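How to change the user and group owner of a VolumeMount

Problem description

I want to set up a pod with two containers running inside it that try to access the mounted file /var/run/udspath. In the container serviceC, I need to change the file and group owner of /var/run/udspath, so I added a command to the YAML file. But it doesn't work.

kubectl apply didn't complain, but the container serviceC was not created. Without this "command: ['/bin/sh', '-c', 'sudo chown 1337:1337 /var/run/udspath']", the container can be created.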

apiVersion: v1
kind: Service
metadata:
  name: clitool
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
  selector:
    app: httpbin
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  creationTimestamp: null
  name: clitool
spec:
  replicas: 1
  strategy: {}
  template:
    metadata:
      annotations:
        sidecar.istio.io/status: '{"version":"1c09c07e5751560367349d807c164267eaf5aea4018b4588d884f7d265cf14a4","initContainers":["istio-init"],"containers":["serviceC"],"volumes":["istio-envoy","istio-certs"],"imagePullSecrets":null}'
      creationTimestamp: null
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: 
        name: serviceA
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /var/run/udspath
          name: sdsudspath
      - image: 
        imagePullPolicy: IfNotPresent
        name: serviceB
        ports:
        - containerPort: 8000
        resources: {}
      - args:
        - proxy
        - sidecar
        - --configPath
        - /etc/istio/proxy
        - --binaryPath
        - /usr/local/bin/envoy
        - --serviceCluster
        - httpbin
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --discoveryAddress
        - istio-pilot.istio-system:15007
        - --discoveryRefreshDelay
        - 1s
        - --zipkinAddress
        - zipkin.istio-system:9411
        - --connectTimeout
        - 10s
        - --statsdUdpAddress
        - istio-statsd-prom-bridge.istio-system:9125
        - --proxyAdminPort
        - "15000"
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: ISTIO_META_INTERCEPTION_MODE
          value: REDIRECT
        image: 
        imagePullPolicy: IfNotPresent
        command: ["/bin/sh"]
        args: ["-c", "sudo chown 1337:1337 /var/run/udspath"]
        name: serviceC
        resources:
          requests:
            cpu: 10m
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          runAsUser: 1337
        volumeMounts:
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/certs/
          name: istio-certs
          readOnly: true
        - mountPath: /var/run/udspath
          name: sdsudspath
      initContainers:
      - args:
        - -p
        - "15001"
        - -u
        - "1337"
        - -m
        - REDIRECT
        - -i
        - '*'
        - -x
        - ""
        - -b
        - 8000,
        - -d
        - ""
        image: docker.io/quanlin/proxy_init:180712-1038
        imagePullPolicy: IfNotPresent
        name: istio-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
      volumes:
      - name: sdsudspath
        hostPath:
          path: /var/run/udspath
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.default
status: {}
---

kubectl describe pod xxx shows

  serviceC:
    Container ID:  
    Image:         
    Image ID:      
    Port:          <none>
    Command:
      /bin/sh
    Args:
      -c
      sudo chown 1337:1337 /var/run/udspath
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Mon, 30 Jul 2018 10:30:04 -0700
      Finished:     Mon, 30 Jul 2018 10:30:04 -0700
    Ready:          False
    Restart Count:  2
    Requests:
      cpu:  10m
    Environment:
      POD_NAME:                      clitool-5d548b856-6v9p9 (v1:metadata.name)
      POD_NAMESPACE:                 default (v1:metadata.namespace)
      INSTANCE_IP:                    (v1:status.podIP)
      ISTIO_META_POD_NAME:           clitool-5d548b856-6v9p9 (v1:metadata.name)
      ISTIO_META_INTERCEPTION_MODE:  REDIRECT
    Mounts:
      /etc/certs/ from certs (ro)
      /etc/istio/proxy from envoy (rw)
      /var/run/udspath from sdsudspath (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-g2zzv (ro)

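Tags: kubernetes

Solution

More information would be helpful. Like what error you are getting.

However, it really depends on what is defined in the entrypoint or cmd of ServiceC's Dockerfile.

Mapping between Docker and Kubernetes:

Docker Entrypoint --> Pod command (the command run by the container)
Docker cmd --> Pod args (the arguments passed to the command)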

https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
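
Added example, not part of the original question or answer: in the manifest above, `command: ["/bin/sh"]` replaces the image's ENTRYPOINT, so serviceC only runs the chown and exits with code 0, which matches the `Completed` / `CrashLoopBackOff` state in the describe output. One way to keep the sidecar's ENTRYPOINT intact is to do the ownership change in an init container. The pod name, the init container name, the `busybox:1.36` image and the image placeholder are assumptions.

```yaml
# Added example, not the asker's manifest. Values marked "assumed" are illustrative.
apiVersion: v1
kind: Pod
metadata:
  name: clitool-example                # assumed name
spec:
  initContainers:
  - name: fix-uds-owner                # assumed name
    image: busybox:1.36                # assumed image; any image with sh and chown works
    # An init container is expected to run to completion before the app
    # containers start, so exit code 0 here is success, not a crash loop.
    command: ["sh", "-c", "chown 1337:1337 /var/run/udspath"]
    securityContext:
      runAsUser: 0                     # changing the owner to another uid needs root
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: ["CHOWN"]                 # the only capability this step needs
    volumeMounts:
    - mountPath: /var/run/udspath
      name: sdsudspath
  containers:
  - name: serviceC
    image: PLACEHOLDER_SERVICEC_IMAGE  # placeholder; the page elides the image
    # No `command:` here, so the image's ENTRYPOINT still runs.
    # `args:` only replaces the image's CMD.
    args: ["proxy", "sidecar"]         # first two args from the question; the rest omitted
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true
      runAsUser: 1337                  # same uid the init container handed the path to
    volumeMounts:
    - mountPath: /var/run/udspath
      name: sdsudspath
  volumes:
  - name: sdsudspath
    hostPath:
      path: /var/run/udspath           # hostPath: the chown changes ownership on the node itself
```

Because the volume is a hostPath, the ownership change persists on the node and is visible to every other pod that mounts the same path.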
