsPrefix }}-aai"
spec:
  selector:
    matchLabels:
      app: model-loader-service
  template:
    metadata:
      labels:
        app: model-loader-service
      name: model-loader-service
    spec:
      containers:
      - name: model-loader-service
        image: "{{ .Values.image.modelLoaderImage }}:{{ .Values.image.modelLoaderVersion }}"
        imagePullPolicy: {{ .Values.pullPolicy }}
        env:
        - name: CONFIG_HOME
          value: /opt/app/model-loader/config/
        volumeMounts:
        - mountPath: /etc/localtime
          name: localtime
          readOnly: true
        - mountPath: /opt/app/model-loader/config/
          name: aai-model-loader-config
        - mountPath: /var/log/onap
          name: aai-model-loader-logs
        - mountPath: /opt/app/model-loader/bundleconfig/etc/logback.xml
          name: aai-model-loader-log-conf
          subPath: logback.xml
        ports:
        - containerPort: 8080
        - containerPort: 8443
      - name: filebeat-onap-aai-model-loader
        image: {{ .Values.image.filebeat }}
        imagePullPolicy: {{ .Values.pullPolicy }}
        volumeMounts:
        - mountPath: /usr/share/filebeat/filebeat.yml
          name: filebeat-conf
        - mountPath: /var/log/onap
          name: aai-model-loader-logs
        - mountPath: /usr/share/filebeat/data
          name: aai-model-loader-filebeat
      volumes:
      - name: localtime
        hostPath:
          path: /etc/localtime
      - name: aai-model-loader-config
        hostPath:
          path: "/dockerdata-nfs/{{ .Values.nsPrefix }}/aai/model-loader/appconfig/"
      - name: filebeat-conf
        hostPath:
          path: /dockerdata-nfs/{{ .Values.nsPrefix }}/log/filebeat/logback/filebeat.yml
Details of the problem:
message: 'invalid header field value "oci runtime error: container_linux.go:247:
starting container process caused \"process_linux.go:359: container init
caused \\\"rootfs_linux.go:53: mounting \\\\\\\"/dockerdata-nfs/onap/log/filebeat/logback/filebeat.yml\\\\\\\"
to rootfs \\\\\\\"/var/lib/docker/aufs/mnt/7cd32a29938e9f70a727723f550474cb5b41c0966f45ad0c323360779f08cf5c\\\\\\\"
at \\\\\\\"/var/lib/docker/aufs/mnt/7cd32a29938e9f70a727723f550474cb5b41c0966f45ad0c323360779f08cf5c/usr/share/filebeat/filebeat.yml\\\\\\\"
caused \\\\\\\"not a directory\\\\\\\"\\\"\"\n"'
...
$ docker version
Client:
Version: 1.12.6
API version: 1.24
Go version: go1.6.4
Git commit: 78d1802
Built: Tue Jan 10 20:38:45 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Go version: go1.6.4
Git commit: 78d1802
Built: Tue Jan 10 20:38:45 2017
OS/Arch: linux/amd64
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.4", GitCommit:"793658f2d7ca7f064d2bdf606519f9fe1229c381", GitTreeState:"clean", BuildDate:"2017-08-17T08:48:23Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.3-rancher3", GitCommit:"772c4c54e1f4ae7fc6f63a8e1ecd9fe616268e16", GitTreeState:"clean", BuildDate:"2017-11-27T19:51:43Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Answer 0 (score: 1)
caused "not a directory"
is somewhat self-explanatory. What exact volume and volumeMount definitions are you using? Are you using subPath in the manifest?
Edit: change
- name: filebeat-conf
  hostPath:
    path: /dockerdata-nfs/{{ .Values.nsPrefix }}/log/filebeat/logback/filebeat.yml
to
- name: filebeat-conf
  hostPath:
    path: /dockerdata-nfs/{{ .Values.nsPrefix }}/log/filebeat/logback/
and add subPath: filebeat.yml to the volumeMount.
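As an added example that is not part of any answer here: a small Python check that walks a rendered Deployment, flags every hostPath volume that points at a single file and is mounted without subPath, and rewrites it the way this answer suggests (parent directory as hostPath, file name as subPath). The sample manifest is constructed from the question's filebeat side-car, rendered to JSON with the Helm value nsPrefix replaced by the placeholder "onap".

```python
import copy
import json
import posixpath

# Constructed sample: the filebeat side-car from the question rendered to JSON,
# with the Helm value nsPrefix replaced by the placeholder "onap".
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "spec": {"template": {"spec": {
  "containers": [{"name": "filebeat-onap-aai-model-loader", "volumeMounts": [
    {"mountPath": "/usr/share/filebeat/filebeat.yml", "name": "filebeat-conf"},
    {"mountPath": "/var/log/onap", "name": "aai-model-loader-logs"}]}],
  "volumes": [
    {"name": "filebeat-conf",
     "hostPath": {"path": "/dockerdata-nfs/onap/log/filebeat/logback/filebeat.yml"}},
    {"name": "aai-model-loader-logs", "hostPath": {"path": "/dockerdata-nfs/onap/log"}}]
}}}}""")

def check_hostpath_file_mounts(deployment):
    """Flag each volumeMount of a file-like hostPath (last component has an extension)
    that has no subPath; findings carry answer 0's rewrite: directory + subPath."""
    pod = deployment["spec"]["template"]["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in pod.get("containers", []):
        for m in c.get("volumeMounts", []):
            src = host_paths.get(m["name"])
            if src is None or m.get("subPath") or src.endswith("/"):
                continue
            if "." not in posixpath.basename(src):
                continue  # looks like a directory; mounting it whole is fine
            findings.append({"container": c["name"], "volume": m["name"],
                             "mountPath": m["mountPath"],
                             "hostPath": posixpath.dirname(src) + "/",
                             "subPath": posixpath.basename(src)})
    return findings

def apply_subpath_fix(deployment):
    """Return a deep copy with every flagged mount rewritten to directory + subPath."""
    fixed = copy.deepcopy(deployment)
    pod = fixed["spec"]["template"]["spec"]
    for f in check_hostpath_file_mounts(deployment):
        for v in pod["volumes"]:
            if v["name"] == f["volume"]:
                v["hostPath"]["path"] = f["hostPath"]
        for c in pod["containers"]:
            for m in c.get("volumeMounts", []):
                if m["name"] == f["volume"] and m["mountPath"] == f["mountPath"]:
                    m["subPath"] = f["subPath"]
    return fixed
```

The check is a heuristic on the path string only; it does not inspect the node, so a hostPath that is missing on some nodes (the point answer 2 makes) still has to be verified on every node.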
Answer 1 (score: 1)
SELinux could also be the culprit. Log in to the node and run sestatus. If the policy is disabled you will see SELINUX=disabled in the output; otherwise it will look something like this:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mcs
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
First option:
You can disable SELinux by editing the /etc/selinux/config file and changing SELINUX=permissive to SELINUX=disabled. Once done, reboot the machine and deploy again to see whether it is fixed. However, this is not the recommended way and should be seen as a temporary workaround.
Second option:
Log in to the node and run ps -efZ | grep kubelet, which will give you something like this.
system_u:system_r:kernel_t:s0 root 1592 1 2 May23 ? 09:58:18 /usr/local/bin/kubelet --anonymous-auth=false
Now take the string system_u:system_r:kernel_t:s0 from this output; it can be turned into a security context in the deployment as shown below.
securityContext:
  seLinuxOptions:
    user: system_u
    role: system_r
    type: spc_t
    level: s0
Deploy your application and check the logs to see whether it is fixed. Let me know whether this works for you or you need further help.
Answer 2 (score: 0)
Is this a multi-node cluster? If so, the file needs to exist on all Kubernetes nodes, since the Pod is normally scheduled on whichever host is available. In any case, ConfigMaps are a better way of providing static/read-only files to a container.