Kubernetes部署只读文件系统错误

时间:2018-04-02 15:28:43

标签: docker sed deployment kubernetes airflow

我在Kubernetes(正是这个版本的Airflow https://github.com/puckel/docker-airflow/blob/1.8.1/Dockerfile)上部署Airflow时遇到错误,因为它将权限写入文件系统。

pod的日志上显示的错误是:

sed: couldn't open temporary file /usr/local/airflow/sed18bPUH: Read-only file system
sed: -e expression #1, char 131: unterminated `s' command
sed: -e expression #1, char 118: unterminated `s' command
Initialize database...
sed: couldn't open temporary file /usr/local/airflow/sedouxZBL: Read-only file system
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/airflow/configuration.py", line 769, in
    ....
    with open(TEST_CONFIG_FILE, 'w') as f:
IOError: [Errno 30] Read-only file system: '/usr/local/airflow/unittests.cfg'

似乎文件系统是只读的,但我不明白它为什么。我不确定它是否是 Kubernetes配置错误(我是否需要针对pod的特殊RBAC?不知道)或者 Dockerfile 是否存在问题。

部署文件如下所示:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: airflow
  namespace: test
spec:
  replicas: 1
  revisionHistoryLimit: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  template:
    metadata:
      labels:
        app: airflow
    spec:
      restartPolicy: Always
      containers:
      - name: webserver
        image: davideberdin/docker-airflow:0.0.4
        imagePullPolicy: Always
        resources:
          limits:
            cpu: 1
            memory: 1Gi
          requests:
            cpu: 50m
            memory: 128Mi
        securityContext:  #does not have any effect
          runAsUser: 0    #does not have any effect
        ports:
        - name: airflow-web
          containerPort: 8080
        args: ["webserver"]
        volumeMounts:
          - name: airflow-config-volume
            mountPath: /usr/local/airflow
            readOnly: false #does not have any effect
          - name: airflow-logs
            mountPath: /usr/local/logs
            readOnly: false #does not have any effect
      volumes:
      - name: airflow-config-volume
        secret:
          secretName: airflow-config-secret
      - name: airflow-parameters-volume
        secret:
          secretName: airflow-parameters-secret
      - name: airflow-logs
        emptyDir: {}

知道如何让文件系统可写吗?容器以 USER airflow 运行,但我认为此用户具有root权限。

2 个答案:

答案 0 :(得分:7)

从kubernetes 1.9版本开始,默认情况下,secret,configMap,downdownAPI和projected上的volumeMounts行为已更改为只读。

该问题的一种解决方法是创建一个emtpyDir卷并将其内容复制到其中,然后执行/写入所需的任何内容。

这是一小段演示。

    initContainers:
    - name: copy-ro-scripts
      image: busybox
      command: ['sh', '-c', 'cp /scripts/* /etc/pre-install/']
      volumeMounts:
        - name: scripts
          mountPath: /scripts
        - name: pre-install
          mountPath: /etc/pre-install
   volumes:
      - name: pre-install
        emptyDir: {}
      - name: scripts
        configMap:
          name: bla

导致此中断的合并PR :( https://github.com/kubernetes/kubernetes/pull/58720

答案 1 :(得分:3)

    volumeMounts:
      - name: airflow-config-volume
        mountPath: /usr/local/airflow
  volumes:
  - name: airflow-config-volume
    secret:
      secretName: airflow-config-secret

问题的根源有两个原因:首先,您通过音量将您的秘密直接挂在图像上直接打印到图像所需的位置{{3}您已经粉碎了气流用户home directory }}

另外,虽然我必须启动一个群集以确认100%,但我确信Secret卷已经安装 - 我认为他们的ConfigMap朋友 - 是Pod文件系统的只读投影;怀疑肯定似乎符合你的经验。毫无疑问,对这些卷的更改会传播回kubernetes集群,所以为什么要假装。

如果你想继续尝试这样的事情,你实际上会影响投射到volumeMount文件a directory owned by airflow,所以你可以设置它们到0666,但请务必谨慎。到目前为止,短版本不会使用卷装置粉碎$AIRFLOW_HOME

相关问题
最新问题