这是OpenShift Container Platform的 4.3 。
考虑这个Dockerfile。
FROM eclipse-mosquitto
# Create folders
USER root
RUN mkdir -p /mosquitto/data /mosquitto/log
# mosquitto configuration
USER mosquitto
# This is crucial to me
COPY --chown=mosquitto:mosquitto ri45.conf /mosquitto/config/mosquitto.conf
EXPOSE 1883
而且,这是我的
Deployment YAML。apiVersion: apps/v1
kind: Deployment
metadata:
name: mosquitto-broker
spec:
selector:
matchLabels:
app: mosquitto-broker
template:
metadata:
labels:
app: mosquitto-broker
spec:
containers:
- name: mosquitto-broker
image: org/repo/eclipse-mosquitto:1.0.1
imagePullPolicy: Always
resources:
limits:
memory: "128Mi"
cpu: "500m"
volumeMounts:
- name: mosquitto-data
mountPath: /mosquitto/data
- name: mosquitto-log
mountPath: /mosquitto/log
ports:
- name: mqtt
containerPort: 1883
volumes:
- name: mosquitto-log
persistentVolumeClaim:
claimName: mosquitto-log
- name: mosquitto-data
persistentVolumeClaim:
claimName: mosquitto-data
当我使用上述YAML进行
oc create -f时,出现此错误,2020-06-02T07:59:59: Error: Unable to open log file /mosquitto/log/mosquitto.log for writing.也许是权限错误;无法分辨。无论如何,通过 eclipse/mosquitto Dockerfile ,我看到mosquitto是UID和GID为1883的用户。因此,我按照here所述添加了securityContext。securityContext:
fsGroup: 1883
当我使用此修改执行
oc create -f时,出现此错误-securityContext.securityContext.runAsUser: Invalid value: 1883: must be in the ranges: [1002120000, 1002129999]。此approach of adding an
initContainer 设置音量许可对我不起作用,因为我必须是root才能做到这一点。那么,如何使Eclipse mosquitto容器成功写入
/mosquitto/log? 最佳答案
这里有很多事情要解决。
首先,您应该确保确实要将配置文件烘烤到容器镜像中。通常,配置文件通过ConfigMaps或Secrets添加为configuration in cloud-native applications should typically come from the environment(在您的情况下为OpenShift)。
其次,似乎您正在登录PersistentVolume,这也是一个糟糕的做法,因为best practice将登录到stdout。当然,在持久卷上具有应用程序数据(事务日志)很有意义。
至于您的原始问题(鉴于以上两点,该问题不再重要),可以使用SecurityContextContraints(SCC)解决该问题:Managing Security Context Constraints
因此,要解决您的问题,您应该使用/创建正确设置了runAsUser的SCC。
关于docker - 如何获得[1002120000,1002129999]范围内的UID:GID以使其在OpenShift中运行?,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/62144018/