[英]Run Azure Self-hosted agent with podman as unpriviliged container on Kubernetes
I am deploying an Azure Self hosted agent on a Kubernetes Cluster 1.22+ following steps in: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/docker?view=azure-devops#linuxInstructions I am deploying an Azure Self hosted agent on a Kubernetes Cluster 1.22+ following steps in: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/docker?view=azure-devops#linuxInstructions
I am adding podman to self hosted agent as container manager, following code is added to self hosted agent Dockerfile:我将 podman 添加到自托管代理作为容器管理器,以下代码添加到自托管代理 Dockerfile:
# install podman
ENV VERSION_ID=20.04
RUN apt-get update -y && apt-get install curl wget gnupg2 -y && . ./etc/os-release && sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list" && wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- | apt-key add - && apt-get update -y && apt-get -y install podman && podman --version
Everything runs smoothly when running the container in privileged mode.在特权模式下运行容器时,一切运行顺利。
...
securityContext:
privileged: true
...
When swith to privileged: false
and try to connect to podman, I get following error当切换到
privileged: false
并尝试连接到 podman 时,我收到以下错误
level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: permission denied
the Command I use for connecting is:我用于连接的命令是:
podman login private.container.registry \
--username $USER \
--password $PASS \
--storage-opt mount_program=/usr/bin/fuse-overlayfs
How can I use podman with unprivileged mode?如何在非特权模式下使用 podman?
Issue was related to Containerd's apparmor profile denying the mount
syscall, I fixed it for now by disabling apparmor for the container while running unprivileged mode问题与 Containerd 的 apparmor 配置文件拒绝
mount
系统调用有关,我现在通过在运行非特权模式时禁用容器的 apparmor 来修复它
...
template:
metadata:
labels:
app: vsts-agent-2
annotations:
container.apparmor.security.beta.kubernetes.io/kubepodcreation: unconfined
...
securityContext:
privileged: false #true
A better way would be creating an apparmor profile that allows the mount
and apply it to the container更好的方法是创建一个允许
mount
并将其应用于容器的 apparmor 配置文件
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.