本文介绍了Docker服务将无法在Container中运行-错误:ulimit:错误设置限制(不允许操作)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在AWS EKS上运行集群.当前运行的Container(StatefulSet POD)内部已安装Docker.

I'm running a cluster on AWS EKS. Container(StatefulSet POD) that currently running has Docker installation inside of it.

我在集群中以Kubernetes StatefulSet的身份运行了该映像.这是我的yaml文件,

I ran this image as Kubernetes StatefulSet in my cluster. Here is my yaml file,

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: jenkins
  labels:
    run: jenkins
spec:
  serviceName: jenkins
  replicas: 1
  selector:
    matchLabels:
      run: jenkins
  template:
    metadata:
      labels:
        run: jenkins
    spec:
      securityContext:
        fsGroup: 1000
      containers:
      - name: jenkins
        image: 99*****.dkr.ecr.<region>.amazonaws.com/<my_jenkins_image>:0.0.3
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          name: jenkins-port

在此POD内,我无法运行任何给出错误的docker命令:

Inside this POD, I can not run any docker command which gives a ERROR:

在我的研究中,我经历了一些无法解决我的问题的技巧.我列出了我尝试过但未解决的解决方案

In my research, I went through some artcile which did not fix my issue.I have listed down solution that i tried but not fixed in my case

第一个解决方案:(我在容器内跑了) aricle链接

$ sudo service docker stop
$ sudo bash -c "echo \"limit nofile 262144 262144\" >> /etc/init/docker.conf"
$ sudo service docker start

第二个解决方案:(我在容器内跑过了)

ulimit -n 65536 in /etc/init.d/docker

第三种解决方案:** 这似乎是一个更好的答案,我无法将其添加到配置文件中.它说,以特权来运行pod.但是无法在*** Kubernetes StatefulSet * 中添加该选项.因此,我尝试通过在配置文件中添加这样的SecurityContext (securityContext:fsGroup:1000)

Third solution: ** article linkThis seems a far better answer, which i could not add into my configuration file.it says, run pod with as privilaged. But there is no way to add that option in ***Kubernetes StatefulSet* .So I tried by adding a SecurityContext (securityContext:fsGroup: 1000) like this inside configuration file,

spec:
  serviceName: jenkins
  replicas: 1
  selector:
    matchLabels:
      run: jenkins
  template:
    metadata:
      labels:
        run: jenkins
    spec:
      securityContext:
        fsGroup: 1000

它仍然不起作用.

注意:相同的镜像在Docker swarm上工作

任何帮助将不胜感激!

推荐答案

我在Elastic Search中遇到了这个问题,并添加了initContainer可以正常工作.在这种情况下,可能是解决方案:

I had this issue with Elastic Search and adding initContainer worked. In this case it could be the solution:

spec:
  .
  .
  .
  initContainers:
  - name: increase-fd-ulimit
    image: busybox
    command: ["sh", "-c", "ulimit -n 65536"]
    securityContext:
      privileged: true

如果它不起作用,则有一个第二解决此问题的方法,包括创建新的Dockerfile或更改现有的Dockerfile:

If it doesn't work, there is a second way to solve this problem which includes creating a new Dockerfile or changing existing:

FROM 99*****.dkr.ecr.<region>.amazonaws.com/<my_jenkins_image>:0.0.3
RUN ulimit -n 65536
USER 1000

并将securityContext更改为:

and change securityContext to:

  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    capabilities:
      add: ["IPC_LOCK"]

这篇关于Docker服务将无法在Container中运行-错误:ulimit:错误设置限制(不允许操作)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-01 20:41