[英]Using docker socket in Kubernetes pod
I want to prune docker images, I wrote a small Docker image using node-docker-api
and I was able to test it locally with success.我想修剪docker 图像,我使用
node-docker-api
编写了一个小的 Docker 图像,并且能够成功地在本地对其进行测试。
As I've deployed the DaemonSet
to Kubernetes, the pod fails to access the Docker socket:由于我已将
DaemonSet
部署到 Kubernetes,因此 pod 无法访问 Docker 套接字:
Error: connect EACCES /var/run/docker.sock
The deployment.yaml
looks as following: deployment.yaml
如下所示:
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
labels:
name: docker-image-cleanup
name: docker-image-cleanup
spec:
template:
metadata:
labels:
app: docker-image-cleanup
spec:
volumes:
- name: docker-sock
hostPath:
path: "/var/run/docker.sock"
type: File
- name: docker-directory
hostPath:
path: "/var/lib/docker"
containers:
- name: docker-image-cleanup
image: image:tag
securityContext:
privileged: true
env:
- name: PRUNE_INTERVAL_SECONDS
value: "30"
- name: PRUNE_DANGLING
value: "true"
volumeMounts:
- mountPath: /var/run/docker.sock
name: docker-sock
readOnly: false
- mountPath: "/var/lib/docker"
name: docker-directory
readOnly: false
Running AKS v1.13.10 - if relevant运行 AKS v1.13.10 - 如果相关
There is no guarantee that your kubernetes cluster is actually using docker as container engine.不能保证您的 kubernetes 集群实际上使用 docker 作为容器引擎。 As there are many alternatives like cri-o and kata containers your application/deployment should make no assumptions about the underlying container engine.
由于有许多替代方案,例如 cri-o 和 kata 容器,因此您的应用程序/部署不应对底层容器引擎做出任何假设。
Kubernetes takes care about cleaning up unused container images automatically. Kubernetes 负责自动清理未使用的容器映像。 See documentation on how to configure it, if you run the cluster yourself: https://kubernetes.io/docs/concepts/cluster-administration/kubelet-garbage-collection/
如果您自己运行集群,请参阅有关如何配置它的文档: https://kubernetes.io/docs/concepts/cluster-administration/kubelet-garbage-collection/
Aside from that it looks like you have a simple permission problem with the socket: Make sure your application in the cleanup container runs as root or has appropriate user to access the socket.除此之外,您似乎对套接字有一个简单的权限问题:确保您在清理容器中的应用程序以 root 身份运行或具有适当的用户来访问套接字。
I've added runAsUser: 0
to the container properties:我已将
runAsUser: 0
添加到容器属性中:
containers:
- name: docker-image-cleanup
image: image:tag
securityContext:
privileged: true
runAsUser: 0
Now it works现在它可以工作了
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.