kubernetes kubectl exec permission denied

hlswsv35  posted 11 months ago  in  Kubernetes

I have a pod running a mariadb container, and I want to back up my database, but it fails with Permission denied

kubectl exec my-owncloud-mariadb-0 -it -- bash -c "mysqldump --single-transaction -h localhost -u myuser -ppassword mydatabase > owncloud-dbbackup_`date +"%Y%m%d"`.bak"

and the result is

bash: owncloud-dbbackup_20191121.bak: Permission denied
command terminated with exit code 1


I can't run sudo mysqldump, because I get sudo command not found
I tried exporting the backup file to different locations: /home, the directory where mysqldump is located, /usr, .
Here is the yaml of my pod:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2019-11-20T14:16:58Z"
  generateName: my-owncloud-mariadb-
  labels:
    app: mariadb
    chart: mariadb-7.0.0
    component: master
    controller-revision-hash: my-owncloud-mariadb-77495ddc7c
    release: my-owncloud
    statefulset.kubernetes.io/pod-name: my-owncloud-mariadb-0
  name: my-owncloud-mariadb-0
  namespace: default
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: StatefulSet
    name: my-owncloud-mariadb
    uid: 47f2a129-8d4e-4ae9-9411-473288623ed5
  resourceVersion: "2509395"
  selfLink: /api/v1/namespaces/default/pods/my-owncloud-mariadb-0
  uid: 6a98de05-c790-4f59-b182-5aaa45f3b580
spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - podAffinityTerm:
          labelSelector:
            matchLabels:
              app: mariadb
              release: my-owncloud
          topologyKey: kubernetes.io/hostname
        weight: 1
  containers:
  - env:
    - name: MARIADB_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          key: mariadb-root-password
          name: my-owncloud-mariadb
    - name: MARIADB_USER
      value: myuser
    - name: MARIADB_PASSWORD
      valueFrom:
        secretKeyRef:
          key: mariadb-password
          name: my-owncloud-mariadb
    - name: MARIADB_DATABASE
      value: mydatabase
    image: docker.io/bitnami/mariadb:10.3.18-debian-9-r36
    imagePullPolicy: IfNotPresent
    livenessProbe:
      exec:
        command:
        - sh
        - -c
        - exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD
      failureThreshold: 3
      initialDelaySeconds: 120
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    name: mariadb
    ports:
    - containerPort: 3306
      name: mysql
      protocol: TCP
    readinessProbe:
      exec:
        command:
        - sh
        - -c
        - exec mysqladmin status -uroot -p$MARIADB_ROOT_PASSWORD
      failureThreshold: 3
      initialDelaySeconds: 30
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /bitnami/mariadb
      name: data
    - mountPath: /opt/bitnami/mariadb/conf/my.cnf
      name: config
      subPath: my.cnf
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-pbgxr
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostname: my-owncloud-mariadb-0
  nodeName: 149.202.36.244
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1001
    runAsUser: 1001
  serviceAccount: default
  serviceAccountName: default
  subdomain: my-owncloud-mariadb
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: data-my-owncloud-mariadb-0
  - configMap:
      defaultMode: 420
      name: my-owncloud-mariadb
    name: config
  - name: default-token-pbgxr
    secret:
      defaultMode: 420
      secretName: default-token-pbgxr
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2019-11-20T14:33:22Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2019-11-20T14:34:03Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2019-11-20T14:34:03Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2019-11-20T14:33:22Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://3898b6a20bd8c38699374b7db7f04ccef752ffd5a5f7b2bc9f7371e6a27c963a
    image: bitnami/mariadb:10.3.18-debian-9-r36
    imageID: docker-pullable://bitnami/mariadb@sha256:a89e2fab7951c622e165387ead0aa0bda2d57e027a70a301b8626bf7412b9366
    lastState: {}
    name: mariadb
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: "2019-11-20T14:33:24Z"
  hostIP: 149.202.36.244
  phase: Running
  podIP: 10.42.2.56
  qosClass: BestEffort
  startTime: "2019-11-20T14:33:22Z"


Am I missing something?

pgvzfuti #1

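You probably don't have permission to write to that location inside the container. Try the command below,
using /tmp or some other location where you can dump the backup file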

kubectl exec my-owncloud-mariadb-0 -it -- bash -c "mysqldump --single-transaction -h localhost -u myuser -ppassword mydatabase > /tmp/owncloud-dbbackup_`date +"%Y%m%d"`.bak"


mwecs4sa #2

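Given the pod YAML file you've shown, you can't usefully use kubectl exec to make a database backup.
You're getting a shell inside the pod and running mysqldump there to write the dump file out somewhere else inside the pod. (which gets deleted as soon as the pod exits, including if Kubernetes decides to relocate the pod within the cluster) or the mounted database directory (and your backup will last exactly as long as the data it backs up).
I'd run mysqldump from outside the pod. (or relying on external object storage; if you're running on AWS, for example, S3), connect to the database pod, and run the backup that way. This has the advantage of being fairly self-contained (so you can debug it without interfering with the live database) and fully automated (you can launch it from a Kubernetes CronJob).
kubectl exec doesn't seem to have the same flags docker exec has to control the user identity, so you're dependent on there being some path inside the container that its default user can write to. /tmp is usually world-writable, so if you just want that specific command to work, I'd try putting the dump file into /tmp/owncloud-dbbackup_...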
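
The approach this answer describes, a separate scheduled Job that connects to the database and writes the dump to long-term storage, could look like the manifest below. This is an added example, not part of the original answer: the CronJob name and the PVC mariadb-backups are hypothetical, and it assumes the Service my-owncloud-mariadb (the pod's subdomain in the question) resolves to the database pod.

```yaml
# Added example. Reuses the image, secret, user and database names from the
# pod YAML in the question; the CronJob name and the backup PVC are hypothetical.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: owncloud-db-backup            # hypothetical name
  namespace: default
spec:
  schedule: "0 2 * * *"               # daily at 02:00
  concurrencyPolicy: Forbid           # never run two dumps at once
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001           # same non-root UID the database pod uses
            fsGroup: 1001             # lets UID 1001 write to the volume (where the volume type honors fsGroup)
          containers:
          - name: backup
            image: docker.io/bitnami/mariadb:10.3.18-debian-9-r36   # provides mysqldump
            env:
            - name: MYSQL_PWD         # read by the client, so no -p<password> on the command line
              valueFrom:
                secretKeyRef:
                  name: my-owncloud-mariadb
                  key: mariadb-password
            command:
            - sh
            - -c
            # Dump to a .part file and rename only on success, so a failed
            # run exits non-zero and never leaves a truncated .bak behind.
            - >-
              f=/backup/owncloud-dbbackup_`date +%Y%m%d`.bak;
              mysqldump --single-transaction -h my-owncloud-mariadb
              -u myuser mydatabase > "$f.part" && mv "$f.part" "$f"
            volumeMounts:
            - name: backup
              mountPath: /backup
          volumes:
          - name: backup
            persistentVolumeClaim:
              claimName: mariadb-backups   # hypothetical PVC for long-term storage
```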

ryhaxcpt #3

I ran into the same situation; add /tmp/$FILENAME or whatever target variable you have
