我正在尝试在OpenShift上运行部署配置。我的部署配置的一部分运行一个初始化容器,该容器在使用chown的持久卷上设置权限。当初始化容器启动时,它失败并且日志打印出“权限被拒绝”
这是我的初始化容器:
- apiVersion: v1
kind: DeploymentConfig
metadata:
name: ${NAME}-primary
namespace: ${NAMESPACE}
spec:
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
name: ${NAME}-primary
test-app: ${NAME}
spec:
serviceAccountName: ${SERVICE_ACCOUNT}
initContainers:
- name: set-volume-ownership
image: alpine:3.6
command: ["sh", "-c", "chown -R 1030:1030 /var/opt"]
volumeMounts:
- name: test-app-data
mountPath: /var/opt
我还在具有永久卷的nfs挂载上设置了chmod 777。
因此,我知道OpenShift默认情况下将pod作为随机UID运行。我知道我可以从我的部署配置中将服务帐户添加到scc anyuid,这将起作用,但是我不想这样做,因为这是安全问题,并且我的群集管理员不允许这样做。我该如何解决?我一直在阅读有关fsGroups的信息,但它们对我来说没有意义。有意见吗?
答案 0 :(得分:1)
OpenShift文档在Support Arbitrary User IDs部分中对此进行了一些讨论。
问题是您的初始化容器所运行的用户没有对该目录<%@ Register Assembly="Telerik.Web.UI" Namespace="Telerik.Web.UI" TagPrefix="telerik" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<link id="Link1" href="~/Styles/Site.css" rel="stylesheet" type="text/css" media="screen" runat="server" />
</head>
<body>
<form id="form1" runat="server" enableviewstate="True">
<telerik:RadScriptManager ID="RadScriptManager1" runat="server">
<Scripts>
<asp:ScriptReference Assembly="Telerik.Web.UI"
Name="Telerik.Web.UI.Common.Core.js">
</asp:ScriptReference>
<asp:ScriptReference Assembly="Telerik.Web.UI"
Name="Telerik.Web.UI.Common.jQuery.js">
</asp:ScriptReference>
<asp:ScriptReference Assembly="Telerik.Web.UI"
Name="Telerik.Web.UI.Common.jQueryInclude.js">
</asp:ScriptReference>
<asp:ScriptReference Assembly="Telerik.Web.UI" Name="Telerik.Web.UI.Common.Core.js"></asp:ScriptReference>
<asp:ScriptReference Assembly="Telerik.Web.UI" Name="Telerik.Web.UI.Common.jQuery.js"></asp:ScriptReference>
<asp:ScriptReference Assembly="Telerik.Web.UI"
Name="Telerik.Web.UI.Common.jQueryInclude.js"></asp:ScriptReference>
</Scripts>
</telerik:RadScriptManager>
<telerik:RadAjaxManager ID="RadAjaxManager1" runat="server" >
<AjaxSettings>
<telerik:AjaxSetting AjaxControlID="RadButton1">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="RadButton1" />
<telerik:AjaxUpdatedControl ControlID="InButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="OutButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="EndBreakButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="MessagePlaceholder" />
</UpdatedControls>
</telerik:AjaxSetting>
<telerik:AjaxSetting AjaxControlID="InBtn">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="IDtextbox" />
<telerik:AjaxUpdatedControl ControlID="PINtextbox" />
<telerik:AjaxUpdatedControl ControlID="RadButton1" />
<telerik:AjaxUpdatedControl ControlID="InButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="OutButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="EndBreakButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="AlertPlaceholder" />
</UpdatedControls>
</telerik:AjaxSetting>
<telerik:AjaxSetting AjaxControlID="OutBtn">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="IDtextbox" />
<telerik:AjaxUpdatedControl ControlID="PINtextbox" />
<telerik:AjaxUpdatedControl ControlID="RadButton1" />
<telerik:AjaxUpdatedControl ControlID="InButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="OutButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="EndBreakButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="AlertPlaceholder" />
</UpdatedControls>
</telerik:AjaxSetting>
<telerik:AjaxSetting AjaxControlID="StartBreakBtn">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="IDtextbox" />
<telerik:AjaxUpdatedControl ControlID="PINtextbox" />
<telerik:AjaxUpdatedControl ControlID="RadButton1" />
<telerik:AjaxUpdatedControl ControlID="InButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="OutButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="EndBreakButtonPlaceholder" />
</UpdatedControls>
</telerik:AjaxSetting>
<telerik:AjaxSetting AjaxControlID="EndBreakBtn">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="IDtextbox" />
<telerik:AjaxUpdatedControl ControlID="PINtextbox" />
<telerik:AjaxUpdatedControl ControlID="RadButton1" />
<telerik:AjaxUpdatedControl ControlID="InButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="OutButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="EndBreakButtonPlaceholder" />
</UpdatedControls>
</telerik:AjaxSetting>
<telerik:AjaxSetting AjaxControlID="ConfirmBtn">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="IDtextbox" />
<telerik:AjaxUpdatedControl ControlID="PINtextbox" />
<telerik:AjaxUpdatedControl ControlID="InButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="OutButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="EndBreakButtonPlaceholder" />
<telerik:AjaxUpdatedControl ControlID="MessagePlaceholder" />
</UpdatedControls>
</telerik:AjaxSetting>
<telerik:AjaxSetting AjaxControlID="CloseNoticeButton">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="AlertPlaceholder" />
</UpdatedControls>
</telerik:AjaxSetting>
</AjaxSettings>
</telerik:RadAjaxManager>
<div style="text-align:center">
<asp:TextBox ID="IDtextbox" runat="server" TextMode="Password"
Font-Size="Large"></asp:TextBox>
<asp:Label ID="Label2" runat="server" Text="Enter Employee Number"></asp:Label>
<asp:TextBox ID="PINtextbox" runat="server" TextMode="Password"
Font-Size="Large" MaxLength="4" Width="120px"></asp:TextBox>
<asp:Label ID="Label3" runat="server" Text="Enter PIN"></asp:Label><br />
<br />
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server"
ControlToValidate="PINtextbox" ErrorMessage="Please Enter Only Numbers"
ForeColor="Red" ValidationExpression="^\d+$" Display="Dynamic"
ValidationGroup="1"></asp:RegularExpressionValidator>
<asp:RegularExpressionValidator ID="RegularExpressionValidator2" runat="server"
ControlToValidate="IDtextbox" ErrorMessage="Please Enter Only Numbers"
ForeColor="Red" ValidationExpression="^\d+$" Display="Dynamic"
ValidationGroup="1"></asp:RegularExpressionValidator>
<telerik:RadButton ID="RadButton1" runat="server" Text="Log In"
onclick="RadButton1_Click" Height="75px" Width="200px"
Font-Size="XX-Large" ValidationGroup="1" >
</telerik:RadButton>
</div>
<asp:PlaceHolder ID="InButtonPlaceholder" runat="server">
<div style="text-align:center">
<telerik:RadButton ID="InBtn" runat="server" Text="Punch In" onclick="InBtn_Click" Height="75px" Width="200px"
Font-Size="XX-Large" >
</telerik:RadButton>
</div>
</asp:PlaceHolder>
<asp:PlaceHolder ID="OutButtonPlaceholder" runat="server" >
<div style="text-align:center">
<telerik:RadButton ID="OutBtn" runat="server" Text="Punch Out" onclick="OutBtn_Click" Height="75px" Width="200px"
Font-Size="XX-Large" CssClass="LargeButton" >
</telerik:RadButton>
<telerik:RadButton ID="StartBreakBtn" runat="server" Text="Start Break" onclick="StartBreakBtn_Click" Height="75px" Width="200px"
Font-Size="XX-Large" CssClass="LargeButton" >
</telerik:RadButton>
</div>
</asp:PlaceHolder>
<asp:PlaceHolder ID="EndBreakButtonPlaceholder" runat="server"
>
<div style="text-align:center">
<telerik:RadButton ID="EndBreakBtn" runat="server" Text="End Break" onclick="EndBreakBtn_Click" Height="75px" Width="200px"
Font-Size="XX-Large" >
</telerik:RadButton>
</div>
</asp:PlaceHolder><br /><br />
<asp:PlaceHolder ID="MessagePlaceholder" runat="server">
<div style="text-align:center; border:medium solid red;padding:20px">
<div id="div1" runat="server"></div>
<telerik:RadButton ID="ConfirmBtn" runat="server" Text="I have read this message" onclick="ConfirmBtn_Click" Height="75px" Width="550px"
Font-Size="XX-Large" AutoPostBack="True">
</telerik:RadButton>
</div>
</asp:PlaceHolder >
<asp:PlaceHolder ID="AlertPlaceholder" runat="server">
<div style="text-align:center; border:medium solid red;padding:20px">
<asp:Label ID="Label1" runat="server" Text="Note! This is outside your scheduled working hours and may be subject to review by management!"></asp:Label>
<br />
<br />
<telerik:RadButton ID="CloseNoticeButton" runat="server" Text="OK" Height="75px" Width="200px"
Font-Size="XX-Large" onclick="CloseNoticeButton_Click" CausesValidation="False">
</telerik:RadButton>
</div></asp:PlaceHolder>
<br />
<br />
<div style="text-align:center">
<img alt="" src="Images/LgCentralLogo.png" "width:250px height:auto"
width="250px" />
</div>
</form>
的写权限。
如果让initContainer运行/var/opt命令,则会看到您的uid和gid应该为1000000000+:0
在这种情况下,通常的策略是在运行时需要向任何地方写入的根组授予写入权限。这将允许您的运行时用户访问文件,因为尽管uid是随机生成的,但该组始终为0。
不幸的是,许多公共容器映像确实具有开箱即用的配置设置。
您可以在Red Hat基本图像中查看此示例。每个称为fix-permissions的基本容器映像中都有一个脚本,可以在应用程序/用户以后需要写入的任何位置运行该脚本。
在上述情况下,以下代码用于调整权限,以便以后ID为1000000000+:0的任意用户都可以向其写入。
id如果要在群集级别调整这些值,请在Project Config和Security Allocator Configuration部分的主控主机上的master-config.yml中设置UIDAllocatorRange的配置。
您还可以通过openshift.io/sa.scc.uid-range注释修改生成的uid的行为。可以在Understanding Pre-allocated Values and Security Context Constraints部分中找到讨论此问题的文档。