
Using docker socket in Kubernetes pod

I want to prune Docker images. I wrote a small Docker image using node-docker-api and was able to test it locally with success.
Since deploying the DaemonSet to Kubernetes, the pod fails to access the Docker socket:

Error: connect EACCES /var/run/docker.sock

The deployment.yaml looks as follows:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    name: docker-image-cleanup
  name: docker-image-cleanup
spec:
  template:
    metadata:
      labels:
        app: docker-image-cleanup
    spec:
      volumes:
        - name: docker-sock
          hostPath:
            path: "/var/run/docker.sock"
            type: File
        - name: docker-directory
          hostPath:
            path: "/var/lib/docker"

      containers:
        - name: docker-image-cleanup
          image: image:tag
          securityContext:
            privileged: true
          env:
            - name: PRUNE_INTERVAL_SECONDS
              value: "30"
            - name: PRUNE_DANGLING
              value: "true"
          volumeMounts:
            - mountPath: /var/run/docker.sock
              name: docker-sock
              readOnly: false
            - mountPath: "/var/lib/docker"
              name: docker-directory
              readOnly: false

Running AKS v1.13.10, if relevant.

There is no guarantee that your Kubernetes cluster is actually using Docker as its container engine. As there are many alternatives, like cri-o and Kata Containers, your application/deployment should make no assumptions about the underlying container engine.

Kubernetes takes care of cleaning up unused container images automatically. See the documentation on how to configure it, if you run the cluster yourself: https://kubernetes.io/docs/concepts/cluster-administration/kubelet-garbage-collection/

Aside from that, it looks like you have a simple permission problem with the socket: make sure your application in the cleanup container runs as root or as an appropriate user that can access the socket.
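To make the "simple permission problem" concrete, here is an added example (my own code, not from the question, the answer, or node-docker-api) that applies the POSIX owner/group/other rule to a Unix socket the way the kernel does before returning EACCES. The sample socket values (root-owned, group gid 999 standing in for the host's `docker` group, mode 0660) are constructed; the third scenario, a non-root user that is granted the socket's group via `supplementalGroups`, is my assumption of an alternative to `runAsUser: 0` and is not something the answer proposes.

```python
import os
import stat
from typing import Iterable, Tuple

# Constructed sample, not taken from the original post: a docker.sock as it is
# commonly found on a host (owner root, group "docker", srw-rw----).
# gid 999 for the "docker" group is an assumption; it differs per host.
SAMPLE_SOCKET = {"mode": 0o660, "uid": 0, "gid": 999}


def explain_socket_access(mode: int, owner_uid: int, owner_gid: int,
                          uid: int, gids: Iterable[int]) -> Tuple[bool, str]:
    """Decide read+write access under the classic owner/group/other rule.

    Returns (allowed, reason). Talking to a Unix socket needs both read and
    write permission, so a process that lands in the 'other' class of a
    0660 socket is refused with EACCES, which is exactly the error the pod saw.
    """
    gids = set(gids)
    if uid == 0:
        # Root bypasses mode bits; this is what runAsUser: 0 relies on.
        return True, "uid 0 (root) bypasses file mode bits"
    if uid == owner_uid:
        bits, who = (mode >> 6) & 0o7, f"owner uid {owner_uid}"
    elif owner_gid in gids:
        bits, who = (mode >> 3) & 0o7, f"member of gid {owner_gid}"
    else:
        bits, who = mode & 0o7, f"'other' (uid {uid} is not owner, not in gid {owner_gid})"
    need = 0o6  # read + write
    if bits & need == need:
        return True, f"{who} has rw ({oct(bits)})"
    return False, f"{who} lacks rw ({oct(bits)}) -> EACCES"


def explain_real_socket(path: str = "/var/run/docker.sock") -> Tuple[bool, str]:
    """Run the same check against a real path with this process's credentials.

    Stat failures are returned as a reason instead of raised, so the function
    is safe to call on hosts (or in containers) where the socket is absent.
    """
    try:
        st = os.stat(path)
    except OSError as exc:
        return False, f"cannot stat {path}: {exc.strerror}"
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{path} is not a Unix socket"
    # getgroups() may omit the effective gid on some platforms, so add it.
    gids = set(os.getgroups()) | {os.getgid()}
    return explain_socket_access(stat.S_IMODE(st.st_mode), st.st_uid,
                                 st.st_gid, os.getuid(), gids)


if __name__ == "__main__":
    s = SAMPLE_SOCKET
    scenarios = [
        ("non-root app user (uid 1000)", 1000, [1000]),
        ("runAsUser: 0 (as in the follow-up)", 0, [0]),
        ("uid 1000 + supplementalGroups [999] (assumed alternative)", 1000, [1000, 999]),
    ]
    for label, uid, gids in scenarios:
        ok, why = explain_socket_access(s["mode"], s["uid"], s["gid"], uid, gids)
        print(f"{label:58s} {'ok  ' if ok else 'DENY'} {why}")
    print(explain_real_socket())
```

Running the block shows the first scenario denied and the other two allowed, which is the gap between "works locally" (where the developer is typically root or in the `docker` group) and "EACCES in the pod" (where the image's default user is neither). The `explain_real_socket` call at the end reports what the current process would get on this machine.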

I've added runAsUser: 0 to the container properties:

containers:
  - name: docker-image-cleanup
    image: image:tag
    securityContext:
      privileged: true
      runAsUser: 0

Now it works.
