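Recently, a business requirement came up that needed NFS to be mounted from inside a container.
Running a container from the CentOS 7 image and executing the mount command inside it produced an error: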
# Start the container
docker run -itd centos:7
# Run inside the container
[root@f1e55cabed84 /]# yum install nfs-utils
[root@f1e55cabed84 /]# showmount -e 10.10.10.10
Export list for 10.10.10.10:
/nfs-data *
[root@f1e55cabed84 /]# mount -t nfs 10.10.10.10:/nfs-data /nfs
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
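It eventually turned out that the container lacked the necessary privileges, so the fix is to add the --cap-add sys_admin option when starting the container:
# Start the container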
docker run --cap-add sys_admin -itd centos:7
# Run the mount inside the container
[root@0147446f5774 /]# yum install -y nfs-utils
[root@0147446f5774 /]# mkdir /nfs-data
[root@0147446f5774 /]# mount -t nfs 10.10.10.10:/nfs-data /nfs-data
[root@0147446f5774 /]# df -h
Filesystem             Size  Used Avail Use% Mounted on
overlay                 50G  8.9G   42G  18% /
tmpfs                   64M     0   64M   0% /dev
tmpfs                  3.9G     0  3.9G   0% /sys/fs/cgroup
shm                     64M     0   64M   0% /dev/shm
/dev/mapper/vg-root     50G  8.9G   42G  18% /etc/hosts
tmpfs                  3.9G     0  3.9G   0% /proc/acpi
tmpfs                  3.9G     0  3.9G   0% /proc/scsi
tmpfs                  3.9G     0  3.9G   0% /sys/firmware
10.10.10.10:/nfs-data   50G  6.2G   44G  13% /nfs-data
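To confirm that missing privileges are the cause before changing how the container is started, the following check reads the capability masks from /proc/self/status and tests the CAP_SYS_ADMIN bit. It is an added example, not part of the original post; the function names are hypothetical, and the bit number 21 is taken from linux/capability.h.

```shell
#!/bin/sh
# Added example: check whether a process holds CAP_SYS_ADMIN, which mount(2) requires.
# Function names are hypothetical; the bit number comes from linux/capability.h.
CAP_SYS_ADMIN_BIT=21

# cap_field NAME [STATUS_FILE]: print the hex mask of a Cap* line (CapEff, CapBnd, ...).
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }' "${2:-/proc/self/status}" 2>/dev/null
}

# has_cap HEXMASK BIT: succeed if BIT is set in HEXMASK; return 2 on malformed input.
has_cap() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# can_mount [STATUS_FILE]: succeed if the effective set contains CAP_SYS_ADMIN.
can_mount() {
    eff=$(cap_field CapEff "$1")
    has_cap "$eff" "$CAP_SYS_ADMIN_BIT"
}

# explain [STATUS_FILE]: say which layer is withholding the capability.
explain() {
    if can_mount "$1"; then
        echo "CapEff has CAP_SYS_ADMIN: mount(2) is permitted by capabilities"
    elif has_cap "$(cap_field CapBnd "$1")" "$CAP_SYS_ADMIN_BIT"; then
        echo "CAP_SYS_ADMIN is in the bounding set but not effective: the process is probably not running as root"
    else
        echo "CAP_SYS_ADMIN was dropped by the runtime: start with --cap-add sys_admin"
    fi
}

explain
```

CAP_SYS_ADMIN covers far more than mount(2), so grant it only to containers that actually need to mount.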
In a Kubernetes environment, add a securityContext configuration to the Pod:
apiVersion: v1
kind: Pod
metadata:
  name: nfs-client
spec:
  containers:
  - name: centos
    image: "centos:7"
    command: ["sleep", "10000"]
    securityContext:
      capabilities:
        add:
        - SYS_ADMIN