
Running an apache container on a port > 1024

I've built a docker image based on httpd:2.4. In my k8s deployment I've defined the following securityContext:

securityContext:
  privileged: false
  runAsNonRoot: true
  runAsUser: 431
  allowPrivilegeEscalation: false

In order to get this container to run properly as non-root, apache needs to be configured to bind to a port > 1024, as opposed to the default 80. As far as I can tell this means editing Listen 80 in httpd.conf to Listen {Some port > 1024}.

When I want to run the docker image I've built normally (ie on default port 80) I have the following port settings:

  • deployment
    • spec.template.spec.containers[0].ports[0].containerPort : 80
  • service
    • spec.ports[0].targetPort : 80
    • spec.ports[0].port : 8080
  • ingress
    • spec.rules[0].http.paths[0].backend.servicePort : 8080

Given these settings the service becomes accessible at the host url provided in the ingress manifest. Again, this is without the changes to httpd.conf. When I make those changes (using Listen 8000), and add in the securityContext section to the deployment, I change the various manifests accordingly:

  • deployment
    • spec.template.spec.containers[0].ports[0].containerPort : 8000
  • service
    • spec.ports[0].targetPort : 8000
    • spec.ports[0].port : 8080
  • ingress
    • spec.rules[0].http.paths[0].backend.servicePort : 8080

Yet for some reason, when I try to access a URL that should be working I get a 502 Bad Gateway error. Have I set the ports correctly? Is there something else I need to do?

Check if the pod is Running

kubectl get pods
kubectl logs pod_name

Check if the URL is accessible within the pod

kubectl exec -it <pod_name> -- bash
$ curl http://localhost:8000

If the above didn't work, check your httpd.conf.

Check with the service name

kubectl exec -it <ingress pod_name> -- bash
$ curl http://svc:8080

You can check ingress logs too.

In order to get this container to run properly as non-root apache needs to be configured to bind to a port > 1024, as opposed to the default 80

You got it, that's the hard requirement in order to make the apache container run as non-root, therefore this change needs to be done at container level, not to Kubernetes abstractions like the Deployment's Pod spec or Service/Ingress resource object definitions. So the only thing left in your case is to build a custom httpd image, with listening port > 1024. The same approach applies to the NGINX Docker containers.

One key piece of information about the 'containerPort' field in the Pod spec, which you are trying to adjust manually, and which is not so apparent: it's there primarily for informational purposes, and does not cause a port to be opened at container level. According to the Kubernetes API reference:

Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.

I hope this will help you to move on.
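As an added example that is not part of the question or of either answer: a small Python check that walks the same port chain the question lists (ingress servicePort, service port, service targetPort, and finally the port apache actually binds through its Listen directive) and flags the two things that combine to produce the 502 here, a Listen port below 1024 under runAsNonRoot and a targetPort that nothing in the container listens on. It also carries the container-level Listen rewrite the second answer calls for, so the same check can be re-run against the rebuilt image's httpd.conf. The manifests and httpd.conf text are constructed dicts and strings in the shape of kubectl get -o json output, not data from a real cluster, and the function and constant names (rewrite_listen, listen_ports, check_port_chain, UNPRIVILEGED_MIN_PORT) are assumptions of this example.

```python
import re

# First port an unprivileged process can bind without CAP_NET_BIND_SERVICE
# (constructed constant name for this example).
UNPRIVILEGED_MIN_PORT = 1024


def rewrite_listen(httpd_conf, port):
    """Return httpd.conf text with every active Listen directive pointed at `port`.

    This is the change that has to live in the image (for example a sed run
    in the Dockerfile before `docker build`), not in any Kubernetes manifest.
    Commented-out `#Listen` lines are left untouched.
    """
    if port < UNPRIVILEGED_MIN_PORT:
        raise ValueError(f"port {port} cannot be bound by a non-root apache")
    return re.sub(r"(?m)^[ \t]*Listen[ \t]+\S+[ \t]*$", f"Listen {port}", httpd_conf)


def listen_ports(httpd_conf):
    """Ports apache will really bind, taken from the active Listen lines.

    Accepts `Listen 8000`, `Listen 0.0.0.0:8000` and `Listen [::]:8000`.
    """
    ports = set()
    for match in re.finditer(r"(?m)^[ \t]*Listen[ \t]+(\S+)", httpd_conf):
        ports.add(int(match.group(1).rsplit(":", 1)[-1]))
    return ports


def check_port_chain(httpd_conf, deployment, service, ingress):
    """Return findings explaining why a request would not reach apache.

    Walks ingress servicePort -> service port -> service targetPort -> Listen.
    containerPort is reported only as a warning: as the API reference quoted
    above says, it is informational and neither opens nor blocks a port.
    """
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    container = pod_spec["containers"][0]
    # Container-level securityContext overrides pod-level fields of the same name.
    sec = dict(pod_spec.get("securityContext", {}))
    sec.update(container.get("securityContext", {}))
    container_port = container["ports"][0]["containerPort"]
    svc_port = service["spec"]["ports"][0]
    ing_port = ingress["spec"]["rules"][0]["http"]["paths"][0]["backend"]["servicePort"]
    bound = listen_ports(httpd_conf)

    non_root = sec.get("runAsNonRoot") or sec.get("runAsUser", 0) != 0
    if non_root:
        for port in sorted(bound):
            if port < UNPRIVILEGED_MIN_PORT:
                findings.append(f"Listen {port} cannot be bound as non-root; httpd exits and the pod crash-loops")
    if ing_port != svc_port["port"]:
        findings.append(f"ingress servicePort {ing_port} != service port {svc_port['port']}")
    if svc_port["targetPort"] not in bound:
        findings.append(f"service targetPort {svc_port['targetPort']} is not a Listen port {sorted(bound)}: expect 502")
    if container_port not in bound:
        findings.append(f"warning: containerPort {container_port} does not match Listen {sorted(bound)} (informational only)")
    return findings


# Constructed sample data mirroring the ports listed in the question.
ORIGINAL_HTTPD_CONF = 'ServerRoot "/usr/local/apache2"\nListen 80\n#Listen 12.34.56.78:80\nServerName localhost\n'

DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [{
    "name": "httpd",
    "securityContext": {"privileged": False, "runAsNonRoot": True,
                        "runAsUser": 431, "allowPrivilegeEscalation": False},
    "ports": [{"containerPort": 8000}],
}]}}}}
SERVICE = {"spec": {"ports": [{"port": 8080, "targetPort": 8000}]}}
INGRESS = {"spec": {"rules": [{"http": {"paths": [{"backend": {"servicePort": 8080}}]}}]}}


def demo():
    """Run the check against the stock image's conf and against a rebuilt one."""
    before = check_port_chain(ORIGINAL_HTTPD_CONF, DEPLOYMENT, SERVICE, INGRESS)
    rebuilt_conf = rewrite_listen(ORIGINAL_HTTPD_CONF, 8000)
    after = check_port_chain(rebuilt_conf, DEPLOYMENT, SERVICE, INGRESS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("stock httpd:2.4 conf with the question's manifests:")
    for finding in before:
        print("  -", finding)
    print("conf rebuilt with Listen 8000:", after or "no findings")
```

With the unmodified httpd:2.4 conf the check reports that Listen 80 cannot be bound as user 431 and that targetPort 8000 has no listener, which is exactly the situation behind the 502; after rewriting the conf to Listen 8000 (the change that must be baked into the image) the same manifests pass clean, which is why adjusting containerPort alone changes nothing.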
