kubernetes:无法使用RW访问的持久卷部署jenkins映像
和库伯内特斯一起,我试图部署詹金斯的形象
- 所以,这是我对我的员工的责任:
[root@pp-tmp-test24 /opt]# df -Th /opt/jenkins.persistent
Filesystem Type Size Used Avail Use% Mounted on
xxx.xxx.xxx.xxx:/VR_C_CS003_NFS_KUBERNETESPV_TMP_PP nfs4 10G 9.5M 10G 1% /opt/jenkins.persistent
- 还有我在这部分的数据
[root@pp-tmp-test24 /opt/jenkins.persistent]# ls -l
total 0
-rwxr-xr-x. 1 root root 0 Oct 2 11:53 newfile
[root@pp-tmp-test24 /opt/jenkins.persistent]# cat newfile
hello
- 这里是我的yaml文件来部署它
我的持续音量
apiVersion: v1
kind: PersistentVolume
metadata:
name: jenkins-pv-nfs
labels:
type: type-nfs
spec:
storageClassName: class-nfs
capacity:
storage: 10Gi
volumeMode: Filesystem
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Recycle
hostPath:
path: /opt/jenkins.persistent
我坚持不懈的努力
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jenkins-pvc-nfs
namespace: ns-jenkins
spec:
storageClassName: class-nfs
volumeMode: Filesystem
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
selector:
matchLabels:
type: type-nfs
还有我的部署
apiVersion: apps/v1
kind: Deployment
metadata:
name: jenkins
namespace: ns-jenkins
spec:
replicas: 1
selector:
matchLabels:
app: jenkins
template:
metadata:
labels:
app: jenkins
spec:
containers:
- image: jenkins
#- image: httpd:latest
name: jenkins
ports:
- containerPort: 8080
protocol: TCP
name: jenkins-web
volumeMounts:
- name: jenkins-persistent-storage
mountPath: /var/foo
volumes:
- name: jenkins-persistent-storage
persistentVolumeClaim:
claimName: jenkins-pvc-nfs
- 在执行
kubectl create-f命令后,一切看起来都很好:
# kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
jenkins-pv-nfs 10Gi RWX Recycle Bound ns-jenkins/jenkins-pvc-nfs class-nfs 37s
# kubectl get pvc -A
NAMESPACE NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
ns-jenkins jenkins-pvc-nfs Bound jenkins-pv-nfs 10Gi RWX class-nfs 35s
# kubectl get pods -A |grep jenkins
ns-jenkins jenkins-5bdb8678c-x6vht 1/1 Running 0 14s
# kubectl describe pod jenkins-5bdb8678c-x6vht -n ns-jenkins
Name: jenkins-5bdb8678c-x6vht
Namespace: ns-jenkins
Priority: 0
Node: pp-tmp-test25.mydomain/172.31.68.225
Start Time: Wed, 02 Oct 2019 11:48:23 +0200
Labels: app=jenkins
pod-template-hash=5bdb8678c
Annotations: <none>
Status: Running
IP: 10.244.5.47
Controlled By: ReplicaSet/jenkins-5bdb8678c
Containers:
jenkins:
Container ID: docker://8a3e4871ed64b371818bac59e24d6912e5d2b13c8962c1639d36797fbce8082e
Image: jenkins
Image ID: docker-pullable://docker.io/jenkins@sha256:eeb4850eb65f2d92500e421b430ed1ec58a7ac909e91f518926e02473904f668
Port: 8080/TCP
Host Port: 0/TCP
State: Running
Started: Wed, 02 Oct 2019 11:48:26 +0200
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/foo from jenkins-persistent-storage (rw)
/var/run/secrets/kubernetes.io/serviceaccount from default-token-dz6cd (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
jenkins-persistent-storage:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: jenkins-pvc-nfs
ReadOnly: false
default-token-dz6cd:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-dz6cd
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 39s default-scheduler Successfully assigned ns-jenkins/jenkins-5bdb8678c-x6vht to pp-tmp-test25.mydomain
Normal Pulling 38s kubelet, pp-tmp-test25.mydomain Pulling image "jenkins"
Normal Pulled 36s kubelet, pp-tmp-test25.mydomain Successfully pulled image "jenkins"
Normal Created 36s kubelet, pp-tmp-test25.mydomain Created container jenkins
Normal Started 36s kubelet, pp-tmp-test25.mydomain Started container jenkins
- 在我的工人身上,这是我的容器
# docker ps |grep jenkins
8a3e4871ed64 docker.io/jenkins@sha256:eeb4850eb65f2d92500e421b430ed1ec58a7ac909e91f518926e02473904f668 "/bin/tini -- /usr..." 2 minutes ago Up 2 minutes k8s_jenkins_jenkins-5bdb8678c-x6vht_ns-jenkins_64b66dae-a1da-4d90-83fd-ff433638dc9c_0
所以我在我的容器上启动一个shell,我可以在/var/foo上看到我的数据:
# docker exec -t -i 8a3e4871ed64 /bin/bash
jenkins@jenkins-5bdb8678c-x6vht:/$ df -h /var/foo
Filesystem Size Used Avail Use% Mounted on
xxx.xxx.xxx.xxx:/VR_C_CS003_NFS_KUBERNETESPV_TMP_PP 10G 9.5M 10G 1% /var/foo
jenkins@jenkins-5bdb8678c-x6vht:/var/foo$ ls -lZ /var/foo -d
drwxr-xr-x. 2 root root system_u:object_r:nfs_t:s0 4096 Oct 2 10:06 /var/foo
jenkins@jenkins-5bdb8678c-x6vht:/var/foo$ ls -lZ /var/foo
-rwxr-xr-x. 1 root root system_u:object_r:nfs_t:s0 12 Oct 2 10:05 newfile
jenkins@jenkins-5bdb8678c-x6vht:/var/foo$ cat newfile
hello
我试图在我的/var/foo/newfile中写入数据,但权限被拒绝
jenkins@jenkins-5bdb8678c-x6vht:/var/foo$ echo "world" >> newfile
bash: newfile: Permission denied
在我的/var/foo/目录中也是一样,我不能写数据
jenkins@jenkins-5bdb8678c-x6vht:/var/foo$ touch newfile2
touch: cannot touch 'newfile2': Permission denied
因此,我在部署yaml中尝试了另一个图像,如httpd:latest(在我的yaml定义中保持相同的名称)
[...]
containers:
#- image: jenkins
- image: httpd:latest
[...]
# docker ps |grep jenkins
fa562400405d docker.io/httpd@sha256:39d7d9a3ab93c0ad68ee7ea237722ed1b0016ff6974d80581022a53ec1e58797 "httpd-foreground" 50 seconds ago Up 48 seconds k8s_jenkins_jenkins-7894877f96-6dj85_ns-jenkins_540b12bd-69df-44d8-b3df-20a0a96cc851_0
在我的新容器中,这次我可以读写数据:
root@jenkins-7894877f96-6dj85:/usr/local/apache2# df -h /var/foo
Filesystem Size Used Avail Use% Mounted on
xxx.xxx.xxx.xxx:/VR_C_CS003_NFS_KUBERNETESPV_TMP_PP 10G 9.6M 10G 1% /var/foo
root@jenkins-7894877f96-6dj85:/var/foo# ls -lZ
total 0
-rwxr-xr-x. 1 root root system_u:object_r:nfs_t:s0 12 Oct 2 10:05 newfile
-rw-r--r--. 1 root root system_u:object_r:nfs_t:s0 0 Oct 2 10:06 newfile2
root@jenkins-7894877f96-6dj85:/var/foo# ls -lZ /var/foo -d
drwxr-xr-x. 2 root root system_u:object_r:nfs_t:s0 4096 Oct 2 10:06 /var/foo
root@jenkins-7894877f96-6dj85:/var/foo# ls -l
total 0
-rwxr-xr-x. 1 root root 6 Oct 2 09:55 newfile
root@jenkins-7894877f96-6dj85:/var/foo# echo "world" >> newfile
root@jenkins-7894877f96-6dj85:/var/foo# touch newfile2
root@jenkins-7894877f96-6dj85:/var/foo# ls -l
total 0
-rwxr-xr-x. 1 root root 12 Oct 2 10:05 newfile
-rw-r--r--. 1 root root 0 Oct 2 10:06 newfile2
我做错了什么?pb是由不允许RW访问的jenkins图像引起的吗?同样的pb带有本地存储(在我的worker上)和持久卷。
还有一件事,也许是愚蠢的:对于我的jenkins映像,我想将/var/jenkins_home目录装载到一个持久卷,以便保留jenkins的配置文件。但是如果我尝试挂载/var/jenkins_home而不是/var/foo,pod就会崩溃(因为/var/jenkins_home中已经存储了数据)。
谢谢大家的帮助!
共有2个答案
@Piotr Malec谢谢。是的,我意识到:当我连接到我的容器时,jenkins是默认用户:
docker exec -t -i 46d2497d440d /bin/bash
jenkins@jenkins-7bcdd5db57-8qgth:/$
所以我更改了对这个/opt/jenkins的权限。在我的worker上持续到777,以便尝试,现在我在这个挂载上安装了RW perm:
xxx.xxx.xxx.xxx:/VR_C_CS003_NFS_KUBERNETESPV_TMP_PP 10G 9.5M 10G 1% /var/foo
jenkins@jenkins-7bcdd5db57-8qgth:/$ cd /var
jenkins@jenkins-7bcdd5db57-8qgth:/$ ls -l
[...]
drwxrwxrwx. 2 root root 4096 Oct 4 13:41 foo
[...]
jenkins@jenkins-7bcdd5db57-8qgth:/$ cd /var/foo
jenkins@jenkins-7bcdd5db57-8qgth:/var/foo $ touch newfile
jenkins@jenkins-7bcdd5db57-8qgth:/var/foo $ ls
newfile
所以我在我的工人上添加了jenkins用户帐户,并在我的/opt/jenkins.persistent目录中设置chown jenkins: jenkins。现在,在我的容器中,我有RW烫发:
jenkins@jenkins-7bcdd5db57-8qgth:/var$ ls -l
[...]
drwxr-xr-x. 2 jenkins jenkins 4096 Oct 4 13:53 foo
[...]
jenkins@jenkins-7bcdd5db57-8qgth:/var$ cd foo
jenkins@jenkins-7bcdd5db57-8qgth:/var/toto$ touch newfile2
jenkins@jenkins-7bcdd5db57-8qgth:/var/toto$ ls -l
-rw-r--r--. 1 jenkins jenkins 0 Oct 4 13:53 newfile2
我注意到您试图在jenkins-5bdb8678c-x6vht上以jenkins用户的身份进行写入,但该用户可能在root:root目录中没有写入权限。
您可能希望更改该目录权限以匹配jenkins用户权限。
在写入文件之前,请尝试使用sudo确认这是导致此问题的原因。
如果未安装sudo,则使用--user标记为rootuser执行。所以,这就像其他写作成功的案例一样。
docker exec-t-i-u root 8a3e4871ed64/bin/bash
-
然后,我创建一个Kubernetes只读多个持久化卷声明,如下所示: 它绑定到我在上面创建的只读PV: 然后,我使用我刚才创建的PVC创建了一个包含2个副本的Kubernetes部署,如下所示:
-
我找到的最接近的答案是这样的。 但我想知道的是,Dockerfile卷命令会被Kubernetes完全忽略吗?或者数据将被持久化到两个地方?一个用于docker卷(在主机中哪个豆荚运行),另一个是Kubernetes的PV? 之所以这样问,是因为我从docker hub部署了一些容器,其中包含VOLUME命令。同时,我也把PVC贴在我的豆荚上。我在考虑是否会在节点中创建本地卷(docker卷,而不
-
我在Google Container Engine上部署了一个容器,它运行良好。现在,我想公开它。 这个应用程序是一个侦听2个端口的服务。使用kubectl公开部署,我创建了2个负载均衡器,每个端口一个。 我制作了两个负载平衡器,因为kubectl expose命令似乎不允许使用多个端口。虽然我在kubectl上将其定义为type=LoadBalancer,但一旦在GKE上创建了它们,它们就被定义
-
我假设上述证书的路径是主机上的路径,python脚本将从中获取文件,然后进行YAML构建? 测试呼叫3: 测试呼叫4:
-
我正在将堆栈转换为K8S。数据库需要持久存储。 我使用了 pv.yaml(根据@Whites11的回答进行了编辑): 我进入GUI上的PVC页面,并手动向索赔添加了一个卷(基于@Whites11的反馈)。我可以看到PVC已经更新了体积,但它仍然悬而未决。 意识到自从进行@Whites11建议的更改后,pod中的原始错误消息已经更改。现在是“persistentvolume”pvvolume“not
-
我无法通过入口路径url访问Kibana服务器UI我已经在库伯内特斯集群上部署了Kibanapod和Elasticsearch。访问UI时,它声明为“503服务不可用”,并将路径重定向为https://myserver.com/spaces/enter.elasticsearch和kibana pod都在运行。我可以通过入口路径url卷曲我的elasticsearch pod。有人能帮助解决这个问