[英]why I am getting Read only file system error from Nginx?
Dear K8S community Team,亲爱的 K8S 社区团队,
I am getting this error message from nginx when I deploy my application pod.当我部署我的应用程序 pod 时,我从 nginx 收到这条错误消息。 My application an angular6 app is hosted inside an nginx server, which is deployed as a docker container inside EKS.
我的应用程序 angular6 应用程序托管在 nginx 服务器内,该服务器部署为 EKS 内的 docker 容器。
I have my application configured as a “read-only container filesystem”, but I am using “ephemeral mounted” volume of type “emptyDir” in combination with a read-only filesystem.我将我的应用程序配置为“只读容器文件系统”,但我将“emptyDir”类型的“临时安装”卷与只读文件系统结合使用。
So I am not sure the reason of this following error:所以我不确定出现以下错误的原因:
2019/04/02 14:11:29 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system) nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (30: Read-only file system)
2019/04/02 14:11:29 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" 失败(30:只读文件系统)nginx: [emerg] mkdir() "/ var/cache/nginx/client_temp" 失败(30:只读文件系统)
My deployment.yaml
is:我的
deployment.yaml
是:
...
spec:
volumes:
- name: tmp-volume
emptyDir: {}
# Pod Security Context
securityContext:
fsGroup: 2000
containers:
- name: {{ .Chart.Name }}
volumeMounts:
- mountPath: /tmp
name: tmp-volume
image: "{{ .Values.image.name }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
securityContext:
readOnlyRootFilesystem: true
ports:
- name: http
containerPort: 80
protocol: TCP
...
nginx.conf is: nginx.conf 是:
...
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Turn off the bloody buffering to temp files
proxy_buffering off;
sendfile off;
keepalive_timeout 120;
server_names_hash_bucket_size 128;
# These two should be the same or nginx will start writing
# large request bodies to temp files
client_body_buffer_size 10m;
client_max_body_size 10m;
...
Seems like your nginx
is not running as root user.似乎您的
nginx
没有以 root 用户身份运行。
Since release 1.12.1-r2
, nginx daemon is being run as user 1001
.从
1.12.1-r2
,nginx 守护进程以用户1001
运行。
1.12.1-r2
1.12.1-r2
The nginx container has been migrated to a non-root container approach.
nginx 容器已经迁移到非 root 容器方式。 Previously the container run as root user and the nginx daemon was started as nginx user.
以前容器以 root 用户身份运行,nginx 守护进程以 nginx 用户身份启动。 From now own, both the container and the nginx daemon run as user 1001. As a consequence, the configuration files are writable by the user running the nginx process.
从现在起,容器和 nginx 守护进程都以用户 1001 的身份运行。因此,运行 nginx 进程的用户可以写入配置文件。
This is why you are unable to bind on port 80
, it's necessary to use port > 1000.这就是为什么您无法绑定端口
80
,必须使用端口 > 1000。
You should use:你应该使用:
ports:
- '80:8080'
- '443:8443'
and edit the nginx.conf so it listens on port 8080:并编辑 nginx.conf 使其侦听端口 8080:
server {
listen 0.0.0.0:8080;
...
Or run nginx as root: command: [ "/bin/bash", "-c", "sudo nginx -g 'daemon off;'" ]
或者以 root 身份运行 nginx:
command: [ "/bin/bash", "-c", "sudo nginx -g 'daemon off;'" ]
As already stated by Crou, the nginx image maintainers switched to a non-root-user-approach.正如 Crou 所说,nginx 图像维护者切换到非 root 用户方法。
This has two implications:这有两个含义:
You can try to change the ports as described by Crou (nginx.conf and deployment.yaml).您可以尝试按照 Crou 的描述更改端口(nginx.conf 和 deployment.yaml)。 Even with the.NET_BIND_SERVICE capability added to the container, this does not neccessarily mean that the nginx process gets this capability.
即使将 .NET_BIND_SERVICE 功能添加到容器中,这也不一定意味着 nginx 进程获得此功能。 You can try to add the capability with
您可以尝试添加功能
$ sudo setcap 'cap_net_bind+p' $(which nginx)
as a RUN instruction in your Dockerfile. However it is usually simpler to just change the listening port.作为 Dockerfile 中的 RUN 指令。但是,仅更改侦听端口通常更简单。
For the filesystem, please note that /var/cache/nginx/
is not mounted as a volume and thus belongs to the RootFS which is mounted as read only.对于文件系统,请注意
/var/cache/nginx/
未挂载为卷,因此属于以只读方式挂载的 RootFS。 The simplest way to solve this, is to add a second epheremal emptyDir for /var/cache/nginx/
in the volumes
section.解决这个问题的最简单方法是在
volumes
部分为/var/cache/nginx/
添加第二个短暂的 emptyDir。 Please make sure, that the nginx user has the file system permissions to read and write this directory.请确保 nginx 用户具有读写该目录的文件系统权限。 This is usually already taken care of by the docker image maintainers as long as you stay with the default locations.
只要您留在默认位置,docker 图像维护者通常已经处理好了。
I recommend you to not switch back to running nginx as root as this might expose you to security vulnerabilities.我建议您不要切换回以 root 身份运行 nginx,因为这可能会使您面临安全漏洞。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.