Problem description
Know how to troubleshoot, and what knowledge is required to troubleshoot, permission issues of a Docker container accessing host files.
Access to /var/run/docker.sock mounted inside an OpenShift container via hostPath causes permission denied. The issue does not happen if the same container is deployed to K8S 1.9.x, hence it is an OpenShift-specific issue.
[ec2-user@ip-10-0-4-62 ~]$ ls -laZ /var/run/docker.sock
srw-rw----. root docker system_u:object_r:container_var_run_t:s0 /var/run/docker.sock
[ec2-user@ip-10-0-4-62 ~]$ docker exec 9d0c6763d855 ls -laZ /var/run/docker.sock
srw-rw----. 1 root 1002 system_u:object_r:container_var_run_t:s0 0 Jan 16 09:54 /var/run/docker.sock
https://bugzilla.redhat.com/show_bug.cgi?id=1244634 says the svirt_sandbox_file_t SELinux label is required for RHEL, so I changed the label.
$ chcon -Rt container_runtime_t docker.sock
[ec2-user@ip-10-0-4-62 ~]$ ls -aZ /var/run/docker.sock
srw-rw----. root docker system_u:object_r:svirt_sandbox_file_t:s0 /var/run/docker.sock
Redeployed the container, but still permission denied.
$ docker exec -it 9d0c6763d855 curl -ivs --unix-socket /var/run/docker.sock http://localhost/version
* Trying /var/run/docker.sock...
* Immediate connect fail for /var/run/docker.sock: Permission denied
* Closing connection 0
OpenShift by default does not allow hostPath, so that was addressed:
oc adm policy add-scc-to-user privileged system:serviceaccount:{{ DATADOG_NAMESPACE }}:{{ DATADOG_SERVICE_ACCOUNT }}
I suppose SELinux, the OpenShift SCC or some other container/docker permission is causing this, but I need a clue how to find the cause.
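As an added example (not code from the question's author): a small triage helper that takes the facts collected above (the socket's mode and numeric owner/group as seen inside the container, the container's uid/gids, and the AVC records from the node's audit log) and says whether the EACCES comes from the socket's discretionary permissions or from SELinux. The audit records, pids, inode numbers and the container uid 1000670000 are constructed; the SELinux labels are the ones shown in the ls -laZ output.

```python
"""Triage "Permission denied" on a hostPath-mounted /var/run/docker.sock.

Added example, not from the original post.  connect() on a Unix socket can fail
with EACCES at two independent gates: discretionary access control (the
container's uid/gids against the socket's owner, group and mode) and SELinux
(the container's process domain against the socket file label and, for the
connect itself, against the listening daemon's domain).  This reads the facts
you would collect on the node and reports which gate failed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of /var/log/audit/audit.log (`ausearch -m avc -ts recent`
# prints the same records).  pids, inode numbers and timestamps are made up;
# the labels match the ls -laZ output in the question.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1516096440.101:711): avc:  denied  { write } for  pid=4321 comm="curl" name="docker.sock" dev="tmpfs" ino=22123 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1516096440.102:712): avc:  denied  { connectto } for  pid=4321 comm="curl" path="/var/run/docker.sock" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1516096440.102:712): arch=c000003e syscall=42 success=no exit=-13 pid=4321 uid=1000670000 gid=0 comm="curl" exe="/usr/bin/curl" subj=system_u:system_r:container_t:s0:c12,c34
"""

AVC_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return perms and fields of one AVC denial record, or None for other records."""
    m = AVC_DENIED.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        # file denials carry name=, socket denials carry path=
        "target": fields.get("path") or fields.get("name"),
        "stype": fields["scontext"].split(":")[2],  # e.g. container_t
        "ttype": fields["tcontext"].split(":")[2],  # e.g. container_runtime_t
        "tclass": fields["tclass"],
    }


def dac_allows_connect(mode: str, owner_uid: int, owner_gid: int,
                       uid: int, gids: List[int]) -> bool:
    """connect() on a Unix socket needs write permission on the socket inode.

    mode is the ls-style string, e.g. 'srw-rw----'.  Pass numeric ids: the
    question shows the same socket as root:docker on the host and root:1002
    inside the container, because only the numeric gid crosses the mount.
    """
    if uid == 0:
        return True  # CAP_DAC_OVERRIDE, which root in a container keeps by default
    perm = mode[1:10]
    if uid == owner_uid:
        return perm[1] == "w"
    if owner_gid in gids:
        return perm[4] == "w"
    return perm[7] == "w"


def triage(audit_log: str, socket_path: str, mode: str, owner_uid: int,
           owner_gid: int, uid: int, gids: List[int]) -> Dict[str, object]:
    """Combine the DAC check with the AVC records that mention the socket."""
    basename = socket_path.rsplit("/", 1)[-1]
    denials = [d for d in map(parse_avc, audit_log.splitlines()) if d]
    relevant = [d for d in denials if d["target"] in (socket_path, basename)]
    dac_ok = dac_allows_connect(mode, owner_uid, owner_gid, uid, gids)
    hints: List[str] = []
    if not dac_ok:
        hints.append("DAC: uid %d with gids %s has no write bit on the socket; run the "
                     "container as root or add the socket's gid via supplementalGroups"
                     % (uid, gids))
    for d in relevant:
        perms = " ".join(d["perms"])
        if d["tclass"] == "unix_stream_socket":
            # The target here is the listening daemon's process domain, not the
            # file label, so chcon on the socket file cannot fix it.
            hints.append("SELinux: %s may not %s the %s listener; the pod needs an "
                         "unconfined domain (privileged pods run as spc_t)"
                         % (d["stype"], perms, d["ttype"]))
        else:
            hints.append("SELinux: %s may not %s a %s labelled %s; a file-label fix "
                         "applies here" % (d["stype"], perms, d["tclass"], d["ttype"]))
    if dac_ok and not relevant:
        hints.append("DAC ok and no AVC for the socket: check that the hostPath is "
                     "actually mounted in the pod, then seccomp/AppArmor")
    return {"dac_ok": dac_ok, "selinux_denials": relevant, "hints": hints}


if __name__ == "__main__":
    # Values from the question: socket is srw-rw---- root:1002 inside the container.
    # uid 1000670000 is an assumed OpenShift restricted-SCC range uid, not from the page.
    result = triage(SAMPLE_AUDIT_LOG, "/var/run/docker.sock", "srw-rw----",
                    0, 1002, 1000670000, [0])
    for hint in result["hints"]:
        print(hint)
```

On a real node, feed `ausearch -m avc -ts recent` (or the raw audit.log) into triage together with the ids of the process inside the pod (`id` in the container, `ls -ln /var/run/docker.sock`). The distinction the helper draws is the one the chcon attempt above ran into: a connectto denial names the daemon's domain as target, so relabelling the socket file changes nothing.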
Recommended answer
OpenShift requires special permissions in order to allow pods to use volumes on nodes.
Do the following:
Create a standard security-context YAML:
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: scc-hostpath
allowPrivilegedContainer: true
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
- my-admin-user
groups:
- my-admin-group
oc create -f scc-hostpath.yaml
Add the "allowHostDirVolumePlugin" privilege to this security context:
oc patch scc scc-hostpath -p '{"allowHostDirVolumePlugin": true}'
Associate the pod's service account with the above security context:
oc adm policy add-scc-to-user scc-hostpath system:serviceaccount:<namespace>:<service_account_name>
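The three steps above as one added example (not the answerer's or OpenShift's own code): it renders the SecurityContextConstraints with allowHostDirVolumePlugin already set instead of patching it in afterwards, lists the service account under users in the system:serviceaccount:<namespace>:<name> form that add-scc-to-user produces, renders a pod that mounts the socket, and pre-checks the pod against the SCC with a simplified restatement of the rules the SCC fields express. The namespace, service account name and image are placeholders; the admission check is not OpenShift's admission code.

```python
"""Render the SCC and a pod that uses it, and pre-check the pod against the SCC.

Added example, not from the original answer or from OpenShift itself.  The SCC
is the one from the answer with allowHostDirVolumePlugin set directly, and with
the service account listed in users the way `oc adm policy add-scc-to-user`
writes it.  scc_admits() restates what the SCC fields allow; it is not the
cluster's admission logic.
"""
import json
from typing import Dict, List

SOCKET = "/var/run/docker.sock"


def scc_manifest(name: str, sa_namespace: str, sa_name: str,
                 allow_host_dir: bool = True) -> Dict:
    """SecurityContextConstraints from the answer, with the hostPath flag set."""
    return {
        "kind": "SecurityContextConstraints",
        "apiVersion": "v1",  # as in the answer; newer clusters use security.openshift.io/v1
        "metadata": {"name": name},
        "allowPrivilegedContainer": True,
        "allowHostDirVolumePlugin": allow_host_dir,
        "runAsUser": {"type": "RunAsAny"},
        "seLinuxContext": {"type": "RunAsAny"},
        "fsGroup": {"type": "RunAsAny"},
        "supplementalGroups": {"type": "RunAsAny"},
        "users": ["system:serviceaccount:%s:%s" % (sa_namespace, sa_name)],
        "groups": [],
    }


def pod_manifest(namespace: str, sa_name: str, image: str) -> Dict:
    """Pod that mounts the host socket; names and image are placeholders."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "docker-sock-client", "namespace": namespace},
        "spec": {
            "serviceAccountName": sa_name,
            "containers": [{
                "name": "client",
                "image": image,
                "command": ["sleep", "infinity"],
                # privileged: the runtime labels the container spc_t (unconfined),
                # which is what lets it connect to the daemon's socket under SELinux
                "securityContext": {"privileged": True},
                "volumeMounts": [{"name": "docker-sock", "mountPath": SOCKET}],
            }],
            "volumes": [{"name": "docker-sock",
                         "hostPath": {"path": SOCKET, "type": "Socket"}}],
        },
    }


def scc_admits(scc: Dict, pod: Dict) -> List[str]:
    """Return the reasons the SCC would reject the pod (empty list = admitted).

    Simplified: real admission also grants SCCs through groups and RBAC and
    validates many more fields.
    """
    problems: List[str] = []
    spec = pod["spec"]
    sa = "system:serviceaccount:%s:%s" % (pod["metadata"]["namespace"],
                                          spec.get("serviceAccountName", "default"))
    if sa not in scc.get("users", []):
        problems.append("%s is not a user of SCC %s (oc adm policy add-scc-to-user)"
                        % (sa, scc["metadata"]["name"]))
    if any("hostPath" in v for v in spec.get("volumes", [])) \
            and not scc.get("allowHostDirVolumePlugin", False):
        problems.append("pod uses a hostPath volume but allowHostDirVolumePlugin is false")
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not scc.get("allowPrivilegedContainer", False):
            problems.append("container %s is privileged but allowPrivilegedContainer is false"
                            % c["name"])
        if "seLinuxOptions" in sc and scc["seLinuxContext"]["type"] != "RunAsAny":
            problems.append("container %s sets seLinuxOptions but seLinuxContext is %s"
                            % (c["name"], scc["seLinuxContext"]["type"]))
    return problems


if __name__ == "__main__":
    # Placeholder namespace, service account and image (assumptions, not from the page).
    scc = scc_manifest("scc-hostpath", "datadog", "datadog-agent")
    pod = pod_manifest("datadog", "datadog-agent", "registry.example.com/agent:1")
    assert scc_admits(scc, pod) == []
    # Pipe into `oc create -f -`: the SCC first as cluster-admin, then the pod.
    print(json.dumps(scc, indent=2))
    print(json.dumps(pod, indent=2))
```

Kubernetes accepts JSON manifests, so the printed output can go straight to `oc create -f -`. Running scc_admits() before applying turns the "permission denied at deploy time" into a named missing field, and the DAC side of the question is covered by runAsUser RunAsAny: the container can run as root, which is the owner of the root:docker socket.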