kubernetes: how do I run nginx in the background in a Docker container and sleep in the foreground?

fdx2calv, posted 2023-04-05 in Kubernetes
Answers (1) | Views (175)

Here is my Dockerfile:

FROM nginx:1.23.3-alpine-slim
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY ping.url /
RUN apk update && \
    apk add --no-cache sudo curl busybox-extras bind-tools nmap-ncat openssl netcat-openbsd openssh git && \
    echo "nginx is up."  > /usr/share/nginx/html/index.html && \
    adduser -u 1000 -D chip && \
    echo "chip:123" | chpasswd && \
    echo "chip ALL=(ALL) ALL" > /etc/sudoers.d/chip && \
    chmod 0440 /etc/sudoers.d/chip && \
    nginx -g "daemon on;"
USER 1000
ENTRYPOINT [ "sleep", "infinity" ]

But there is no nginx process running in the background.
The image runs in a k8s pod, and when I exec into the pod I can start nginx in the background without any problem:

mark@L-R910LPKW:~/chip/toolbox-app/src [test ≡]$ k exec deployments/toolbox -c toolbox -it -- sh
/ $ ps
PID   USER     TIME  COMMAND
    1 chip      0:00 sleep infinity
   16 chip      0:00 sh
   22 chip      0:00 ps
/ $ sudo nginx -g "daemon on;"

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for chip:
2023/04/01 16:08:03 [notice] 23#23: using the "epoll" event method
2023/04/01 16:08:03 [notice] 23#23: nginx/1.23.3
2023/04/01 16:08:03 [notice] 23#23: built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4)
2023/04/01 16:08:03 [notice] 23#23: OS: Linux 5.4.0-1103-azure
2023/04/01 16:08:03 [notice] 23#23: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2023/04/01 16:08:03 [notice] 24#24: start worker processes
2023/04/01 16:08:03 [notice] 24#24: start worker process 25
2023/04/01 16:08:03 [notice] 24#24: start worker process 26
/ $ 2023/04/01 16:08:03 [notice] 24#24: start worker process 27
2023/04/01 16:08:03 [notice] 24#24: start worker process 28

/ $ ps
PID   USER     TIME  COMMAND
    1 chip      0:00 sleep infinity
   16 chip      0:00 sh
   24 root      0:00 nginx: master process nginx -g daemon on;
   25 nginx     0:00 nginx: worker process
   26 nginx     0:00 nginx: worker process
   27 nginx     0:00 nginx: worker process
   28 nginx     0:00 nginx: worker process
   29 chip      0:00 ps
/ $

When I leave the container, the nginx daemon keeps running.
So why doesn't it run in the first place? I must be messing up the Dockerfile somewhere, but where?

Edit 1

I know I can run nginx in the foreground. I specifically do not want that. One reason is that I want the default user in the container to be a non-root user of my choosing rather than root. I also know I could run the unprivileged variant of nginx.
But I want to stick with the plain nginx image as the base, have nginx run in the background, and run sleep in the foreground as the non-root user.

Edit 2

Let me add the rationale. My requirement is to build an image that hosts a simple web server answering a single URL and that bundles a few tools for troubleshooting pod-to-pod communication.
So my original Dockerfile looked like this:

FROM nginx:1.23.3-alpine-slim
RUN apk update && \
    apk add --no-cache curl busybox-extras bind-tools nmap-ncat openssl netcat-openbsd && \
    echo "nginx is up."  > /usr/share/nginx/html/index.html
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY ping.url /

where nginx.conf is:

server {
    listen       80;
    listen  [::]:80;
    server_name  localhost;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

That worked fine.
But then I decided I wanted the container to run under a non-root account.
One simple solution is to switch to the unprivileged nginx image, i.e. something like this:

FROM nginxinc/nginx-unprivileged:1.23.3-alpine-slim
USER 0
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY ping.url /
ARG chip_user_pwd
RUN apk update && \
    apk add --no-cache sudo curl busybox-extras bind-tools nmap-ncat openssl netcat-openbsd openssh git && \
    echo "nginx is up."  > /usr/share/nginx/html/index.html && \
    adduser -u 1000 -D chip && \
    echo "chip:$chip_user_pwd" | chpasswd && \
    echo "chip ALL=(ALL) ALL" > /etc/sudoers.d/chip && \
    chmod 0440 /etc/sudoers.d/chip
USER 101

But I am curious whether that is the only solution. Suppose nginx had no unprivileged alternative: what would people do to make it work? I want to learn. A possible answer right now might be: nothing, it just does not work. But I do not know enough about containers to reach that conclusion.

bvuwiixz

Answer 1

The RUN instruction is for build time, so that last line only runs while the image is being built.

RUN apk update && \
    apk add --no-cache sudo curl busybox-extras bind-tools nmap-ncat openssl netcat-openbsd openssh git && \
    echo "nginx is up."  > /usr/share/nginx/html/index.html && \
    adduser -u 1000 -D chip && \
    echo "chip:123" | chpasswd && \
    echo "chip ALL=(ALL) ALL" > /etc/sudoers.d/chip && \
    chmod 0440 /etc/sudoers.d/chip && \
    nginx -g "daemon on;"

You can add the process in the background the way the official Dockerfile does:

CMD ["nginx", "-g", "daemon off;"]

Reply to Edit 1

Option 1:

Change the ENTRYPOINT to:

ENTRYPOINT [ "/bin/sh", "-c", "nginx; sleep infinity" ]

Option 2:

Create a sample entry.sh file like this:

#!/bin/sh
nginx
sleep infinity

Add these lines and remove the ENTRYPOINT:

ADD entry.sh /
RUN chmod +x /entry.sh
CMD [ "/entry.sh"]
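As an added example (not the answerer's entry.sh and not part of the original thread), here is a variant of Option 2 that fixes two things the question's `sleep infinity` entrypoint and the `nginx; sleep infinity` one have in common: `sleep` as PID 1 does not forward SIGTERM, so deleting the pod waits out terminationGracePeriodSeconds before the kubelet sends SIGKILL, and if nginx crashes the container keeps running as if nothing happened. The script keeps a small shell as PID 1, runs nginx as a tracked background child with `daemon off;`, forwards TERM/INT to it, and exits with nginx's own status so the kubelet restarts the container. `SERVICE_CMD` is a hypothetical override that exists only so the script can be exercised with a stand-in command; it is not an nginx or Docker feature.

```shell
#!/bin/sh
# Added example (not the answerer's entry.sh): keep a small shell as PID 1,
# run the web server as a tracked background child, forward SIGTERM/SIGINT
# to it, and exit with the server's own status once it is gone.
# SERVICE_CMD is a hypothetical override used only so the script can be
# exercised with a stand-in command; in the image it defaults to nginx.

# Run $SERVICE_CMD as a background child and wait for it.
# Returns the child's exit status (128+signal if it was killed by a signal).
run_supervised() {
    service_cmd="${SERVICE_CMD:-nginx -g \"daemon off;\"}"
    child=""

    # Forward termination requests to the child. nginx treats TERM as a fast
    # shutdown and QUIT as a graceful one; change the signal name here if you
    # want in-flight connections drained first.
    trap 'kill -TERM "$child" 2>/dev/null' TERM INT

    # "daemon off;" plus exec means $child is the nginx master itself, not a
    # wrapper shell, so the forwarded signal reaches the right process.
    sh -c "exec $service_cmd" &
    child=$!

    # A trapped signal interrupts wait with a status > 128 before the child
    # has exited, so keep waiting while the child still exists; the last wait
    # collects the real exit status.
    wait "$child"
    status=$?
    while kill -0 "$child" 2>/dev/null; do
        wait "$child"
        status=$?
    done

    trap - TERM INT
    return "$status"
}

# Only act as the container entrypoint when installed as /entry.sh; loading
# the file under another name (for tests) just defines the function.
case "${0##*/}" in
    entry.sh) run_supervised; exit $? ;;
esac
```

Install it with the same ADD and chmod lines as Option 2. Whatever user the script starts as is the user the nginx master runs as: with the stock image that has to be root, because the master binds port 80 and writes /var/run/nginx.pid before the workers drop to the nginx user, which is exactly the trade-off Edit 2 asks about; the unprivileged image sidesteps it by listening on 8080 and moving the pid and temp paths to writable locations. Separately, the `chip ALL=(ALL) ALL` sudoers line in the question hands that account full root, and a password set in a RUN step is stored in the image layer for anyone who can pull the image, so as written the `USER 1000` line does not reduce privilege.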
