update at 2024-05-06 11:43:52
parent
b46ea9e94c
commit
bda35b668a
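--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -16,13 +16,13 @@ RUN apt install -y systemd
 
 ## 示例
 
-systemd 相比业务进程比较特殊,它运行起来需要以下条件:
+`systemd` 相比业务进程比较特殊,它运行起来需要以下条件:
 
 1. 自己必须是 1 号进程,所以不能启用 `shareProcessNamespace`。
 2. 需要对 `/run` 和 `/sys/fs/cgroup` 等路径进行挂载,通常需要给到 systemd 容器一定特权。
 
 最简单的方式是将运行 systemd 的 container 设为特权容器,示例:
 
-```yaml
+```yaml showLineNumbers
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -40,15 +40,18 @@ spec:
 containers:
 - name: systemd
 image: centos:8
+# highlight-start
 command:
 - /sbin/init
+# highlight-end
 securityContext:
+# highlight-next-line
 privileged: true # 设置特权
 ```
 
 如果希望尽量减少特权,可以只读方式挂载 hostPath `/sys/fs/cgroup`,然后 capabilities 给个 `SYS_ADMIN`:
 
-```yaml
+```yaml showLineNumbers
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -69,24 +72,30 @@ spec:
 command:
 - /sbin/init
 securityContext:
+# highlight-start
 capabilities:
 add:
 - SYS_ADMIN # 设置容器权限
 privileged: false # 非特权
+# highlight-end
 volumeMounts:
+# highlight-start
 - mountPath: /sys/fs/cgroup
 name: cgroup
 readOnly: true # 只读方式挂载 cgroup 目录
+# highlight-end
 volumes:
+# highlight-start
 - hostPath:
 path: /sys/fs/cgroup
 type: ""
+# highlight-end
 name: cgroup
 ```
 
 如果用 ubuntu 安装了 systemd,用法类似的,只是启动入口变成了 `/usr/bin/systemd`:
 
-```yaml
+```yaml showLineNumbers
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -104,8 +113,10 @@ spec:
 containers:
 - name: systemd
 image: cr.imroc.cc/library/systemd:ubuntu
+# highlight-start
 command:
 - /usr/bin/systemd
+# highlight-end
 securityContext:
 capabilities:
 add:
@@ -119,4 +130,4 @@ spec:
 path: /sys/fs/cgroup
 type: ""
 name: cgroup
 ```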