[英]'realpath(): Permission denied' when running dotnet ef command as non-root in dotnet/sdk:3.1-bullseye container on k8s
A container meant to run database migrations works locally, on Docker for Mac, but fails on Kubernetes, repeatedly logging用于运行数据库迁移的容器在本地工作,在 Mac 上的 Docker 上,但在 Kubernetes 上失败,重复记录
realpath(): Permission denied
Failed to resolve full path of the current executable [/proc/self/exe]
I have an image built from the following Dockerfiles (other descendents of base not included)我有一个从以下 Dockerfiles 构建的图像(不包括 base 的其他后代)
#Dockerfile.base
FROM mcr.microsoft.com/dotnet/sdk:3.1-bullseye
RUN dotnet tool install --global dotnet-ef
ENV PATH="$PATH:/root/.dotnet/tools"
ADD event_processor/dotnet /app
ADD classification_registry/topic_registry /app/topic_registry
WORKDIR /app
and和
#Dockerfile.migrate
FROM app-base
ENV DOTNET_CLI_HOME=/app
RUN addgroup --system --gid 1000 app \
&& adduser --home /app --system --uid 2000 --ingroup app --shell /bin/sh appmigrate
RUN chown -R appmigrate /app
RUN chown -R appmigrate /root/.dotnet/tools
RUN chown -R appmigrate /tmp
USER appmigrate
ENV PATH="$PATH:/app/.dotnet/tools"
RUN dotnet tool install --global dotnet-ef
so if we let unique-image-ref
be a unique tag for this built image, I am able to run the container locally, as I expect with所以如果我们让
unique-image-ref
成为这个构建图像的唯一标签,我就可以在本地运行容器,正如我所期望的那样
$ docker run -it --rm --user 2000 unique-image-ref dotnet-ef database update
Build started...
Build succeeded.
Configuring DB Access for migrations...
No migrations were applied. The database is already up to date.
Done.
So far so good.到目前为止,一切都很好。 The problem arises in the Kubernetes cluster, when a Job is configured to run this container, with the following container definition
问题出现在 Kubernetes 集群中,当一个 Job 配置为运行这个容器时,容器定义如下
containers:
- name: my-app-migration
image: unique-image-ref
imagePullPolicy: Always
workingDir: /app
command: ["dotnet-ef"]
args:
- database
- update
envFrom:
- configMapRef:
name: app-conf
- secretRef:
name: app-secret
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 2000
When I examine the logs from the container, I see nothing but the error (at the top of this post).当我检查容器中的日志时,我只看到错误(在这篇文章的顶部)。
Any suggestions would be welcomed.任何建议都会受到欢迎。
I did find a solution, though I cannot articulate exactly how this change effects the fix.我确实找到了解决方案,但我无法准确说明此更改如何影响修复。
containers:
- name: my-app-migration
image: unique-image-ref
imagePullPolicy: Always
workingDir: /app
command: ["/bin/sh"]
args: ["-c", "dotnet-ef --project=Seismic.NotificationEventProcessor.RecoveryQueue database update"]
envFrom:
- configMapRef:
name: app-conf
- secretRef:
name: app-secret
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 2000
So the fix is to invoke the command from a new shell , and pass the command to execute as a string (hence -c
).所以解决方法是从新的 shell 调用命令,并将命令作为字符串传递(因此
-c
)。 But realistically, the details of this escape me.但实际上,这个细节让我无法理解。
I hope this helps someone else out with a very obscure error message.我希望这可以帮助其他人解决非常晦涩的错误消息。 If anyone cares to expand on the underlying behavior, I would be glad to understand the relationships among docker, kubernetes, and bash in this regard.
如果有人愿意扩展基本行为,我很高兴了解 docker、kubernetes 和 bash 在这方面的关系。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.