Problem: Deploying Artifactory as a Deployment in Kubernetes. The VolumeMounts are being mounted as root:artifact with permissions drwxr-sr-x
/var/opt/jfrog/artifactory
drwxr-sr-x 2 root artifact 4096 Jan 24 17:52 etc
/var/opt/jfrog/artifactory/etc
-rw-r--r-- 1 root artifact 1048 Jan 24 17:48 artifactory.config.import.yml
-rw-r--r-- 1 root artifact 12703 Jan 24 17:48 artifactory.system.properties
Expected: the volume mounts should be mounted as artifactory:artifactory with read/write permissions.
The Kubernetes manifest is incomplete due to restrictions.
spec:
  securityContext:
    runAsUser: 1030
    runAsGroup: 1030
    fsGroup: 1030
  volumeMounts:
    - name: artifactory-volume
      mountPath: "/var/opt/jfrog/artifactory"
    - name: bootstrap
      mountPath: "/var/opt/jfrog/artifactory/etc/artifactory.config.import.yml"
      subPath: bootstrap
    - name: artifactory-system-properties
      mountPath: "/var/opt/jfrog/artifactory/etc/artifactory.system.properties"
      subPath: artifactory.system.properties
  resources:
    limits:
      cpu: "3"
      memory: 6Gi
    requests:
      cpu: "2"
      memory: 4Gi
  volumes:
    - name: bootstrap
      secret:
        secretName: artifactory6170-artifactory
    - name: artifactory-system-properties
      configMap:
        name: artifactory6170-artifactory-system-properties
    - name: artifactory-volume
      persistentVolumeClaim:
        claimName: artifactory6170-artifactory
Kubernetes version:
Server Version: version.Info{
    Major: "1",
    Minor: "14",
    GitVersion: "v1.14.1",
    GitCommit: "b7394102d6ef778017f2ca4046abbaa23b88c290",
    GitTreeState: "clean",
    BuildDate: "2019-04-08T17:02:58Z",
    GoVersion: "go1.12.1",
    Compiler: "gc",
    Platform: "linux/amd64"
}
I believe the security context covers what is needed:
runAsUser: 1030
Runs the processes as 1030.
runAsGroup: 1030
When runAsGroup is specified, any files created will also be owned by user 1030 and group 1030.
fsGroup: 1030
The owner of any volumes attached will be group ID 1099.
Dockerfile path:
Not sure why the container ends up with the wrong user ownership; any help would be much appreciated.
Error:
kubectl logs artifactory6170-artifactory-756cffb9-68zjj
2020-01-26 12:28:13 [719 entrypoint-artifactory.sh] Preparing to run Artifactory in Docker
2020-01-26 12:28:13 [720 entrypoint-artifactory.sh] Running as uid=1030(artifactory) gid=1030(artifactory) groups=1030(artifactory)
2020-01-26 12:28:13 [57 entrypoint-artifactory.sh] Dockerfile for this image can found inside the container.
2020-01-26 12:28:13 [58 entrypoint-artifactory.sh] To view the Dockerfile: 'cat /docker/artifactory-pro/Dockerfile.artifactory'.
2020-01-26 12:28:13 [63 entrypoint-artifactory.sh] Checking open files and processes limits
2020-01-26 12:28:13 [66 entrypoint-artifactory.sh] Current max open files is 1048576
2020-01-26 12:28:13 [78 entrypoint-artifactory.sh] Current max open processes is unlimited
2020-01-26 12:31:13 [211 entrypoint-artifactory.sh] Testing directory /var/opt/jfrog/artifactory has read/write permissions for user 'artifactory' (id 1030)
/entrypoint-artifactory.sh: line 180: /var/opt/jfrog/artifactory/etc/test-permissions: Permission denied
2020-01-26 12:31:13 [229 entrypoint-artifactory.sh] ###########################################################
2020-01-26 12:31:13 [230 entrypoint-artifactory.sh] /var/opt/jfrog/artifactory DOES NOT have proper permissions for user 'artifactory' (id 1030)
2020-01-26 12:31:13 [231 entrypoint-artifactory.sh] Directory: /var/opt/jfrog/artifactory, permissions: 2775, owner: artifactory, group: artifactory
2020-01-26 12:31:13 [232 entrypoint-artifactory.sh] Mounted directory must have read/write permissions for user 'artifactory' (id 1030)
2020-01-26 12:31:13 [233 entrypoint-artifactory.sh] ###########################################################
2020-01-26 12:31:13 [47 entrypoint-artifactory.sh] ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030)
All I had to do was add an initContainer, mount the ConfigMaps under /tmp and move them to the required path /var/opt/jfrog/artifactory/etc/, instead of mounting the ConfigMaps inside the volume mount /var/opt/jfrog/artifactory.
Reason: ConfigMaps are read-only, so /etc was, and always will be, read-only.
initContainers:
  - name: "grant-permissions"
    image: "busybox:1.26.2"
    securityContext:
      runAsUser: 0   # runs as root so it can chown the PVC contents for uid 1030
    imagePullPolicy: "IfNotPresent"
    command:
      - 'sh'
      - '-c'
      - 'mkdir /var/opt/jfrog/artifactory/etc ; cp -vf /tmp/artifactory* /var/opt/jfrog/artifactory/etc ; chown -R 1030:1030 /var/opt/jfrog/ ; rm -rfv /var/opt/jfrog/artifactory/lost+found'
    volumeMounts:
      - mountPath: "/var/opt/jfrog/artifactory"
        name: artifactory-volume
      # the projected files are mounted under /tmp, outside the PVC, and copied in above
      - name: bootstrap
        mountPath: "/tmp/artifactory.config.import.yml"
        subPath: bootstrap
        readOnly: false
      - name: artifactory-system-properties
        mountPath: "/tmp/artifactory.system.properties"
        subPath: artifactory.system.properties
        readOnly: false
Then mount the volume into the main container that runs Artifactory:
containers:
  - name: artifactory
    image: "registry.eu02.dsg.arm.com/sqa/artifactory-pro:6.17.0"
    volumeMounts:
      - name: artifactory-volume
        mountPath: "/var/opt/jfrog/artifactory"
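The pattern the answer above moves away from, a secret or configMap file projected with subPath into a directory that lives on the PVC, can be caught before deployment. The following is an added example, not code from the question, the answer or the Artifactory chart: a small linter over a Pod spec that has already been loaded into a dict (for instance with yaml.safe_load). It flags every configMap/secret-type mount whose mountPath sits below a writable volume's mountPath in the same container, which is exactly the layout that produced the root-owned drwxr-sr-x etc directory in the question. The two specs at the bottom are constructed from the manifests on this page; the broken one reproduces the original mounts, the fixed one reproduces the init-container staging via /tmp. Names such as find_nested_config_mounts and the volume-type sets are this example's own.

```python
import posixpath
from typing import Dict, List

# Volume sources the kubelet projects into the container read-only.
PROJECTED_TYPES = {"configMap", "secret", "projected", "downwardAPI"}
# Volume sources the application is expected to write into.
WRITABLE_TYPES = {"persistentVolumeClaim", "emptyDir", "hostPath"}


def volume_type(volume: Dict) -> str:
    """Return the volume source key of a spec.volumes entry, e.g. 'secret'."""
    sources = [k for k in volume if k != "name"]
    return sources[0] if sources else "unknown"


def is_nested(child: str, parent: str) -> bool:
    """True if mount path `child` lies strictly below mount path `parent`."""
    child = posixpath.normpath(child)
    parent = posixpath.normpath(parent)
    return child != parent and child.startswith(parent.rstrip("/") + "/")


def find_nested_config_mounts(pod_spec: Dict) -> List[str]:
    """Flag projected (configMap/secret) mounts placed inside a writable volume.

    The mount-point directory for such a file is created on the writable volume
    before the container starts; in the question it came out as root-owned
    drwxr-sr-x, so uid 1030 could not write next to the projected file.
    """
    vol_types = {v["name"]: volume_type(v) for v in pod_spec.get("volumes", [])}
    findings = []
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for container in containers:
        mounts = container.get("volumeMounts", [])
        for m in mounts:
            if vol_types.get(m["name"]) not in PROJECTED_TYPES:
                continue
            for parent in mounts:
                if parent is m or vol_types.get(parent["name"]) not in WRITABLE_TYPES:
                    continue
                if is_nested(m["mountPath"], parent["mountPath"]):
                    findings.append(
                        f"container '{container['name']}': {vol_types[m['name']]} "
                        f"'{m['name']}' at {m['mountPath']} lies inside "
                        f"{vol_types[parent['name']]} '{parent['name']}' "
                        f"({parent['mountPath']}); its parent directory will be "
                        f"root-owned on that volume. Project it elsewhere (e.g. /tmp) "
                        f"and copy it in with an init container."
                    )
    return findings


# Constructed from the manifest in the question (pod spec only, volumes trimmed).
BROKEN_SPEC = {
    "securityContext": {"runAsUser": 1030, "runAsGroup": 1030, "fsGroup": 1030},
    "containers": [{
        "name": "artifactory",
        "volumeMounts": [
            {"name": "artifactory-volume", "mountPath": "/var/opt/jfrog/artifactory"},
            {"name": "bootstrap", "subPath": "bootstrap",
             "mountPath": "/var/opt/jfrog/artifactory/etc/artifactory.config.import.yml"},
            {"name": "artifactory-system-properties", "subPath": "artifactory.system.properties",
             "mountPath": "/var/opt/jfrog/artifactory/etc/artifactory.system.properties"},
        ],
    }],
    "volumes": [
        {"name": "bootstrap", "secret": {"secretName": "artifactory6170-artifactory"}},
        {"name": "artifactory-system-properties",
         "configMap": {"name": "artifactory6170-artifactory-system-properties"}},
        {"name": "artifactory-volume",
         "persistentVolumeClaim": {"claimName": "artifactory6170-artifactory"}},
    ],
}

# Constructed from the fix in the answer: project under /tmp in an init
# container, copy onto the PVC there, and mount only the PVC afterwards.
FIXED_SPEC = {
    "securityContext": BROKEN_SPEC["securityContext"],
    "initContainers": [{
        "name": "grant-permissions",
        "volumeMounts": [
            {"name": "artifactory-volume", "mountPath": "/var/opt/jfrog/artifactory"},
            {"name": "bootstrap", "subPath": "bootstrap",
             "mountPath": "/tmp/artifactory.config.import.yml"},
            {"name": "artifactory-system-properties", "subPath": "artifactory.system.properties",
             "mountPath": "/tmp/artifactory.system.properties"},
        ],
    }],
    "containers": [{
        "name": "artifactory",
        "volumeMounts": [{"name": "artifactory-volume", "mountPath": "/var/opt/jfrog/artifactory"}],
    }],
    "volumes": BROKEN_SPEC["volumes"],
}

if __name__ == "__main__":
    for label, spec in (("broken", BROKEN_SPEC), ("fixed", FIXED_SPEC)):
        print(label, find_nested_config_mounts(spec) or "OK")
```

Run against the broken spec the linter reports both projected files under /var/opt/jfrog/artifactory/etc; against the fixed spec it reports nothing, because /tmp is not below the PVC mount and the main container no longer mounts the projected volumes at all. The check is deliberately path-based and does not inspect the cluster, so it works as a pre-commit or CI step on rendered manifests.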
As described here, here, here and here, you cannot change the permissions of a mounted directory.
As a workaround, you can use an initContainer, which runs before the actual container,
to change the permissions on the directory:
initContainers:
  - name: volume-mount
    image: busybox
    command: ["sh", "-c", "chown -R 1030:1030 <your_directory>"]
    volumeMounts:
      - name: <your volume>
        mountPath: <your mountPath>