如何在kubernetes/Docker中更改映射卷的权限 [英] How to change permission of mapped volume in kubernetes/Docker

问题描述

我刚刚使用Docker文件创建了映像，并且为了更改用户我刚刚使用过:

I just created image using Docker file and for changing user I just used:

USER myuser

我们正在使用目录来存储数据，我们使用以下命令更改该目录权限:

We are using a directory to store data, we change that directory permission using:

chown -R myuser:myuser /data-dir

此Docker文件用于etcd，我们希望etcd在其中使用/data-dir来存储数据.现在，我们使用kubernetes yml文件将/data-dir映射到efs卷.

This Docker file is for etcd, where we want /data-dir use by etcd to store data. Now, we map the /data-dir to efs volume using kubernetes yml file.

使用以下代码:

volumeMounts:
        - name: etcdefs
          mountPath: /data-dir
      volumes:
      - name: etcdefs
        persistentVolumeClaim:
          claimName: efs-etcd

在此之后，我希望该映射目录/data-dir应该具有myuser:myuser权限，但是它将目录设为root:root

After this, I expect, that mapped directory /data-dir should have permission as myuser:myuser but it making the directory as root:root

有人可以暗示我在这里做错了吗?

Can any one suggest what I am doing wrong here ?

推荐答案

这是因为docker.它仅在具有root权限的情况下挂载卷，您可以使用chmod进行更改，但只能在容器启动之后进行更改.

This is because of docker. It mounts volume with only root permission and you can change it with chmod but only after the container is started.

您可以在此处详细了解 https://github.com/moby/moby/issues /2259 这个问题已经存在很长时间了.

You can read more about it here https://github.com/moby/moby/issues/2259 This issues is here for a long time.

您可以在kubernetes中使用fsGroup和 force 来通过指定的GID写入卷.这是有效的解决方案，并已记录在案.此处的更多信息 https://kubernetes.io/docs/tasks/configure -pod-container/security-context/

What you can do in kubernetes is use fsGroup and force that volume is writable by GID specified. This is working solution and documented as well. More information here https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

这是一个示例部署:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: alpine
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: alpine
    spec:
      securityContext:
        fsGroup: 1000
      containers:
        - name: alpine
          image: alpine
          volumeMounts:
              - mountPath: /var/alpine
                name: alpine
      volumes:
        - name: alpine
          awsElasticBlockStore:
            volumeID: vol-1234567890
            fsType: ext4

这篇关于如何在kubernetes/Docker中更改映射卷的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！