Permission denied to access /var/run/docker.sock mounted in an OpenShift container


Problem description

Know how to troubleshoot, and what knowledge is required to troubleshoot, permission issues of a Docker container accessing host files.

Access to /var/run/docker.sock mounted inside an OpenShift container via hostPath causes permission denied. The issue does not happen if the same container is deployed to K8S 1.9.x, hence it is an OpenShift-specific issue.

[ec2-user@ip-10-0-4-62 ~]$ ls -laZ /var/run/docker.sock
srw-rw----. root docker system_u:object_r:container_var_run_t:s0 /var/run/docker.sock

[ec2-user@ip-10-0-4-62 ~]$ docker exec 9d0c6763d855 ls -laZ /var/run/docker.sock
srw-rw----. 1 root 1002 system_u:object_r:container_var_run_t:s0 0 Jan 16 09:54 /var/run/docker.sock

https://bugzilla.redhat.com/show_bug.cgi?id=1244634 says the svirt_sandbox_file_t SELinux label is required on RHEL, so I changed the label.

$ chcon -Rt container_runtime_t docker.sock 
[ec2-user@ip-10-0-4-62 ~]$ ls -aZ /var/run/docker.sock 
srw-rw----. root docker system_u:object_r:svirt_sandbox_file_t:s0 /var/run/docker.sock

Redeployed the container, but still permission denied.

$ docker exec -it 9d0c6763d855 curl -ivs --unix-socket /var/run/docker.sock http://localhost/version
*   Trying /var/run/docker.sock...
* Immediate connect fail for /var/run/docker.sock: Permission denied
* Closing connection 0

OpenShift by default does not allow hostPath, so that was addressed:

oc adm policy add-scc-to-user privileged system:serviceaccount:{{ DATADOG_NAMESPACE }}:{{ DATADOG_SERVICE_ACCOUNT }}

I suppose SELinux, an OpenShift SCC, or another container/docker permission is causing this, but I need a clue how to find the cause.

Recommended answer

OpenShift requires special permissions in order to allow pods to use volumes on nodes.

Do the following:

  1. Create a standard security-context yaml:

kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: scc-hostpath
allowPrivilegedContainer: true
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
- my-admin-user
groups:
- my-admin-group

oc create -f scc-hostpath.yaml

  2. Add the "allowHostDirVolumePlugin" privilege to this security context:

    oc patch scc scc-hostpath -p '{"allowHostDirVolumePlugin": true}'
    

  3. Associate the pod's service account with the above security context:

    oc adm policy add-scc-to-user scc-hostpath system:serviceaccount:<namespace>:<service_account_name>
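Added example (shell helpers written for this page, not code from the question or the answer above): the asker's "need a clue how to find the cause" comes down to two layers that can each reject connect() on the socket, and this script walks them in order. First the DAC check: the host listing above shows srw-rw---- root docker, so only uid 0 or a process holding the docker gid (1002 inside the container) may write to it, and OpenShift's restricted SCC runs containers as a high random uid with no such group. Second, once DAC passes (root under a RunAsAny SCC bypasses mode bits via CAP_DAC_OVERRIDE), the remaining suspect is SELinux, and the helper parses an AVC denial record into the fields that matter. The AVC line and the uids/gids are constructed for illustration; the oc and ausearch commands quoted in the output are the real ones to run on the cluster.

```shell
#!/bin/sh
# Added troubleshooting helpers for "permission denied" on a hostPath-mounted docker.sock.
# Not from the original question or answer; sample inputs below are constructed.
#   1. DAC: socket mode bits versus the container process's credentials
#   2. SELinux: an AVC denial record from the node's audit log

# Host-side `ls -laZ /var/run/docker.sock` from the question: srw-rw---- root docker
SOCK_MODE='srw-rw----'
SOCK_OWNER_UID=0
SOCK_GROUP_GID=1002   # "docker" on the node; appears as the bare gid 1002 inside the container

# Constructed AVC record in the shape such denials take on a RHEL node: a container_t
# process trying to connect to the daemon's listening socket (container_runtime_t domain).
SAMPLE_AVC='type=AVC msg=audit(1516096455.123:4567): avc:  denied  { connectto } for  pid=12345 comm="curl" path="/var/run/docker.sock" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0'

# in_group TARGET_GID PRIMARY_GID "SUPP_GID,SUPP_GID,..." -> 0 if the process holds that gid
in_group() {
  target=$1; primary=$2; supp=${3:-}
  [ "$primary" -eq "$target" ] && return 0
  for g in $(printf '%s' "$supp" | tr ',' ' '); do
    [ "$g" -eq "$target" ] && return 0
  done
  return 1
}

# dac_allows_connect MODE OWNER_UID GROUP_GID PROC_UID PROC_GID [SUPP_GIDS]
# connect() on a unix socket needs write permission on the sock_file.
# Returns 0 if plain DAC would allow it, 1 otherwise.
dac_allows_connect() {
  mode=$1; owner=$2; group=$3; uid=$4; gid=$5; supp=${6:-}
  # uid 0 keeps CAP_DAC_OVERRIDE unless the pod drops it, so the mode bits are bypassed
  [ "$uid" -eq 0 ] && return 0
  if [ "$uid" -eq "$owner" ]; then
    bit=$(printf '%s' "$mode" | cut -c3)   # owner write bit
  elif in_group "$group" "$gid" "$supp"; then
    bit=$(printf '%s' "$mode" | cut -c6)   # group write bit
  else
    bit=$(printf '%s' "$mode" | cut -c9)   # other write bit
  fi
  [ "$bit" = "w" ]
}

# selinux_type CONTEXT -> the type field of user:role:type:level
selinux_type() {
  printf '%s' "$1" | cut -d: -f3
}

# avc_summary AVC_LINE -> "PERMISSION SOURCE_TYPE TARGET_TYPE TCLASS"
avc_summary() {
  line=$1
  perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | tr -d ' ')
  scontext=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
  tcontext=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
  tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  printf '%s %s %s %s\n' "$perm" "$(selinux_type "$scontext")" "$(selinux_type "$tcontext")" "$tclass"
}

# diagnose PROC_UID PROC_GID [SUPP_GIDS]: walk the layers and say where to look next
diagnose() {
  uid=$1; gid=$2; supp=${3:-}
  if dac_allows_connect "$SOCK_MODE" "$SOCK_OWNER_UID" "$SOCK_GROUP_GID" "$uid" "$gid" "$supp"; then
    echo "DAC: uid=$uid gid=$gid supp=[$supp] may write the socket; next check SELinux on the node: ausearch -m avc -ts recent"
  else
    echo "DAC: uid=$uid gid=$gid supp=[$supp] denied by mode $SOCK_MODE (owner $SOCK_OWNER_UID, group $SOCK_GROUP_GID); check which SCC admitted the pod: oc get pod <pod> -o jsonpath='{.metadata.annotations.openshift\\.io/scc}'"
  fi
}

diagnose 1000150000 0   # restricted SCC: random high uid, no docker group -> DAC denies
diagnose 0 0            # RunAsAny SCC running as root: DAC passes, SELinux is the remaining suspect
echo "AVC: $(avc_summary "$SAMPLE_AVC")"
```

If the node's audit log shows a connectto denial with tclass unix_stream_socket and the daemon's domain as the target, the check is against the listening process's context, not the sock_file's label, so chcon on /var/run/docker.sock alone will not change the verdict; the client's process domain (what the admitting SCC's seLinuxContext or privileged setting gives it) is what has to change. Keep in mind that anything able to talk to docker.sock is root on the node, so an SCC that hands out hostPath plus privileged is node-root for every subject listed under users/groups; scope it to the one service account that needs it.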
