docker - 如何在 [1002120000, 1002129999] 范围内获取 UID:GID 以使其在 OpenShift 中运行？

问题描述

这适用于 OpenShift Container Platform 4.3。

考虑一下Dockerfile。

FROM eclipse-mosquitto

# Create folders
USER root

RUN mkdir -p /mosquitto/data /mosquitto/log

# mosquitto configuration
USER mosquitto

# This is crucial to me
COPY --chown=mosquitto:mosquitto ri45.conf /mosquitto/config/mosquitto.conf

EXPOSE 1883

而且，这是我的DeploymentYAML。

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mosquitto-broker
spec:
  selector:
    matchLabels:
      app: mosquitto-broker
  template:
    metadata:
      labels:
        app: mosquitto-broker
    spec:
      containers:
        - name: mosquitto-broker
          image: org/repo/eclipse-mosquitto:1.0.1
          imagePullPolicy: Always
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          volumeMounts:
            - name: mosquitto-data
              mountPath: /mosquitto/data
            - name: mosquitto-log
              mountPath: /mosquitto/log
          ports:
            - name: mqtt
              containerPort: 1883
      volumes:
        - name: mosquitto-log
          persistentVolumeClaim:
            claimName: mosquitto-log
        - name: mosquitto-data
          persistentVolumeClaim:
            claimName: mosquitto-data

当我oc create -f使用上述 YAML 进行操作时，我收到此错误，2020-06-02T07:59:59: Error: Unable to open log file /mosquitto/log/mosquitto.log for writing. 也许这是一个权限错误；不能说。无论如何，通过eclipse/mosquitto Dockerfile，我看到这mosquitto是一个具有 UID 和 GID 的用户1883。所以，我按照这里securityContext的描述添加了。

securityContext:
  fsGroup: 1883

当我进行oc create -f此修改时，我收到此错误 - securityContext.securityContext.runAsUser: Invalid value: 1883: must be in the ranges: [1002120000, 1002129999]。

这种添加initContainer设置权限的方法对我不起作用，因为我必须root这样做。

那么，如何使 Eclipse mosquitto 容器能够/mosquitto/log成功写入呢？

标签： dockerfilesystemsopenshiftaclmosquitto