Adding a password setting to the Redis image that ships with OpenShift

xiaoxiao 2022-07-12

When we use one of the images that ship with OpenShift directly, we do not know how the image was built, and we often want to look at its Dockerfile so that we can make some special settings as intended. First, `docker inspect` can be used to view the image's information; essentially everything defined in the Dockerfile can be obtained this way. Taking redis as an example, first find the node the pod is running on:

```
MacBook-Pro:~ $ oc get pods |grep redis
redis-4-zvp6z   1/1   Running   0   4h
MacBook-Pro:~ $ oc describe pod redis-4-zvp6z
Name:               redis-4-zvp6z
Namespace:          dtp-sit
Priority:           0
PriorityClassName:  <none>
Node:               phynode2.****.****/10.150.1.12
Start Time:         Thu, 23 May 2019 09:50:21 +0800
Labels:             deployment=redis-4
                    deploymentconfig=redis
                    name=redis
Annotations:        openshift.io/deployment-config.latest-version=4
                    openshift.io/deployment-config.name=redis
                    openshift.io/deployment.name=redis-4
                    openshift.io/scc=restricted
Status:             Running
IP:                 10.130.3.118
```

Log in to that node and look at the image information:

```
[root@phynode2 ~]# docker images -a |grep redis
******.default.svc:5000/openshift/redis   <none>   aea3ace85f80   18 months ago   222 MB
[root@phynode2 ~]# docker inspect aea3ace85f80
```

The output is far too long, so here are the key parts:

```
    "CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/redis",
    "REDIS_PREFIX=/opt/rh/rh-redis32/root/usr",
    "ENABLED_COLLECTIONS=rh-redis32",
    "BASH_ENV=/usr/share/container-scripts/redis/scl_enable",
    "ENV=/usr/share/container-scripts/redis/scl_enable",
    "PROMPT_COMMAND=. /usr/share/container-scripts/redis/scl_enable"
],
"Cmd": [ "run-redis" ],
```

What the image executes after starting is `run-redis`. Use `oc exec` to get into the redis pod and find this file:

```bash
MacBook-Pro$ oc exec -it redis-4-zvp6z /bin/bash
bash-4.2$ cat /usr/bin/run-redis
#!/bin/bash

export_vars=$(cgroup-limits); export $export_vars
source ${CONTAINER_SCRIPTS_PATH}/common.sh
set -eu

[ -f ${CONTAINER_SCRIPTS_PATH}/validate-variables.sh ] && source ${CONTAINER_SCRIPTS_PATH}/validate-variables.sh

# Process the Redis configuration files
log_info 'Processing Redis configuration files ...'
if [[ -v REDIS_PASSWORD ]]; then
  envsubst < ${CONTAINER_SCRIPTS_PATH}/password.conf.template >> /etc/redis.conf
else
  log_info 'WARNING: setting REDIS_PASSWORD is recommended'
fi

# Source post-init source if exists
if [ -f ${CONTAINER_SCRIPTS_PATH}/post-init.sh ]; then
  log_info 'Sourcing post-init.sh ...'
  source ${CONTAINER_SCRIPTS_PATH}/post-init.sh
fi

# Restart the Redis server with public IP bindings
unset_env_vars
log_volume_info "${REDIS_DATADIR}"
log_info 'Running final exec -- Only Redis logs after this point'
exec ${REDIS_PREFIX}/bin/redis-server /etc/redis.conf --daemonize no "$@" 2>&1
```

From this script we can see that all we need to do is set the password we want through this file:

`${CONTAINER_SCRIPTS_PATH}/password.conf.template`

Find that file:

```
bash-4.2$ cat password.conf.template
# password for the server
requirepass "${REDIS_PASSWORD}"
```

Now it is obvious: we only need to set the environment variable `REDIS_PASSWORD` in the deploymentConfig. To keep the password safe, we read the environment variable from a secret. First create a secret named `redis-secret`, either from a yaml file or directly in the console; below is the one I created:

```yaml
MacBook-Pro$ oc get secret/redis-secret -o yaml
apiVersion: v1
data:
  password: **********EhnNQ==
kind: Secret
metadata:
  creationTimestamp: 2019-05-23T07:01:19Z
  name: redis-secret
  namespace: sit
  resourceVersion: "128134724"
  selfLink: /api/v1/namespaces/dtp-sit/secrets/redis-secret
  uid: 90ae2f34-7d28-11e9-8ff3-005056aae8a2
type: Opaque
```

Next we wire this secret into the redis deploymentConfig. Mainly this means adding the following env section to the dc:

```yaml
spec:
  containers:
  - env:
    - name: REDIS_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: redis-secret
```

Redeploy and, in theory, all done! In practice the deployment kept showing as failed: the container started normally but was always killed after a few minutes. I inferred that the readiness check was the culprit; either delete the readinessProbe section from the dc entirely, or change the redis-cli command so that it logs in with the password:

```yaml
readinessProbe:
  exec:
    command:
    - /bin/sh
    - -i
    - -c
    - test "$(redis-cli -h 127.0.0.1 -a ${REDIS_PASSWORD} ping)" == "PONG"
```
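As an added example (not code from the original post), a small check that reviews a dc container spec for the two things this post ran into: `REDIS_PASSWORD` pasted into the dc as a literal instead of being read from the secret, and a readiness probe that calls `redis-cli` without `-a` and therefore fails once `requirepass` is active. The two container specs are constructed samples, written as JSON so the check runs with the standard library alone.

```python
import json

# Constructed sample in the shape of the edited dc from this post: password from
# redis-secret via secretKeyRef, readiness probe passing -a to redis-cli.
SAFE_CONTAINER = json.loads("""
{"name": "redis",
 "env": [{"name": "REDIS_PASSWORD",
          "valueFrom": {"secretKeyRef": {"name": "redis-secret", "key": "password"}}}],
 "readinessProbe": {"exec": {"command": ["/bin/sh", "-i", "-c",
     "test \\"$(redis-cli -h 127.0.0.1 -a ${REDIS_PASSWORD} ping)\\" == \\"PONG\\""]}}}
""")

# Constructed weak variant: password written into the dc itself and the stock
# probe left unchanged, which is the combination that gets the pod killed.
WEAK_CONTAINER = json.loads("""
{"name": "redis",
 "env": [{"name": "REDIS_PASSWORD", "value": "plaintext-in-dc"}],
 "readinessProbe": {"exec": {"command": ["/bin/sh", "-i", "-c",
     "test \\"$(redis-cli -h 127.0.0.1 ping)\\" == \\"PONG\\""]}}}
""")


def check_redis_container(container):
    """Return a list of findings for one container spec; an empty list means OK."""
    findings = []
    env = {e["name"]: e for e in container.get("env", [])}
    pw = env.get("REDIS_PASSWORD")
    if pw is None:
        findings.append("REDIS_PASSWORD not set: run-redis starts Redis without requirepass")
    elif "value" in pw:
        findings.append("REDIS_PASSWORD is a literal in the dc; use valueFrom.secretKeyRef")
    elif "secretKeyRef" not in pw.get("valueFrom", {}):
        findings.append("REDIS_PASSWORD valueFrom is not a secretKeyRef")
    cmd = " ".join(container.get("readinessProbe", {}).get("exec", {}).get("command", []))
    if pw is not None and "redis-cli" in cmd and " -a " not in cmd:
        findings.append("readinessProbe runs redis-cli without -a; it fails once requirepass is set")
    return findings


def check_dc(dc):
    """Check every container of a DeploymentConfig; returns {container name: findings}."""
    containers = dc["spec"]["template"]["spec"]["containers"]
    return {c["name"]: check_redis_container(c) for c in containers}


if __name__ == "__main__":
    for label, spec in (("safe", SAFE_CONTAINER), ("weak", WEAK_CONTAINER)):
        print(label, check_redis_container(spec) or "OK")
```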