OCI运行时创建失败:container_linux.go:345

时间:2020-02-21 13:06:20

标签: docker go github google-kubernetes-engine github-actions

当前,我们正在从GitLab迁移到GitHub,并且我们决定将CI / CD流程移至GitHub操作。管道过程的工作原理很吸引人,但是当GKE尝试旋转新推送的图像时,它会返回此错误:

'OCI runtime create failed: container_linux.go:345: starting container process caused "exec: \"/socket-server\": permission denied": unknown'

重要的是要在此指出整个过程都在GitLab上进行。无论如何,GitHub工作流yaml文件看起来像这样:

name: Build and deploy
on:
  - push
  - pull_request

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: fusion-engineering/setup-git-credentials@v2
        with:
          credentials: https://${{ secrets.MACHINE_ACCOUNT_ACCESS_TOKEN }}:x-oauth-basic@github.com/

      - name: Setup environment
        shell: bash
        run: |
          echo "::set-env name=GOPATH::${{ github.workspace }}/go"
          echo "::add-path::${{ github.workspace }}/go/bin"

      - name: Install Go
        uses: actions/setup-go@v1
        with:
          go-version: 1.12.4

      - name: Checkout code
        uses: actions/checkout@v2
        with:
          path: go/src/github.com/${{ github.repository }}

      - name: Prepare environment
        run: |
          cd $GOPATH/src/github.com/${{ github.repository }}
          make prepare

      - name: Format code
        run: |
          cd $GOPATH/src/github.com/${{ github.repository }}
          make fmt && git diff --exit-code

      - name: Lint code
        run: |
          cd $GOPATH/src/github.com/${{ github.repository }}
          make lint

      - name: Vet code
        run: |
          cd $GOPATH/src/github.com/${{ github.repository }}
          make vet

      - name: Test code
        run: |
          cd $GOPATH/src/github.com/${{ github.repository }}
          make cover

      - name: Build code
        run: |
          cd $GOPATH/src/github.com/${{ github.repository }}
          make build

      - name: Upload artifact
        uses: actions/upload-artifact@v1
        with:
          name: socket-server
          path: go/src/github.com/${{ github.repository }}/socket-server

  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    needs: [build]
    if: contains(github.ref, 'refs/tags')

    steps:
      - name: Set release version
        run: echo ::set-env name=CI_COMMIT_TAG::${GITHUB_REF/refs\/tags\//}

      - name: Checkout code
        uses: actions/checkout@v2

      - name: Get artifact from build step
        uses: actions/download-artifact@v1
        with:
          name: socket-server

      - name: Set ci auth
        run: echo ::set-env name=CI_AUTH::$(cat ci_auth.json | base64)

      - uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
        with:
          service_account_key: ${{ env.CI_AUTH }}

      - name: Configure gcloud docker authentication
        run: |
          gcloud config set project foo
          gcloud auth configure-docker

      - name: Build, push and deploy container
        run: |
          bash deploy.sh

deploy.sh文件如下:

#!/bin/bash

if [[ -z "${CI_COMMIT_TAG}" ]]; then
    echo "CI_COMMIT_TAG is empty, this stage should not run"
    exit 0
fi

export ENV="stage"

if [[ "$CI_COMMIT_TAG" != "${CI_COMMIT_TAG%-release}" ]]; then
    export ENV="prod"
fi

echo "Current environment: $ENV"

make deploy

Makefile中的部署步骤如下:

deploy:
    ( echo "cat <<EOF" ; cat k8s.yml.template; ) | sh > k8s-${ENV}.yml
    docker build --no-cache \
    --build-arg RELEASE=${CI_COMMIT_TAG} \
    --build-arg ENV=${ENV} \
    -t gcr.io/foo/socket-server:${CI_COMMIT_TAG} .
    docker push gcr.io/foo/socket-server:${CI_COMMIT_TAG}
    gcloud container clusters get-credentials api-${ENV} --zone=europe-west1-b
    kubectl apply -f k8s-${ENV}.yml

Dockerfile看起来像这样:

FROM alpine:latest as certs
RUN apk --update add ca-certificates

FROM scratch
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

ARG RELEASE
ARG ENV

ADD ./socket-server /socket-server
ADD ./config.yml /config.yml
ADD ./dbconfig.yml /dbconfig.yml
ADD ./migrations /migrations

ENV SOCKET_SERVER_SENTRY_DSN https://foo@sentry.io/bar
ENV SOCKET_SERVER_SENTRY_RELEASE $RELEASE
ENV SOCKET_SERVER_SENTRY_ENVIRONMENT $ENV

CMD ["/socket-server", "--port", "9345", "--host", ""]

我已经尝试在管道上以及Dockerfile(as suggested here)中chmod +x socket-server。当我在Dockerfile中执行此操作时,它失败并显示以下错误:

Step 14/15 : RUN chmod +x socket-server
 ---> Running in 9c66aef0c35b
OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"/bin/sh\": stat /bin/sh: no such file or directory": unknown

我是不是在GitHub工作流程中缺少某些东西,还是有人看到我看不到的东西?感谢您的帮助!

2 个答案:

答案 0 :(得分:0)

您可以在另一个包含chmod二进制文件的阶段中运行chmod,然后将具有更正权限的文件复制到基于刮擦的最终阶段:

FROM alpine:latest as certs
RUN apk --update add ca-certificates

FROM alpine:latest as binaries
COPY ./socket-server /socket-server
RUN chmod 755 /socket-server

FROM scratch
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

COPY --from=binaries /socket-server /
COPY ./config.yml /config.yml
COPY ./dbconfig.yml /dbconfig.yml
COPY ./migrations /migrations

ARG RELEASE
ARG ENV

ENV SOCKET_SERVER_SENTRY_DSN https://foo@sentry.io/bar
ENV SOCKET_SERVER_SENTRY_RELEASE $RELEASE
ENV SOCKET_SERVER_SENTRY_ENVIRONMENT $ENV

CMD ["/socket-server", "--port", "9345", "--host", ""]

请注意,由于您不想解压缩binaries / yml文件或从远程http服务器提取它们,因此我也已从ADD切换为COPY。而且我还将ARG条目移到了您使用它们的位置,以避免过早破坏缓存(这里不是问题,但与RUN命令有关)。

答案 1 :(得分:0)

因此,我发现上载的工件被管道放置在一个文件夹中。因此socket-server是目录,而不是预期的可执行文件。我通过更改此方法进行了修复:

- name: Get artifact from build step
        uses: actions/download-artifact@v1
        with:
          name: socket-server


- name: Get artifact from build step
        uses: actions/download-artifact@v1
        with:
          name: socket-server
          path: .
相关问题
最新问题