我想在 openshift 上部署 apache 服务器。我的服务器在本地运行良好,但是当我在 openshift 上部署它时,遇到以下问题
(13)权限被拒绝:AH00072:make_sock:无法绑定到地址 [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
可能的原因可能是apache以root用户运行,而openshift不允许这样做!
有人可以帮我解决这个问题吗?
【问题讨论】:
标签: docker deployment openshift web-deployment
端口 80 是保留端口,默认的 OpenShift Security Context Constraints 不允许容器在此端口上运行。
您应该使用在 8080 或 8443 等端口上运行的容器映像。
【讨论】:
试试下面的配置,详情请参考Enable Container Images that Require Root 。
如果您以defaultserviceaccount 运行您的httpd pod,您可以授予anyuid scc 以作为root 用户运行。您应该重新启动您的 pod 以使您的更改生效。
# oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default
# oc adm policy add-scc-to-user anyuid -z default
# oc delete pod <your pod name>
更新:基本上 80 端口不会与主机 80 端口重复,除非使用 hostnetwork scc 运行。
因为容器使用内核的命名空间特性与主机网络隔离。
我的测试证据如下。
--- haproxy is already running with 80 port on the host.
# ss -ntlpo | grep -w :80
LISTEN 0 128 *:80 *:* users:(("haproxy",pid=22603,fd=6))
--- Create a project for testing
# oc new-project httpd-test
--- Create a httpd pod
# oc new-app --name httpd24 --docker-image=docker.io/httpd
--- Check the state of the pod
# oc get pod
NAME READY STATUS RESTARTS AGE
httpd24-1-hhp6g 0/1 CrashLoopBackOff 8 19m
# oc logs httpd24-1-hhp6g
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.201. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
--- Configure "anyuid" for running the httpd pod with 80 port
# oc get pod httpd24-1-hhp6g -o yaml | grep -wi serviceaccountname
serviceAccountName: default
# oc adm policy add-scc-to-user anyuid -z default
scc "anyuid" added to: ["system:serviceaccount:httpd-test:default"]
# oc delete pod httpd24-1-hhp6g
pod "httpd24-1-hhp6g" deleted
--- Check the state of httpd pod again
# oc get pod
NAME READY STATUS RESTARTS AGE
httpd24-1-9djkv 1/1 Running 0 1m
# oc logs httpd24-1-9djkv
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.202. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.1.202. Set the 'ServerName' directive globally to suppress this message
[Mon May 06 12:10:47.487909 2019] [mpm_event:notice] [pid 1:tid 139699524075584] AH00489: Apache/2.4.39 (Unix) configured -- resuming normal operations
[Mon May 06 12:10:47.488232 2019] [core:notice] [pid 1:tid 139699524075584] AH00094: Command line: 'httpd -D FOREGROUND'
希望对你有帮助。
【讨论】:
UPDATE 部分上方。
我鼓励您使用现有的基于 rhel7 的 Apache 服务器镜像
registry.redhat.io/rhscl/httpd-24-rhel7
这些图像支持 S2I,公开端口 8080,并且可以使用任何 UID(非 root)运行。您可以使用以下模板:HTTPD template
编辑:我已经更新了正确模板的链接。
【讨论】:
-DFOREGROUND之间不需要空格