How to run pgAdmin in OpenShift?

Time: 2019-01-17 23:42:30

Tags: postgresql openshift pgadmin pgadmin-4

I'm trying to run a pgAdmin container (the one I'm using is from here) in an OpenShift cluster where I don't have admin privileges and the admin, for security reasons, doesn't want to allow containers to run as root.

The error I'm currently getting is as follows:

I created a Dockerfile, based on the image linked above, that creates that directory ahead of time, and I get this error:

Is it possible to run pgAdmin in OpenShift? I'd like the database admins to be able to log in to a pgAdmin instance and configure the databases from there, instead of having to use the OpenShift CLI and port forwarding. When I use that method, the port-forward connection drops very frequently.

Edit 1:

Would it be possible to edit the Dockerfile and entrypoint.sh files found on pgAdmin's github?

Edit 2:

This seems to be a bug in pgAdmin... :/

https://www.postgresql.org/message-id/15470-c84b4e5cc424169d%40postgresql.org

4 answers:

Answer 0 (score: 0)

This may work if you create a pgadmin user via the Dockerfile and give it permission to write to /var/log/pgadmin.

You can create the user in the Dockerfile with a RUN command; something like this:

```dockerfile
# Create pgadmin user (home under /pgadmin, primary group 0 as OpenShift expects)
ENV HOME=/pgadmin
RUN mkdir -p ${HOME} && \
    mkdir -p ${HOME}/pgadmin && \
    groupadd -r pgadmin && \
    useradd -u 1001 -r -g 0 -G pgadmin -d ${HOME} -s /bin/bash \
        -c "Default Application User" pgadmin

# Set user home and permissions: owned by 1001, group 0, and group-writable so
# that an arbitrary UID running with GID 0 can also write there.
RUN chmod -R 770 ${HOME} && chown -R 1001:0 ${HOME}

# Create the log folder and set permissions (a directory needs the x bit to be entered)
RUN mkdir -p /var/log/pgadmin && \
    chmod 0770 /var/log/pgadmin && \
    chown 1001:0 /var/log/pgadmin

# Run as 1001 (pgadmin)
USER 1001
```

Adjust your pgadmin installation so it runs as 1001, and I think you should be set.
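What decides whether this works on OpenShift is not the UID 1001 itself but the group bits: under the default restricted SCC the container starts as an arbitrary UID from the project's range with GID 0, so only group-0 permissions count. The following added example (not code from the answer or from the pgAdmin project) models that rule and compares an owner-only layout (0700/0600) with a group-writable one (0770), run once as uid 1001 and once as a constructed arbitrary UID; the paths are the ones the answer's Dockerfile creates, and `audit_real_path` applies the same check to a real directory on the host.

```python
"""Who can write into the directories the Dockerfile above creates?

Added example. OpenShift's restricted SCC runs the container as an arbitrary
UID with GID 0, so the check below follows the POSIX rule for creating files
in a directory: write + search (x) permission, in exactly one permission
class (owner, else group, else other).
"""
import os
import stat

# Constructed: a UID of the kind OpenShift assigns from a project's UID range.
ARBITRARY_UID = 1000650000
ROOT_GID = 0


def can_write_dir(mode: int, owner_uid: int, owner_gid: int, uid: int, gid: int) -> bool:
    """True if a process running as uid/gid can create files in the directory."""
    if uid == 0:
        return True
    if uid == owner_uid:
        needed = stat.S_IWUSR | stat.S_IXUSR
    elif gid == owner_gid:
        needed = stat.S_IWGRP | stat.S_IXGRP
    else:
        needed = stat.S_IWOTH | stat.S_IXOTH
    return (mode & needed) == needed


# Layouts as (path, mode, owner uid, owner gid), paths from the answer's Dockerfile.
OWNER_ONLY = [
    ("/pgadmin", 0o700, 1001, 0),
    ("/var/log/pgadmin", 0o600, 1001, 0),
]
GROUP_WRITABLE = [
    ("/pgadmin", 0o770, 1001, 0),
    ("/var/log/pgadmin", 0o770, 1001, 0),
]


def audit(layout, uid: int, gid: int) -> dict:
    """Map each path to whether the given runtime user could write into it."""
    return {path: can_write_dir(mode, o_uid, o_gid, uid, gid)
            for path, mode, o_uid, o_gid in layout}


def audit_real_path(path: str) -> bool:
    """Same check against a real directory, for the current process' uid/gid."""
    st = os.stat(path)
    return can_write_dir(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                         os.getuid(), os.getgid())


if __name__ == "__main__":
    for label, layout in (("owner-only", OWNER_ONLY), ("group-writable", GROUP_WRITABLE)):
        print(f"{label}: uid 1001      -> {audit(layout, 1001, ROOT_GID)}")
        print(f"{label}: uid {ARBITRARY_UID} -> {audit(layout, ARBITRARY_UID, ROOT_GID)}")
```

Running it shows that 0600 on /var/log/pgadmin fails even for uid 1001 (no search bit), and that 0700 fails for any UID other than 1001, which is the case OpenShift actually produces; only the 0770 layout passes for both.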

Answer 1 (score: 0)

I have answered a similar question about a local installation: OSError: [Errno 13] Permission denied: '/var/lib/pgadmin'

For the docker image you can map /pgadmin4/config_local.py using environment variables; check the Mapped Files and Directories section at https://hub.docker.com/r/dpage/pgadmin4/

Answer 2 (score: 0)

By default Openshift doesn't allow running containers with root privilege; you can add the anyuid Security Context Constraint (SCC) to the user of the project in which you want to deploy the container.

Add the SCC for the project:

```shell
$ oc adm policy add-scc-to-user anyuid system:serviceaccount:<your-project>:default
scc "anyuid" added to: ["system:serviceaccount:data-base-administration:default"]
$ oc get scc
NAME               PRIV      CAPS      SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
anyuid             false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
```

pgAdmin deployed:

```
$ oc describe pod pgadmin4-4-fjv4h
Name:               pgadmin4-4-fjv4h
Namespace:          data-base-administration
Priority:           0
PriorityClassName:  <none>
Node:               host/IP
Start Time:         Mon, 18 Feb 2019 23:22:30 -0400
Labels:             app=pgadmin4
                    deployment=pgadmin4-4
                    deploymentconfig=pgadmin4
Annotations:        openshift.io/deployment-config.latest-version=4
                    openshift.io/deployment-config.name=pgadmin4
                    openshift.io/deployment.name=pgadmin4-4
                    openshift.io/generated-by=OpenShiftWebConsole
                    openshift.io/scc=anyuid
Status:             Running
IP:                 IP
Controlled By:      ReplicationController/pgadmin4-4
Containers:
  pgadmin4:
    Container ID:   docker://ID
    Image:          dpage/pgadmin4@sha256:SHA
    Image ID:       docker-pullable://docker.io/dpage/pgadmin4@sha256:SHA
    Ports:          80/TCP, 443/TCP
    Host Ports:     0/TCP, 0/TCP
    State:          Running
      Started:      Mon, 18 Feb 2019 23:22:37 -0400
    Ready:          True
    Restart Count:  0
    Environment:
      PGADMIN_DEFAULT_EMAIL:     secret
      PGADMIN_DEFAULT_PASSWORD:  secret
    Mounts:
      /var/lib/pgadmin from pgadmin4-1 (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-74b75 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  pgadmin4-1:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
  default-token-74b75:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-74b75
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  node-role.kubernetes.io/compute=true
Tolerations:     <none>
Events:
  Type    Reason     Age   From                             Message
  ----    ------     ----  ----                             -------
  Normal  Scheduled  51m   default-scheduler                Successfully assigned data-base-administration/pgadmin4-4-fjv4h to host
  Normal  Pulling    51m   kubelet, host  pulling image "dpage/pgadmin4@sha256:SHA"
  Normal  Pulled     51m   kubelet, host  Successfully pulled image "dpage/pgadmin4@sha256:SHA"
  Normal  Created    51m   kubelet, host  Created container
  Normal  Started    51m   kubelet, host  Started container
```

(Screenshots: deploy-image-openshift, pgadmin-deployed-ocp)
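Granting anyuid to a service account removes exactly the control the cluster admin in the question wanted to keep, so it is worth being able to see afterwards which pods were admitted under it. The describe output above records that in the `openshift.io/scc` annotation; the following added example (not code from the answer or from OpenShift) reads the JSON that `oc get pods --all-namespaces -o json` prints and lists the pods admitted under a watched SCC. The pod list embedded below is constructed for the example, modelled on the pod above.

```python
"""List pods admitted under a relaxed SCC such as anyuid.

Added example. Input is the JSON of `oc get pods --all-namespaces -o json`;
each pod carries the SCC it was admitted under in the
metadata.annotations["openshift.io/scc"] field.
"""
import json
import sys

# SCCs that relax the default restricted policy; extend as your cluster needs.
WATCHED_SCCS = {"anyuid", "privileged", "hostaccess", "hostmount-anyuid"}

# Constructed sample pod list (same shape as the oc output).
SAMPLE_POD_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "pgadmin4-4-fjv4h",
                      "namespace": "data-base-administration",
                      "annotations": {"openshift.io/scc": "anyuid"}}},
        {"metadata": {"name": "web-1-abcde",
                      "namespace": "frontend",
                      "annotations": {"openshift.io/scc": "restricted"}}},
        # A pod without annotations at all must not crash the scan.
        {"metadata": {"name": "static-pod", "namespace": "kube-system"}},
    ],
})


def pods_under_scc(pod_list_json: str, watched=WATCHED_SCCS):
    """Return sorted (namespace, pod, scc) tuples for pods admitted under a watched SCC."""
    doc = json.loads(pod_list_json)
    hits = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        if scc in watched:
            hits.append((meta.get("namespace", ""), meta.get("name", ""), scc))
    return sorted(hits)


if __name__ == "__main__":
    # Pipe real cluster data in; falls back to the constructed sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POD_LIST
    for namespace, name, scc in pods_under_scc(data):
        print(f"{namespace}/{name}\t{scc}")
```

Usage: `oc get pods --all-namespaces -o json | python3 scc_audit.py` (the file name is an assumption). Comparing the list against the SCC grants you expect makes a forgotten anyuid grant visible without reading every pod's describe output.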

Answer 3 (score: 0)

To fix these errors you need to add a writable volume to the container and set pgadmin's configuration to use that directory.

```
Permission Denied: '/var/lib/pgadmin'
Permission Denied: '/var/log/pgadmin'
```

The OpenShift / Kubernetes YAML example below demonstrates this by providing a custom /pgadmin4/config_local.py as described here. This lets you run the image as a container with regular privileges.

Note that the base directory for the config files (/var/lib/pgadmin/data) still needs to be below the mount point (/var/lib/pgadmin/), because pgadmin's initialisation code tries to create / change ownership of that directory, which is not allowed on the mount-point directory itself inside the container.

```yaml
apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: Secret
  metadata:
    labels:
      app: pgadmin-app
    name: pgadmin
  type: Opaque
  stringData:
    username: admin
    password: DEFAULT_PASSWORD
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      serviceaccounts.openshift.io/oauth-redirectreference.pgadmin: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"pgadmin"}}'
    labels:
      app: pgadmin-app
    name: pgadmin
- apiVersion: v1
  kind: ConfigMap
  metadata:
    labels:
      app: pgadmin-app
    name: pgadmin
  data:
    config_local.py: |-
      import os
      _BASEDIR = '/var/lib/pgadmin/data'
      LOG_FILE = os.path.join(_BASEDIR, 'logfile')
      SQLITE_PATH = os.path.join(_BASEDIR, 'sqlite.db')
      STORAGE_DIR = os.path.join(_BASEDIR, 'storage')
      SESSION_DB_PATH = os.path.join(_BASEDIR, 'sessions')
    servers.json: |-
      {
        "Servers": {
          "1": {
            "Name": "postgresql",
            "Group": "Servers",
            "Host": "postgresql",
            "Port": 5432,
            "MaintenanceDB": "postgres",
            "Username": "dbuser",
            "SSLMode": "prefer",
            "SSLCompression": 0,
            "Timeout": 0,
            "UseSSHTunnel": 0,
            "TunnelPort": "22",
            "TunnelAuthentication": 0
          }
        }
      }
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  metadata:
    name: pgadmin
    labels:
      app: pgadmin-app
  spec:
    replicas: 1
    selector:
      app: pgadmin-app
      deploymentconfig: pgadmin
    template:
      metadata:
        labels:
          app: pgadmin-app
          deploymentconfig: pgadmin
        name: pgadmin
      spec:
        serviceAccountName: pgadmin
        containers:
        - env:
          - name: PGADMIN_DEFAULT_EMAIL
            valueFrom:
              secretKeyRef:
                key: username
                name: pgadmin
          - name: PGADMIN_DEFAULT_PASSWORD
            valueFrom:
              secretKeyRef:
                key: password
                name: pgadmin
          - name: PGADMIN_LISTEN_PORT
            value: "5050"
          - name: PGADMIN_LISTEN_ADDRESS
            value: 0.0.0.0
          image: docker.io/dpage/pgadmin4:4
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            httpGet:
              path: /misc/ping
              port: 5050
              scheme: HTTP
            periodSeconds: 60
            successThreshold: 1
            timeoutSeconds: 1
          name: pgadmin
          ports:
            - containerPort: 5050
              protocol: TCP
          readinessProbe:
            failureThreshold: 10
            initialDelaySeconds: 3
            httpGet:
              path: /misc/ping
              port: 5050
              scheme: HTTP
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          volumeMounts:
          - mountPath: /pgadmin4/config_local.py
            name: pgadmin-config
            subPath: config_local.py
          - mountPath: /pgadmin4/servers.json
            name: pgadmin-config
            subPath: servers.json
          - mountPath: /var/lib/pgadmin
            name: pgadmin-data
        - image: docker.io/openshift/oauth-proxy:latest
          name: pgadmin-oauth-proxy
          ports:
          - containerPort: 5051
            protocol: TCP
          args:
          - --http-address=:5051
          - --https-address=
          - --openshift-service-account=pgadmin
          - --upstream=http://localhost:5050
          # Example value only: generate a random cookie secret and supply it from a Secret.
          - --cookie-secret=bdna987REWQ1234
        volumes:
        - name: pgadmin-config
          configMap:
            name: pgadmin
            defaultMode: 0664
        - name: pgadmin-data
          emptyDir: {}
- apiVersion: v1
  kind: Service
  metadata:
    name: pgadmin-oauth-proxy
    labels:
      app: pgadmin-app
  spec:
    ports:
      - name: 80-tcp
        protocol: TCP
        port: 80
        targetPort: 5051
    selector:
      app: pgadmin-app
      deploymentconfig: pgadmin
- apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    labels:
      app: pgadmin-app
    name: pgadmin
  spec:
    port:
      targetPort: 80-tcp
    tls:
      insecureEdgeTerminationPolicy: Redirect
      termination: edge
    to:
      kind: Service
      name: pgadmin-oauth-proxy
```
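The caveat in this answer (every path in config_local.py must sit strictly below the writable mount, never on the mount point itself) is easy to get wrong when the ConfigMap is edited later. The following added example (not code from the answer or from pgAdmin) loads the answer's own config_local.py text the way pgadmin does, since the file is plain Python, and checks the parent directory of each path setting against the writable mounts from the DeploymentConfig. The config text and the mount list are embedded here so the check runs offline.

```python
"""Check that pgadmin's config_local.py paths live strictly below a writable mount.

Added example. pgadmin creates and chowns the directory holding each of these
files, which fails when that directory is the mount point itself or lies
outside any writable volume.
"""
import posixpath

# config_local.py exactly as the answer's ConfigMap defines it.
CONFIG_LOCAL = """
import os
_BASEDIR = '/var/lib/pgadmin/data'
LOG_FILE = os.path.join(_BASEDIR, 'logfile')
SQLITE_PATH = os.path.join(_BASEDIR, 'sqlite.db')
STORAGE_DIR = os.path.join(_BASEDIR, 'storage')
SESSION_DB_PATH = os.path.join(_BASEDIR, 'sessions')
"""

# Writable volume mounts from the answer's DeploymentConfig (emptyDir at /var/lib/pgadmin).
WRITABLE_MOUNTS = ["/var/lib/pgadmin"]

# The settings in config_local.py that name files pgadmin must be able to create.
PATH_SETTINGS = ("LOG_FILE", "SQLITE_PATH", "STORAGE_DIR", "SESSION_DB_PATH")


def load_config(text: str) -> dict:
    """Execute the config (plain Python, as pgadmin itself imports it) and keep the path settings."""
    namespace = {}
    exec(text, namespace)
    return {key: namespace[key] for key in PATH_SETTINGS if key in namespace}


def strictly_below(path: str, mount: str) -> bool:
    """True if path is inside mount but is not mount itself."""
    path, mount = posixpath.normpath(path), posixpath.normpath(mount)
    return path != mount and posixpath.commonpath([path, mount]) == mount


def check_layout(config: dict, mounts) -> dict:
    """Map each path setting to 'ok' or a description of the problem."""
    results = {}
    for key, path in config.items():
        parent = posixpath.dirname(posixpath.normpath(path))
        if any(parent == posixpath.normpath(m) for m in mounts):
            results[key] = f"parent {parent} is the mount point itself"
        elif any(strictly_below(parent, m) for m in mounts):
            results[key] = "ok"
        else:
            results[key] = f"parent {parent} is not under a writable mount"
    return results


if __name__ == "__main__":
    for key, verdict in check_layout(load_config(CONFIG_LOCAL), WRITABLE_MOUNTS).items():
        print(f"{key}: {verdict}")
    # Constructed variant with _BASEDIR set to the mount point, the case the answer warns about.
    broken = CONFIG_LOCAL.replace("/var/lib/pgadmin/data", "/var/lib/pgadmin")
    for key, verdict in check_layout(load_config(broken), WRITABLE_MOUNTS).items():
        print(f"{key}: {verdict}")
```

Running the block prints "ok" for all four settings of the answer's config and flags every setting of the constructed variant whose base directory equals the mount point. A log path left at the image default under /var/log/pgadmin is reported as outside any writable mount, which is the first of the two Permission Denied errors above.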