我正在尝试克隆一个包含子模块的存储库。主 repo 克隆正常,但是当我git submodule update --init --recursive在 dockerfile 中执行时,子模块抛出并出错。
fatal: clone of 'git@github.com:jkeys089/lua-resty-hmac.git' into submodule path '/tmp/third-party/lua-resty-hmac' failed
Failed to clone 'third-party/lua-resty-hmac'. Retry scheduled
Cloning into '/tmp/third-party/lua-resty-jwt'...
load pubkey "/root/.ssh/id_rsa": invalid format
Warning: Permanently added the RSA host key for IP address '140.82.118.3' to the list of known hosts.
Load key "/root/.ssh/id_rsa": invalid format
git@github.com: Permission denied (publickey).
在图像中我有这个
# authorise ssh host
RUN mkdir /root/.ssh/ \
&& chmod 700 /root/.ssh \
&& ssh-keyscan github.com > /root/.ssh/known_hosts
# …我有一个包含 2 个容器的 k8s YAML 文件。initContainer和主容器。我正在使用卷来安装要运行的脚本文件,initContainer但出现permission denied错误。这是片段。
volumes:
- name: casacm-script
configMap:
name: {{ include "oxauth.name" . }}-casacm-script
在initContainer我安装它就像
initContainers:
- name: {{ include "oxauth.name" .}}-init
image: gcr.io/cloud-builders/kubectl:latest
command:
- sh
- -c
- /scripts/casacm.sh
volumeMounts:
- name: casacm-script
mountPath: "/scripts/casacm.sh"
subPath: casacm.sh
我知道这个问题以前曾被问过,但前一个问题不适用于我的情况。我有 2 个部署和 2 个服务,我正在使用入口资源并且nginx ingress controller
ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend-ingress
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- http:
paths:
- path: /api
backend:
serviceName: frontend-svc
servicePort: 3000
- path: /
backend:
serviceName: static-svc
servicePort: 80
这 2 个服务的定义如下:
services.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: frontend
name: frontend-svc
spec:
ports:
- port: 3000
protocol: TCP
targetPort: 3000
selector:
app: frontend
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app: static
name: static-svc
spec: …我有一个带有2个蓝图的烧瓶应用程序。认证蓝图和事件蓝图。这就是他们的结构
`app/
auth_blueprint/
init.py
views.py
model.py
events_blueprint/
init.py
model.py
views.py
`
auth_blueprint处理用户事件。登录,注册等。我的问题是,登录后如何访问从auth_blueprint生成的令牌,并在events_blueprint中使用它来保护其他端点?
在auth_blueprint下的视图中,身份验证代码为
@authenticate.verify_password
def verify_password(username_or_token, password):
# first try to authenticate by token
user = models.User.verify_auth_token(username_or_token)
if not user:
# try to authenticate with username/password
user = models.User.query.filter_by(username = username_or_token).first()
if not user or not user.verify_password(password):
return False
g.user = user
import pdb; pdb.set_trace() #debugger
return True
#login user
@auth.route('/api/v1/auth/login')
@authenticate.login_required
def login():
token = g.user.generate_auth_token()
return jsonify({ 'token': token.decode('ascii') })
#return jsonify({'Welcome':'Login Okay'}),200
当我尝试在events_blueprint下的视图中访问g时出现错误g没有属性用户
@events.route('/api/v1/user')
def getloggeduser():
print(g) …NFS我正在尝试在部署了其他 k8s 服务的同一集群中使用卷。但使用该服务的其中一项NFS失败并显示 \nOutput: mount.nfs: mounting nfs.default.svc.cluster.local:/opt/shared-shibboleth-idp failed, reason given by server: No such file or directory
这nfs PV
apiVersion: v1\nkind: PersistentVolume\nmetadata:\n name: nfs\nspec:\n capacity:\n storage: 10Gi\n accessModes:\n - ReadWriteMany\n nfs:\n server: nfs.default.svc.cluster.local # nfs is from svc {{ include "nfs.name" .}}\n path: "/opt/shared-shibboleth-idp"\n描述nfs service
\xe2\x9e\x9c helm git:(ft-helm) \xe2\x9c\x97 kubectl describe svc nfs\nName: nfs\nNamespace: default\nLabels: app=nfs\n chart=nfs-1.0.0\n heritage=Tiller\nAnnotations: <none>\nSelector: role=nfs\nType: ClusterIP\nIP: 10.19.251.72\nPort: mountd 20048/TCP\nTargetPort: 20048/TCP\nEndpoints: 10.16.1.5:20048\nPort: nfs 2049/TCP\nTargetPort: 2049/TCP\nEndpoints: …我希望能够读取文件的内容~/.ssh/id_rsa并将其传递到图像的构建阶段。当我使用该命令docker build --build-arg SSH_PRIVATE_KEY="$(cat ~/.ssh/id_rsa)",然后尝试在构建期间在容器内回显该命令时,我变得空了。
RUN echo "$SSH_PRIVATE_KEY" > /priv_key \
&& cat /priv_key
结果是
Step 6/14 : RUN echo "$SSH_PRIVATE_KEY" > /priv_key && cat /priv_key
---> Running in c8d6e3c88cd8
Removing intermediate container c8d6e3c88cd8
在 dockerfile 中我有ARG SSH_PRIVATE_KEY.
但是当我使用虚拟文本时,docker build --build-arg SSH_PRIVATE_KEY="dummy text"我可以在日志中看到它。
这导致我的私钥格式无效,因为它是空的。
RUN echo "${SSH_PRIVATE_KEY}" >> /root/.ssh/id_rsa
我做错了什么或者没有做什么?谢谢
我一直在尝试创建一个公共云运行调用程序策略并将其绑定到我的 cb_app 云运行服务,以便可以公开它。我创建了一个自定义服务并为其分配了云管理员角色。但出现这个错误
Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account app-worker@samuel-django-project.iam.gserviceaccount.com (or it may not exist).
这是配置
resource "google_cloud_run_service_iam_member" "domain" {
service = google_cloud_run_service.cb_app.name
location = google_cloud_run_service.cb_app.location
role = "roles/run.admin"
member = "serviceAccount:${var.service_account}"
}
#create service account to run service
resource "google_service_account" "cb_app" {
account_id = "app-worker"
display_name = "app worker"
}
在应用程序服务中,我有这个
spec {
# Use locked down Service Account
service_account_name = google_service_account.cb_app.email
关于如何解决这个问题有什么想法吗?
service-accounts terraform google-iam terraform-provider-gcp google-cloud-run
kubernetes ×3
docker ×2
dockerfile ×2
bash ×1
containers ×1
docker-image ×1
flask-login ×1
git ×1
github ×1
google-iam ×1
jwt ×1
nfs ×1
python ×1
ssh ×1
terraform ×1