spa*_*unk 4 deployment sed docker kubernetes airflow
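I am getting an error when deploying Airflow on Kubernetes (precisely this version of Airflow: https://github.com/puckel/docker-airflow/blob/1.8.1/Dockerfile), related to write permissions on the filesystem.
The error that appears in the logs of the pod is: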
sed: couldn't open temporary file /usr/local/airflow/sed18bPUH: Read-only file system
sed: -e expression #1, char 131: unterminated `s' command
sed: -e expression #1, char 118: unterminated `s' command
Initialize database...
sed: couldn't open temporary file /usr/local/airflow/sedouxZBL: Read-only file system
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/airflow/configuration.py", line 769, in
....
with open(TEST_CONFIG_FILE, 'w') as f:
IOError: [Errno 30] Read-only file system: '/usr/local/airflow/unittests.cfg'
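It seems that the filesystem is read-only, but I do not understand why that is. I am not sure whether this is a Kubernetes misconfiguration (do I need a special RBAC for pods? No idea) or whether it is a problem with the Dockerfile.
The deployment file looks like the following: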
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: airflow
  namespace: test
spec:
  replicas: 1
  revisionHistoryLimit: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  template:
    metadata:
      labels:
        app: airflow
    spec:
      restartPolicy: Always
      containers:
      - name: webserver
        image: davideberdin/docker-airflow:0.0.4
        imagePullPolicy: Always
        resources:
          limits:
            cpu: 1
            memory: 1Gi
          requests:
            cpu: 50m
            memory: 128Mi
        securityContext:  #does not have any effect
          runAsUser: 0    #does not have any effect
        ports:
        - name: airflow-web
          containerPort: 8080
        args: ["webserver"]
        volumeMounts:
          - name: airflow-config-volume
            mountPath: /usr/local/airflow
            readOnly: false #does not have any effect
          - name: airflow-logs
            mountPath: /usr/local/logs
            readOnly: false #does not have any effect
      volumes:
      - name: airflow-config-volume
        secret:
          secretName: airflow-config-secret
      - name: airflow-parameters-volume
        secret:
          secretName: airflow-parameters-secret
      - name: airflow-logs
        emptyDir: {}
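Any idea how I can make the filesystem writable? The container is running as USER airflow, but I think this user has root privileges.
As of Kubernetes 1.9 and later, the behaviour of volumeMounts for secret, configMap, downwardAPI and projected volumes has changed to read-only by default.
A workaround for the problem is to create an emptyDir volume, copy the contents into it, and then execute or write whatever you need.
Here is a small snippet to demonstrate.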
initContainers:
- name: copy-ro-scripts
  image: busybox
  command: ['sh', '-c', 'cp /scripts/* /etc/pre-install/']
  volumeMounts:
    - name: scripts
      mountPath: /scripts
    - name: pre-install
      mountPath: /etc/pre-install
volumes:
  - name: pre-install
    emptyDir: {}
  - name: scripts
    configMap:
      name: bla
The merged PR which causes this break :( https://github.com/kubernetes/kubernetes/pull/58720
volumeMounts:
  - name: airflow-config-volume
    mountPath: /usr/local/airflow
volumes:
  - name: airflow-config-volume
    secret:
      secretName: airflow-config-secret
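is the source of your problem, for two reasons: first, you have smashed over the airflow user's home directory by volume mounting your secret onto the image directly in a place where the image expects a directory owned by airflow.
Separately, while I would have to fire up a cluster to confirm 100%, I am pretty sure that Secret volume mounts (and, I think, their ConfigMap friends) are read-only projections into the Pod filesystems; that suspicion certainly appears to match your experience. There is certainly no expectation that changes to those volumes propagate back up to the kubernetes cluster, so why pretend otherwise.
If you want to continue to attempt such a thing, you do actually have influence over the defaultMode of the files projected into that volumeMount, so you could set them to 0666, but caveat emptor for sure. The short version is, by far, not to smash $AIRFLOW_HOME with a volume mount.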
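A manifest check for the failure both answers describe, as an added example that is not part of the original thread: it reports mounts of secret, configMap, downwardAPI or projected volumes that cover a path the container needs to write. The function name, the `writable_paths` argument and the reduced sample manifest are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Volume sources the first answer lists as read-only since Kubernetes 1.9.
READ_ONLY_SOURCES = ("secret", "configMap", "downwardAPI", "projected")

# Illustrative helper (not a Kubernetes API): writable_paths is supplied by the caller.
def find_readonly_conflicts(manifest, writable_paths):
    """Return one finding per mount of a read-only volume type that covers
    a path the container must be able to write to."""
    pod = manifest["spec"]["template"]["spec"]
    sources = {}  # volume name -> read-only source type
    for vol in pod.get("volumes", []):
        kind = next((k for k in READ_ONLY_SOURCES if k in vol), None)
        if kind:
            sources[vol["name"]] = kind
    findings = []
    for ctr in pod.get("initContainers", []) + pod.get("containers", []):
        for mount in ctr.get("volumeMounts", []):
            kind = sources.get(mount["name"])
            if kind is None:
                continue  # emptyDir and other volume types are not checked here
            root = PurePosixPath(mount["mountPath"])
            for path in map(PurePosixPath, writable_paths):
                if path == root or root in path.parents:
                    findings.append({
                        "container": ctr["name"],
                        "volume": mount["name"],
                        "source": kind,
                        "mountPath": str(root),
                        "blocks": str(path),
                        # an explicit readOnly: false does not make it writable
                        "readOnly_false_ignored": mount.get("readOnly") is False,
                    })
    return findings

# Constructed sample: the pod spec from the question, reduced to the fields used.
DEPLOYMENT = {"spec": {"template": {"spec": {
    "containers": [{"name": "webserver", "volumeMounts": [
        {"name": "airflow-config-volume", "mountPath": "/usr/local/airflow",
         "readOnly": False},
        {"name": "airflow-logs", "mountPath": "/usr/local/logs",
         "readOnly": False}]}],
    "volumes": [
        {"name": "airflow-config-volume",
         "secret": {"secretName": "airflow-config-secret"}},
        {"name": "airflow-logs", "emptyDir": {}}]}}}}

if __name__ == "__main__":
    needed = ["/usr/local/airflow/unittests.cfg", "/usr/local/logs"]
    for finding in find_readonly_conflicts(DEPLOYMENT, needed):
        print(finding)
```

Run against the question's manifest, the only finding is the secret mounted over `/usr/local/airflow`; the emptyDir log mount is not flagged.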