"OpenShift 4.x HOL Tutorial Collection"
Note: this article has been verified in an OpenShift 4.9 environment.
Docker by default allows the service inside a container to run as root. For security reasons, OpenShift does not allow this by default. However, by adjusting the default SCC (Security Context Constraints) configuration in OpenShift, container images that otherwise fail to start for this reason can be made to run.
- 运行HTTP容器
$ oc new-project http
$ oc new-app --docker-image=httpd:2.4.17
- Check the pod status and confirm that it has entered the "CrashLoopBackOff" state.
$ oc get pod -w
NAME READY STATUS RESTARTS AGE
httpd-1-deploy 0/1 Completed 0 5s
httpd-1-frz4v 1/1 Running 0 3s
httpd-1-frz4v 0/1 Error 0 4s
httpd-1-frz4v 0/1 Error 1 5s
httpd-1-frz4v 0/1 CrashLoopBackOff 1 6s
- Check the pod's log and confirm that it listens on port 80 by default. Because binding that port requires root privileges, it reports "Permission denied".
$ oc logs pod/httpd-1-frz4v
…
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
- Grant elevated privileges in the http project (the anyuid SCC is added to the project's default service account).
$ oc adm policy add-scc-to-user anyuid -z default -n http
securitycontextconstraints.security.openshift.io/anyuid added to: ["system:serviceaccount:http:default"]
- Delete the failing pod.
$ oc delete pod httpd-1-frz4v
- Check the automatically redeployed new pod instance and confirm that it is in the Running state.
$ oc get pod
NAME READY STATUS RESTARTS AGE
httpd-1-deploy 0/1 Completed 0 2m46s
httpd-1-mwx4x 1/1 Running 0 13s
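Before granting anyuid, it is worth confirming that the crash really is a privileged-port bind failure and not some other error, since anyuid lifts the root restriction for every pod using that service account. The following script is an added example, not part of the original tutorial: it runs offline on constructed copies of the `oc get pod` and `oc logs` output shown above, lists the pods in CrashLoopBackOff, and extracts the port from a "Permission denied ... could not bind to address" line only when that port is below 1024 (the range that needs root or CAP_NET_BIND_SERVICE). The sample text, the function names and the `httpd-sa` service-account name are assumptions made for the example.

```shell
#!/bin/sh
# Added example: triage helpers for the "container needs root" symptom.
# They operate on captured command output, so they run without a cluster.

# Constructed sample of `oc get pod` output, modelled on the tutorial's listing.
SAMPLE_PODS='NAME READY STATUS RESTARTS AGE
httpd-1-deploy 0/1 Completed 0 5s
httpd-1-frz4v 0/1 CrashLoopBackOff 1 6s
nginx-1-ab12c 1/1 Running 0 3m'

# Constructed sample of the httpd container log quoted in the tutorial.
SAMPLE_LOG='(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down'

# crashlooping_pods <pod-listing>: print the names of pods whose STATUS column
# is CrashLoopBackOff (header line is skipped).
crashlooping_pods() {
  printf '%s\n' "$1" | awk 'NR > 1 && $3 == "CrashLoopBackOff" { print $1 }'
}

# privileged_bind_port <log>: print the first port below 1024 that the log
# shows failing to bind with "Permission denied"; print nothing otherwise.
# A crash for any other reason should not be answered with anyuid.
privileged_bind_port() {
  printf '%s\n' "$1" \
    | grep 'Permission denied' \
    | grep -o 'bind to address .*:[0-9]*' \
    | sed 's/.*://' \
    | awk '$1 < 1024 { print $1; exit }'
}

# triage <namespace> <pod-listing> <log>: tie the two checks together and print
# the tutorial's oc command, but scoped to a dedicated service account
# (assumed name: httpd-sa) instead of the project's "default" one, so that only
# the workload that really needs root receives the anyuid SCC.
triage() {
  ns=$1
  pods=$(crashlooping_pods "$2")
  port=$(privileged_bind_port "$3")
  [ -n "$pods" ] || { echo "no CrashLoopBackOff pods"; return 0; }
  if [ -n "$port" ]; then
    echo "pod(s) $pods fail to bind privileged port $port; least-privilege fix:"
    echo "  oc create serviceaccount httpd-sa -n $ns"
    echo "  oc adm policy add-scc-to-user anyuid -z httpd-sa -n $ns"
    echo "  (then set serviceAccountName: httpd-sa on the deployment)"
  else
    echo "pod(s) $pods crash for another reason; inspect the log, anyuid will not help"
  fi
}

triage http "$SAMPLE_PODS" "$SAMPLE_LOG"
```

Run it as-is to see the triage of the tutorial's own output; feed it `oc get pod` and `oc logs` output from a real project to reuse the checks. If the image can be reconfigured to listen on a port of 1024 or higher (for example 8080), that avoids the need for anyuid entirely.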