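I want to deploy an Apache server on OpenShift. My server runs fine locally, but when I deploy it on OpenShift I run into the following problem:
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
A possible cause may be that Apache runs as the root user, and OpenShift does not allow that!
Can anyone help me?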
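Answer 0: (score: 1)
Port 80 is a reserved port, and the default OpenShift Security Context Constraints do not allow containers to run on that port.
You should use a container image that runs on a port such as 8080 or 8443.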
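An added example, not part of the original thread: a pre-deployment check that lists the `Listen` directives in an httpd configuration that need a privileged port (below 1024), and rewrites 80 and 443 to the 8080 and 8443 ports named in the answer above. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and remap Apache "Listen" directives for a
# container that runs without root (cannot bind ports below 1024).

# Constructed sample configuration, not a real deployment's httpd.conf.
sample_conf() {
    cat <<'EOF'
# constructed sample
ServerRoot "/usr/local/apache2"
#Listen 12.34.56.78:80
Listen 80
Listen [::]:443 https
Listen 0.0.0.0:8081
EOF
}

# privileged_listens FILE: print "lineno:port" for every active Listen
# directive whose port is below 1024. Commented-out lines are ignored.
privileged_listens() {
    awk '
        tolower($1) == "listen" {
            port = $2
            sub(/^.*:/, "", port)   # drop an "0.0.0.0:" or "[::]:" prefix
            if (port ~ /^[0-9]+$/ && port + 0 < 1024) print NR ":" port
        }' "$1"
}

# remap_listens FILE: print the configuration with 80 -> 8080 and
# 443 -> 8443. Other privileged ports are left untouched so that
# privileged_listens still reports them for a manual decision.
remap_listens() {
    awk '
        tolower($1) == "listen" {
            n = split($2, parts, ":")
            if (parts[n] == "80") sub(/[0-9]+$/, "8080", $2)
            else if (parts[n] == "443") sub(/[0-9]+$/, "8443", $2)
        }
        { print }' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_conf > "$tmp"
echo "privileged before:"; privileged_listens "$tmp"
remap_listens "$tmp" > "$tmp.new"
echo "privileged after:";  privileged_listens "$tmp.new"
rm -f "$tmp" "$tmp.new"
```

The Service or Route in front of the pod can still expose port 80 externally while the container itself listens on 8080.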
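Answer 1: (score: 0)
Try the following configuration; for more details, refer to Enable Container Images that Require Root.
If you are running the httpd pod as the default serviceaccount, you can grant the anyuid scc to run as the root user. You should restart the pod for the change to take effect.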
# oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default
# oc adm policy add-scc-to-user anyuid -z default
# oc delete pod <your pod name>
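UPDATE: Basically, unless you run with the hostnetwork scc, port 80 will not conflict with port 80 on the host.
This is because the container is isolated from the host network using the kernel's namespace feature.
My test evidence is as follows.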
--- haproxy is already running with 80 port on the host.
# ss -ntlpo | grep -w :80
LISTEN 0 128 *:80 *:* users:(("haproxy",pid=22603,fd=6))
--- Create a project for testing
# oc new-project httpd-test
--- Create a httpd pod
# oc new-app --name httpd24 --docker-image=docker.io/httpd
--- Check the state of the pod
# oc get pod
NAME READY STATUS RESTARTS AGE
httpd24-1-hhp6g 0/1 CrashLoopBackOff 8 19m
# oc logs httpd24-1-hhp6g
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.201. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
--- Configure "anyuid" for running the httpd pod with 80 port
# oc get pod httpd24-1-hhp6g -o yaml | grep -wi serviceaccountname
serviceAccountName: default
# oc adm policy add-scc-to-user anyuid -z default
scc "anyuid" added to: ["system:serviceaccount:httpd-test:default"]
# oc delete pod httpd24-1-hhp6g
pod "httpd24-1-hhp6g" deleted
--- Check the state of httpd pod again
# oc get pod
NAME READY STATUS RESTARTS AGE
httpd24-1-9djkv 1/1 Running 0 1m
# oc logs httpd24-1-9djkv
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.202. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.202. Set the 'ServerName' directive globally to suppress this message
[Mon May 06 12:10:47.487909 2019] [mpm_event:notice] [pid 1:tid 139699524075584] AH00489: Apache/2.4.39 (Unix) configured -- resuming normal operations
[Mon May 06 12:10:47.488232 2019] [core:notice] [pid 1:tid 139699524075584] AH00094: Command line: 'httpd -D FOREGROUND'
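I hope it helps you.
Answer 2: (score: 0)
I encourage you to use the existing RHEL7-based Apache server image
registry.redhat.io/rhscl/httpd-24-rhel7
These images support S2I, expose port 8080, and can run with any UID (not root). You can use the following template: https://github.com/openshift/library/blob/master/official/httpd/imagestreams/httpd-rhel7.json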