todaygood / openshift-lab

lab on openshift

Pod fails to start when experimenting with headless-service #13

Open todaygood opened 6 years ago

todaygood commented 6 years ago

Issue

[root@ose0 headless-service]# oc get pods -o wide 
NAME                                READY     STATUS             RESTARTS   AGE       IP            NODE
nginx-deployment-5fd7ff6cc9-blrr7   0/1       CrashLoopBackOff   38         2h        10.129.2.9    ose6.cloud.genomics.cn
nginx-deployment-5fd7ff6cc9-lvqhg   0/1       CrashLoopBackOff   21         1h        10.130.2.25   ose7.cloud.genomics.cn
webconsole-7d8f9c6d6b-jfnb7         1/1       Running            1          45d       10.130.0.10   ose1.cloud.genomics.cn
webconsole-7d8f9c6d6b-rph5v         1/1       Running            1          44d       10.128.0.11   ose0.cloud.genomics.cn
webconsole-7d8f9c6d6b-w2mlp         1/1       Running            2          45d       10.128.0.10   ose0.cloud.genomics.cn

The two nginx-deployment-XXX pods fail to start.

/var/log/messages

Sep  8 20:08:56 ose7 origin-node: I0908 20:08:56.030516   19824 kube_docker_client.go:345] Pulling image "nginx:latest": "802b00ed6f79: Downloading [================================>                  ]  14.71MB/22.49MB"
Sep  8 20:09:06 ose7 origin-node: I0908 20:09:06.030426   19824 kube_docker_client.go:345] Pulling image "nginx:latest": "e9d0e0ea682b: Extracting [=========>                                         ]  4.129MB/22.18MB"
Sep  8 20:09:07 ose7 origin-node: I0908 20:09:07.193799   19824 kube_docker_client.go:348] Stop pulling image "nginx:latest": "Status: Downloaded newer image for docker.io/nginx:latest"
Sep  8 20:09:07 ose7 systemd: Started libcontainer container 875d025c95927845f1b71de897a2642d8c16340bb670c56f8b0463e4ec8d470c.
Sep  8 20:09:07 ose7 systemd: Starting libcontainer container 875d025c95927845f1b71de897a2642d8c16340bb670c56f8b0463e4ec8d470c.
Sep  8 20:09:07 ose7 kernel: SELinux: mount invalid.  Same superblock, different security settings for (dev mqueue, type mqueue)
Sep  8 20:09:07 ose7 dockerd-current: time="2018-09-08T20:09:07.383633386+08:00" level=warning msg="Unknown healthcheck type 'NONE' (expected 'CMD') in container 875d025c95927845f1b71de897a2642d8c16340bb670c56f8b0463e4ec8d470c"
Sep  8 20:09:07 ose7 origin-node: E0908 20:09:07.387609   19824 helpers.go:135] readString: Failed to read "/sys/fs/cgroup/memory/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pode87cd901_b35f_11e8_8358_5254006ce49c.slice/docker-875d025c95927845f1b71de897a2642d8c16340bb670c56f8b0463e4ec8d470c.scope/memory.limit_in_bytes": read /sys/fs/cgroup/memory/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pode87cd901_b35f_11e8_8358_5254006ce49c.slice/docker-875d025c95927845f1b71de897a2642d8c16340bb670c56f8b0463e4ec8d470c.scope/memory.limit_in_bytes: no such device

todaygood commented 6 years ago

[root@ose0 headless-service]# oc logs nginx-deployment-5fd7ff6cc9-blrr7
2018/09/08 14:17:26 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2018/09/08 14:17:26 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

Starting nginx manually works fine.

[root@ose7 log]# docker run -idt docker.io/nginx 
7663254b013f571241b72b810d9baa4169771a60911bfe3d73f32824bb6e0b4e
[root@ose7 log]# 
[root@ose7 log]# docker ps -a |grep nginx 
7663254b013f        docker.io/nginx                                                                                                              "nginx -g 'daemon ..."   16 seconds ago      Up 16 seconds              80/tcp              pensive_poitras
3d0e7e4a78cc        docker.io/nginx@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3                                      "nginx -g 'daemon ..."   3 minutes ago       Exited (1) 3 minutes ago                       k8s_nginx_nginx-deployment-5fd7ff6cc9-lvqhg_openshift-web-console_e87cd901-b35f-11e8-8358-5254006ce49c_30
97671594d5fd        openshift/origin-pod:v3.9.0                                                                                                  "/usr/bin/pod"           2 hours ago         Up 2 hours                                     k8s_POD_nginx-deployment-5fd7ff6cc9-lvqhg_openshift-web-console_e87cd901-b35f-11e8-8358-5254006ce49c_0
[root@ose7 log]# docker logs 3d0e7e4a78cc
2018/09/08 14:19:05 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2018/09/08 14:19:05 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

The manually started nginx creates client_temp without any problem.

[root@ose7 log]# docker exec -it 7663254b013f bash
root@7663254b013f:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@7663254b013f:/# cd /var/cache/nginx/
root@7663254b013f:/var/cache/nginx# ls
client_temp  fastcgi_temp  proxy_temp  scgi_temp  uwsgi_temp

todaygood commented 6 years ago

@nicochen pointed out that this is related to SCC; see https://github.com/openshift/openshift-docs/issues/1533

It turns out that running nginx in OpenShift requires super-user privileges, RunAsAny.

Resolved with this command: oc adm policy add-scc-to-group anyuid system:authenticated

todaygood commented 6 years ago

Pending Issue

  1. How do I query the policy?

  2. How are role, user, group and policy related?
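
Added example, not part of the original thread or the openshift-lab repository: shell helpers that show which SCC admitted a pod and who an SCC is granted to (one way to approach the first pending question), and that grant `anyuid` to a single service account, where the command in the thread grants it to every authenticated user. The service-account name `nginx-sa` and the function names are assumptions; the pod, deployment and namespace names in the usage comment are taken from the output above.

```shell
#!/bin/sh
# Added example: inspect SCC state and scope the anyuid SCC to one service account.
# Assumed names: service account "nginx-sa" and all function names below.

# Print the SCC that admitted a pod; admission records it in the
# openshift.io/scc annotation of the pod.
pod_scc() {   # usage: pod_scc <pod> <namespace>
    oc get pod "$1" -n "$2" -o yaml |
        sed -n 's|^ *openshift\.io/scc: *||p'
}

# Show which users and groups an SCC is granted to.
scc_grants() {   # usage: scc_grants <scc>
    oc describe scc "$1" | grep -E '^[[:space:]]*(Users|Groups):'
}

# Grant anyuid to a dedicated service account only, then run the
# deployment under that service account.
grant_anyuid_to_deployment() {   # usage: <deployment> <namespace> [service-account]
    deploy=$1 ns=$2 sa=${3:-nginx-sa}
    oc create serviceaccount "$sa" -n "$ns" &&
    oc adm policy add-scc-to-user anyuid -z "$sa" -n "$ns" &&
    oc patch deployment "$deploy" -n "$ns" \
        -p "{\"spec\":{\"template\":{\"spec\":{\"serviceAccountName\":\"$sa\"}}}}"
}

# Remove the cluster-wide grant made by the command in the thread,
# once the scoped grant is in place.
revoke_anyuid_from_all() {
    oc adm policy remove-scc-from-group anyuid system:authenticated
}

# Usage with the names visible in the thread:
#   pod_scc nginx-deployment-5fd7ff6cc9-blrr7 openshift-web-console
#   scc_grants anyuid
#   grant_anyuid_to_deployment nginx-deployment openshift-web-console
#   revoke_anyuid_from_all
```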