
issue with ownership on mounted volumes in a Kubernetes Pod

I am trying to get a stateful PostgreSQL running in a tanzu k8s cluster...

~> kubectl version
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.8", GitCommit:"5575935422cc1cf5169dfc8847cb587aa47bac5a", GitTreeState:"clean", BuildDate:"2021-06-16T13:00:45Z", GoVersion:"go1.15.13", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.8+vmware.1", GitCommit:"3e397df2f5dadadfa35958ec45c14b0e81abc25f", GitTreeState:"clean", BuildDate:"2021-06-21T16:59:40Z", GoVersion:"go1.15.13", Compiler:"gc", Platform:"linux/amd64"}

and have some trouble with it.

I use a custom image where postgres runs as the postgres user and 3 volumes should be mounted. Now it seems k8s mounts those volumes as root:root and, due to that, the pod never spins up, with this error message:

> kcl logs statefulset.apps/postgres-stateful
starting up postgres docker image:
postgres -D /opt/db/data/postgres/data
+ echo 'starting up postgres docker image:'
+ echo postgres -D /opt/db/data/postgres/data
+ '[' '!' -d /opt/db/data/postgres/data ']'
+ '[' '!' -O /opt/db/data/postgres/data ']'
+ mkdir -p /opt/db/data/postgres/data
+ chmod 700 /opt/db/data/postgres/data
chmod: changing permissions of '/opt/db/data/postgres/data': Operation not permitted

This relates to the docker-entrypoint.sh running inside the container upon creation. Now I have come to the point where it looks like I have to make sure the container is being run by the postgres user (which is defined in the USER directive of the Dockerfile my custom image is based upon). When I run the image directly (either podman run... or kubectl run...) everything works.

I found this thread on the issue, which implies this being a solution:

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  # specification of the pod's containers
  # ...
  securityContext:
    fsGroup: 1234

I have adopted this pattern in the statefulSet I am using, but seem not to be able to make it work.

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres-stateful
  labels:
    app: postgres
spec:
  serviceName: "postgres"
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
      - name: postgres
        image: docker-dev-local.intern.net/ina/postgresql:14.1-scm-debian-bullseye-build-74-4
        envFrom:
        - configMapRef:
            name: postgres-configuration
        ports:
        - containerPort: 5432
          name: postgresdb
        volumeMounts:
        - name: pv-data
          mountPath: /opt/db/data/postgres/data
        - name: pv-backup
          mountPath: /opt/db/backup/postgres
        - name: pv-arch
          mountPath: /opt/db/backup/postgres/arch
      securityContext:
        runAsUser: 1000   # postgres UID
        runAsGroup: 1000
        fsGroup: 1000
      volumes:
      - name: pv-data
        persistentVolumeClaim:
          claimName: pgdata33-pvc
      - name: pv-backup
        persistentVolumeClaim:
          claimName: pgbackup33-pvc
      - name: pv-arch
        persistentVolumeClaim:
          claimName: pgarch33-pvc

Now I am wondering whether the location of the securityContext (same level as containers & volumes) may be wrong. Can anybody kindly advise on this matter?

fsGroup requires support from the storage.

As you've confirmed, you are using hostPath volumes. In this case fsGroup is not supposed to work. It's disabled for hostPath for security reasons.

So yes, generally an init container (run under the root user) is the only viable option for hostPath.
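The manifest below is an added example, not part of the question or the answer, showing the init-container workaround the answer recommends applied to the StatefulSet from the question. The mount paths, the postgres UID 1000, the image name and the PVC names are taken from the question; the init container image (busybox:1.36) and the capability set it keeps are my assumptions. Note that the pod-level placement of securityContext in the question's manifest (spec.template.spec.securityContext) is the correct place for fsGroup; the setting is simply ignored for hostPath, which is why it appeared not to work.

```yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres-stateful
  labels:
    app: postgres
spec:
  serviceName: "postgres"
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      # Pod-level context: the main container runs as the postgres UID.
      # fsGroup is deliberately left out: it has no effect on hostPath volumes.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
      initContainers:
      # Runs once per pod start, as root, with only the capabilities that
      # chown/chmod need. It hands the mount points to UID 1000 so that the
      # entrypoint's "[ -O <dir> ]" ownership test from the question's log passes.
      - name: fix-volume-ownership
        image: busybox:1.36          # assumption: any image that ships chown/chmod will do
        command:
        - sh
        - -c
        - |
          set -eu
          for d in /opt/db/data/postgres/data /opt/db/backup/postgres /opt/db/backup/postgres/arch; do
            chown 1000:1000 "$d"                 # non-recursive: only the mount point itself
          done
          chmod 700 /opt/db/data/postgres/data   # what the entrypoint tried and failed to do
        securityContext:
          runAsUser: 0                 # container-level setting overrides the pod-level one
          runAsNonRoot: false
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["CHOWN", "FOWNER"]   # assumption: sufficient for root-owned, 0755 mount points
        volumeMounts:
        - name: pv-data
          mountPath: /opt/db/data/postgres/data
        - name: pv-backup
          mountPath: /opt/db/backup/postgres
        - name: pv-arch
          mountPath: /opt/db/backup/postgres/arch
      containers:
      - name: postgres
        image: docker-dev-local.intern.net/ina/postgresql:14.1-scm-debian-bullseye-build-74-4
        envFrom:
        - configMapRef:
            name: postgres-configuration
        ports:
        - containerPort: 5432
          name: postgresdb
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]              # postgres needs no capabilities once it owns its directories
        volumeMounts:
        - name: pv-data
          mountPath: /opt/db/data/postgres/data
        - name: pv-backup
          mountPath: /opt/db/backup/postgres
        - name: pv-arch
          mountPath: /opt/db/backup/postgres/arch
      volumes:
      - name: pv-data
        persistentVolumeClaim:
          claimName: pgdata33-pvc
      - name: pv-backup
        persistentVolumeClaim:
          claimName: pgbackup33-pvc
      - name: pv-arch
        persistentVolumeClaim:
          claimName: pgarch33-pvc
```

After `kubectl apply -f`, the ownership can be checked from inside the running pod with `kubectl exec postgres-stateful-0 -- stat -c '%u:%g %a' /opt/db/data/postgres/data`, which should report `1000:1000 700`. The init container is the only part of the pod that runs as root, so it is kept to a single chown/chmod, gets no secrets or environment from the configMap, and drops every capability it does not need; on a cluster where the PVCs are backed by a CSI driver that supports fsGroup, the init container can be removed and the original fsGroup setting used instead.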
