I'm running an atmoz/sftp deployment on GKE for sftp. I successfully mounted a persistent volume and mounted the users' public keys via a configmap, but I can't get the host keys mounted, so every time the container restarts I get a warning telling me the host key has changed.
I tried mounting them into /etc/ssh and changing sshd_config, but nothing works: it shows "file already exists, overwrite? (y/n)" and, since this is inside the container, I can't answer it.
Even when I try to run a command, e.g. anything like echo, the container goes into CrashLoopBackOff.
My configmap:
apiVersion: v1
data:
  ssh_host_rsa_key: |
    <my key>
kind: ConfigMap
metadata:
  name: ssh-host-rsa
  namespace: default
My deployment YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
  name: sftp
  namespace: default
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: sftp
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: sftp
    spec:
      containers:
      - args:
        - client::::sftp
        env:
        - name: sftp
          value: "1"
        image: atmoz/sftp
        imagePullPolicy: IfNotPresent
        name: sftp
        ports:
        - containerPort: 22
          name: sftp
          protocol: TCP
        resources: {}
        securityContext:
          capabilities:
            add:
            - SYS_ADMIN
          procMount: Default
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /home/client/sftp
          name: sftp
        - mountPath: /home/client/.ssh/keys
          name: sftp-public-keys
        - mountPath: /etc/ssh
          name: ssh-host-ed25519
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 100
      terminationGracePeriodSeconds: 30
      volumes:
      - name: sftp
        persistentVolumeClaim:
          claimName: sftp-uat
      - configMap:
          defaultMode: 420
          name: sftp-public-keys
        name: sftp-public-keys
      - configMap:
          defaultMode: 420
          name: ssh-host-ed25519
        name: ssh-host-ed25519
Echo test:
containers:
- args:
  - client::::sftp
  env:
  - name: sftp
    value: "1"
  image: atmoz/sftp
  command:
  - "echo hi"
  imagePullPolicy: IfNotPresent
  name: sftp
  ports:
  - containerPort: 22
    name: sftp
    protocol: TCP
  resources: {}
  securityContext:
    capabilities:
      add:
      - SYS_ADMIN
    procMount: Default
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
  - mountPath: /home/client/sftp
    name: sftp
  - mountPath: /home/client/.ssh/keys
    name: sftp-public-keys
  - mountPath: /etc/ssh
    name: ssh-host-ed25519
Any ideas?
Answer 0 (score: 2)
Not sure if you're still looking for a way to keep the host keys persistent, but mounting the host-key secrets into their respective /etc/ssh/ files seems to work for me.
kind: Deployment
...
spec:
  template:
    spec:
      #secrets and config
      volumes:
      ...
      - name: sftp-host-keys
        secret:
          secretName: sftp-host-keys
          defaultMode: 0600
      ...
      containers:
      #the sftp server itself
      - name: sftp
        image: atmoz/sftp:latest
        ...
        volumeMounts:
        - mountPath: /etc/ssh/ssh_host_ed25519_key
          name: sftp-host-keys
          subPath: ssh_host_ed25519_key
          readOnly: true
        - mountPath: /etc/ssh/ssh_host_ed25519_key.pub
          name: sftp-host-keys
          subPath: ssh_host_ed25519_key.pub
          readOnly: true
        - mountPath: /etc/ssh/ssh_host_rsa_key
          name: sftp-host-keys
          subPath: ssh_host_rsa_key
          readOnly: true
        - mountPath: /etc/ssh/ssh_host_rsa_key.pub
          name: sftp-host-keys
          subPath: ssh_host_rsa_key.pub
          readOnly: true
        ...
---
apiVersion: v1
kind: Secret
metadata:
  name: sftp-host-keys
  namespace: sftp
stringData:
  ssh_host_ed25519_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----
  ssh_host_ed25519_key.pub: |
    ssh-ed25519 AAAA...
  ssh_host_rsa_key: |
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  ssh_host_rsa_key.pub: |
    ssh-rsa AAAA...
type: Opaque
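As an added example (not code from the question, either answer, or the atmoz/sftp project), the script below lints a Deployment for the host-key mounting mistakes discussed in this thread and checks that the layout from the answer above is in place: no whole-directory mount over /etc/ssh, host keys sourced from a Secret rather than a ConfigMap, each file mounted read-only through subPath, and defaultMode 0600. The two manifests embedded in it are constructed stand-ins for the question's and the answer's Deployments, passed as plain dicts; in real use they would come from a YAML loader such as PyYAML's yaml.safe_load (left out here so the script has no third-party dependency). The function and variable names are my own.

```python
"""Lint atmoz/sftp host-key mounts in a Kubernetes Deployment (added example)."""

# Files sshd expects under /etc/ssh for the two key types used in this thread.
HOST_KEY_FILES = {
    "ssh_host_ed25519_key", "ssh_host_ed25519_key.pub",
    "ssh_host_rsa_key", "ssh_host_rsa_key.pub",
}


def lint_host_key_mounts(deployment):
    """Return a list of findings for a Deployment dict; an empty list means the
    host keys are mounted the way the accepted answer describes."""
    findings = []
    spec = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}

    for c in spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            path = m["mountPath"].rstrip("/")
            if not path.startswith("/etc/ssh"):
                continue  # only host-key related mounts are of interest
            tag = f"{c['name']}:{path}"
            vol = volumes.get(m["name"], {})
            src = vol.get("secret") or vol.get("configMap") or {}

            # 1. A whole-directory mount hides sshd_config and every host key the
            #    image generates at start-up; that is what produces the
            #    "file already exists, overwrite?" prompt on each restart.
            if path == "/etc/ssh":
                findings.append(f"{tag}: whole-directory mount over /etc/ssh; "
                                "mount each key file with subPath instead")
            # 2. Private host keys are secret material, not configuration.
            if "configMap" in vol:
                findings.append(f"{tag}: host key material comes from ConfigMap "
                                f"{vol['configMap'].get('name')}; use a Secret")
            # 3. sshd refuses private keys that are group/world readable.
            #    Kubernetes' default file mode for volumes is 0644 (420 decimal).
            mode = src.get("defaultMode", 0o644)
            if mode & 0o077:
                findings.append(f"{tag}: defaultMode {mode:#o} is group/world "
                                "readable; use 0600")
            # 4. Nothing inside the container should be able to rewrite a host key.
            if not m.get("readOnly", False):
                findings.append(f"{tag}: mount is not readOnly")
            # 5. A per-file mount must select a known host-key file from the volume.
            if path != "/etc/ssh" and m.get("subPath") not in HOST_KEY_FILES:
                findings.append(f"{tag}: subPath {m.get('subPath')!r} is not a "
                                "host key file")
    return findings


def _deployment(mounts, volume):
    """Build a minimal Deployment dict around the given mounts and volume
    (constructed sample, only the fields the lint looks at)."""
    return {
        "kind": "Deployment",
        "spec": {"template": {"spec": {
            "containers": [{"name": "sftp", "image": "atmoz/sftp",
                            "volumeMounts": mounts}],
            "volumes": [volume],
        }}},
    }


# Constructed stand-in for the question: one ConfigMap mounted over all of /etc/ssh.
QUESTION_DEPLOYMENT = _deployment(
    [{"mountPath": "/etc/ssh", "name": "ssh-host-ed25519"}],
    {"name": "ssh-host-ed25519",
     "configMap": {"name": "ssh-host-ed25519", "defaultMode": 420}},
)

# Constructed stand-in for the answer: a Secret, one read-only subPath mount
# per file, defaultMode 0600 (YAML "0600" is octal, i.e. 384 decimal).
ANSWER_DEPLOYMENT = _deployment(
    [{"mountPath": f"/etc/ssh/{f}", "name": "sftp-host-keys",
      "subPath": f, "readOnly": True} for f in sorted(HOST_KEY_FILES)],
    {"name": "sftp-host-keys",
     "secret": {"secretName": "sftp-host-keys", "defaultMode": 0o600}},
)

if __name__ == "__main__":
    for label, d in (("question", QUESTION_DEPLOYMENT), ("answer", ANSWER_DEPLOYMENT)):
        found = lint_host_key_mounts(d)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run against the question's layout the lint reports four findings (directory overmount, ConfigMap source, mode 0644, not read-only); the answer's layout produces none. Note that `defaultMode: 0600` in YAML is parsed as an octal literal by Kubernetes and by PyYAML, so it is 384 in decimal, whereas the question's `defaultMode: 420` is 0644.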
Answer 1 (score: -1)
The error you are facing is because SSH requires special permissions on the RSA key file [1].
Your best option is to mount the configmap as readOnly. To do that, add the "readOnly: true" flag to your mounts. It should look like this [2]:
volumeMounts:
- mountPath: /home/client/sftp
  name: sftp
- mountPath: /home/client/.ssh/keys
  name: sftp-public-keys
  readOnly: true
- mountPath: /etc/ssh
  name: ssh-host-ed25519
  readOnly: true
Also, the "SYS_ADMIN" capability [3] should look like this:
securityContext:
  capabilities:
    add: ["SYS_ADMIN"]
[1] https://unix.stackexchange.com/questions/257590/ssh-key-permissions-chmod-settings