Running an apache container on a port > 1024
Question
I've built a docker image based on httpd:2.4 . In my k8s deployment I've defined the following securityContext :
securityContext:
privileged: false
runAsNonRoot: true
runAsUser: 431
allowPrivilegeEscalation: false
In order to get this container to run properly as non-root apache needs to be configured to bind to a port > 1024, as opposed to the default 80. As far as I can tell this means editing Listen 80 in httpd.conf to Listen {Some port > 1024} .
When I want to run the docker image I've build normally (ie on default port 80) I have the following port settings:
- deployment
-
spec.template.spec.containers[0].ports[0].containerPort: 80
-
- service
-
spec.ports[0].targetPort: 80 -
spec.ports[0].port: 8080
-
- ingress
-
spec.rules[0].http.paths[0].backend.servicePort: 8080
-
Given these settings the service becomes accessible at the host url provided in the ingress manifest. Again, this is without the changes to httpd.conf . When I make those changes (using Listen 8000 ), and add in the securityContext section to the deployment, I change the various manifests accordingly:
- deployment
-
spec.template.spec.containers[0].ports[0].containerPort: 8000
-
- service
-
spec.ports[0].targetPort: 8000 -
spec.ports[0].port: 8080
-
- ingress
-
spec.rules[0].http.paths[0].backend.servicePort: 8080
-
Yet for some reason, when I try to access a URL that should be working I get a 502 Bad Gateway error. Have I set the ports correctly? Is there something else I need to do?
2 answers
solution1
0 2019-07-05 21:47:43
Check if pod is Running
kubectl get pods
kubectl logs pod_name
Check if the URL is accessible within the pod
kubectl exec -it <pod_name> -- bash
$ curl http://localhost:8000
If the above didn't work, check your httpd.conf.
Check with the service name
kubectl exec -it <ingress pod_name> -- bash
$ curl http://svc:8080
You can check ingress logs too.
solution2
0 2019-07-08 08:47:47
In order to get this container to run properly as non-root apache needs to be configured to bind to a port > 1024, as opposed to the default 80
You got it, that's the hard requirement in order to make the apache container running as non-root, therefore this change needs to be done at container level, not to Kubernetes' abstracts like Deployment's Pod spec or Service/Ingress resource object definitions. So the only thing left in your case, is to build a custom httpd image, with listening port > 1024. The same approach applies to the NGINX Docker containers.
One key information for the 'containerPort' field in Pod spec, that you are trying to manually adjust, and which is not so apparent. It's there primarily for informational purposes, and does not cause opening port on container level. According Kubernetes API reference :
Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.
I hope this will help you to move on
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.