Run Azure Self-hosted agent with podman as unprivileged container on Kubernetes

I am deploying an Azure self-hosted agent on a Kubernetes cluster 1.22+ following the steps in: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/docker?view=azure-devops#linuxInstructions

I am adding podman to the self-hosted agent as the container manager; the following code is added to the self-hosted agent Dockerfile:

# install podman
ENV VERSION_ID=20.04

# Add the kubic libcontainers repository for this Ubuntu release, then install podman
RUN apt-get update -y && apt-get install curl wget gnupg2 -y \
    && . /etc/os-release \
    && sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" \
    && wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- | apt-key add - \
    && apt-get update -y \
    && apt-get -y install podman \
    && podman --version

Everything runs smoothly when running the container in privileged mode.

...
        securityContext:
          privileged: true
...

When switching to privileged: false and trying to connect to podman, I get the following error:

level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: permission denied

The command I use for connecting is:

podman login private.container.registry \
    --username $USER \
    --password $PASS \
    --storage-opt mount_program=/usr/bin/fuse-overlayfs

How can I use podman in unprivileged mode?

The issue was related to containerd's AppArmor profile denying the mount syscall. I fixed it for now by disabling AppArmor for the container while running in unprivileged mode:

...
  template:
    metadata:
      labels:
        app: vsts-agent-2
      annotations:
        container.apparmor.security.beta.kubernetes.io/kubepodcreation: unconfined
...
        securityContext:
          privileged: false #true

A better way would be to create an AppArmor profile that allows the mount and apply it to the container.
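The "better way" the answer suggests, a dedicated AppArmor profile instead of unconfined, as an added example that is not part of the original question or answer. It assumes the node runs AppArmor with apparmor_parser installed, that the agent container is named kubepodcreation (the name used in the answer's annotation), and that the Deployment is called vsts-agent-2 (a placeholder taken from the pod label above). The profile follows the shape of containerd's runtime default: that default contains a "deny mount," rule, which is what produces the "permission denied" on the overlay mount, and the example replaces it with an explicit "mount," while keeping the /proc and /sys hardening rules, so the agent is no longer fully unconfined.

```shell
#!/bin/sh
# Added example, not from the original post. "install-profile" and "denials"
# run as root on each Kubernetes node; "patch" runs wherever kubectl works.
# Assumptions: AppArmor and apparmor_parser are present on the node, the
# agent container is named "kubepodcreation" (from the post's annotation),
# and the Deployment is "vsts-agent-2" (placeholder, from the pod label).
set -eu

PROFILE_NAME="podman-unprivileged"
CONTAINER_NAME="kubepodcreation"
DEPLOYMENT_NAME="vsts-agent-2"

# Write the profile into the given directory (normally /etc/apparmor.d).
# Trimmed from the shape of containerd's runtime default: "deny mount," is
# replaced by "mount,"; the /proc and /sys hardening below is kept.
write_profile() {
  dir="$1"
  cat > "$dir/$PROFILE_NAME" <<EOF
#include <tunables/global>

profile $PROFILE_NAME flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  # The one difference from the runtime default: podman needs mount for
  # fuse-overlayfs storage and for the bind/tmpfs/proc mounts of its containers.
  mount,

  # Hardening kept from the runtime default (trimmed; copy the rest from the
  # node's own default profile if you want it identical).
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,

  ptrace (trace,read) peer=$PROFILE_NAME,
}
EOF
}

# Load (or reload) the profile into the kernel and confirm it is enforced.
# A pod whose annotation names a profile the node does not have fails to
# start, so this must be done on every node that may schedule the agent.
load_profile() {
  apparmor_parser -r -W "/etc/apparmor.d/$PROFILE_NAME"
  grep -qx "$PROFILE_NAME (enforce)" /sys/kernel/security/apparmor/profiles
}

# Strategic-merge patch that points the agent container at the new profile
# instead of "unconfined".
annotation_patch() {
  printf '{"spec":{"template":{"metadata":{"annotations":{"container.apparmor.security.beta.kubernetes.io/%s":"localhost/%s"}}}}}' \
    "$CONTAINER_NAME" "$PROFILE_NAME"
}

# Node-side check: anything the profile still blocks is logged by the kernel
# as an AppArmor DENIED event; its operation= and name= fields say which
# rule is missing.
recent_denials() {
  dmesg | grep 'apparmor="DENIED"' | grep "profile=\"$PROFILE_NAME\"" || true
}

case "${1:-}" in
  install-profile) write_profile /etc/apparmor.d && load_profile ;;
  patch)           kubectl patch deployment "$DEPLOYMENT_NAME" -p "$(annotation_patch)" ;;
  denials)         recent_denials ;;
  *)               echo "usage: $0 install-profile|patch|denials" ;;
esac
```

Run "install-profile" on each node first, then "patch" once; if podman still fails with permission denied, "denials" on the node where the pod landed shows the exact operation and path the profile rejects, which is the rule to add next, rather than falling back to unconfined.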
