ECS Fargate 中的 Artifactory Docker 映像权限错误
我正在尝试使用 AWS ECS Fargate 来运行 JFrog Artifactory。我已经让它在 EC2 实例中正常工作,没有任何问题,但 ECS 给了我一些问题,我相信与它在容器内运行的 Artifactory 帐户的权限有关,但我不知道为什么会这样导致 ECS 内部出现问题,而不是在 EC2 上运行时出现问题,因为它们采购相同的 Docker 映像。我已在此处附加带有相关消息的日志以及我的任务定义。
我尝试过的事情:
- 将工作目录设置为 /usr/jfrog (没有更改任何内容)
类似的问题没有帮助:
[shell] [38;5;69m[INFO ][0m [] [installerCommon.sh:1670 ] [main] - Testing directory /opt/jfrog/artifactory/var has read/write permissions for user id 1030
/opt/jfrog/artifactory/app/bin/installerCommon.sh: line 1642: /opt/jfrog/artifactory/var/test-permissions: Permission denied
[shell] [38;5;69m[INFO ][0m [] [installerCommon.sh:1679 ] [main] - /opt/jfrog/artifactory/var DOES NOT have proper permissions for user id 1030
[shell] [38;5;69m[INFO ][0m [] [installerCommon.sh:1680 ] [main] - Directory: /opt/jfrog/artifactory/var, permissions: 755, owner: root, group: root
[shell] [38;5;69m[INFO ][0m [] [installerCommon.sh:1681 ] [main] - Mounted directory must have read/write permissions for user id 1030
[shell] [38;5;197m[ERROR][0m [] [installerCommon.sh:784 ] [main] - Directory /opt/jfrog/artifactory/var has bad permissions for user id 1030
{
"ipcMode": null,
"executionRoleArn": "xxx",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/first-run-task-definition",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": [],
"portMappings": [
{
"hostPort": 8082,
"protocol": "tcp",
"containerPort": 8082
},
{
"hostPort": 8081,
"protocol": "tcp",
"containerPort": 8081
},
{
"hostPort": 443,
"protocol": "tcp",
"containerPort": 443
}
],
"command": [],
"linuxParameters": null,
"cpu": 256,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [
{
"readOnly": null,
"containerPath": "/var/opt/jfrog/artifactory",
"sourceVolume": "artifactory-storage"
}
],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": 512,
"volumesFrom": [],
"stopTimeout": null,
"image": "releases-docker.jfrog.io/jfrog/artifactory-pro:latest",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": [],
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "petclinic-container"
}
],
"memory": "512",
"taskRoleArn": "xxx",
"family": "artifactory",
"pidMode": null,
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"runtimePlatform": null,
"cpu": "256",
"inferenceAccelerators": [],
"proxyConfiguration": null,
"volumes": [
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": {
"transitEncryptionPort": null,
"fileSystemId": "xxx",
"authorizationConfig": {
"iam": "DISABLED",
"accessPointId": null
},
"transitEncryption": "ENABLED",
"rootDirectory": "/"
},
"name": "artifactory-storage",
"host": null,
"dockerVolumeConfiguration": null
}
],
"tags": []
}
I am trying to use AWS ECS Fargate to run JFrog Artifactory. I've had it working without any issues in an EC2 instance, but ECS is giving me some problems, I believe are related to the permissions of the Artifactory account that it runs as inside the container, but I don't know why that would cause an issue inside ECS and not when running it on EC2 since they are sourcing the same Docker image. I have attached the logs with the relevant messages here, as well as my task definition.
Things I've tried:
- setting the working directory to /usr/jfrog (did not change anything)
Similar issues that did not help:
[shell] [38;5;69m[INFO ][0m [] [installerCommon.sh:1670 ] [main] - Testing directory /opt/jfrog/artifactory/var has read/write permissions for user id 1030
/opt/jfrog/artifactory/app/bin/installerCommon.sh: line 1642: /opt/jfrog/artifactory/var/test-permissions: Permission denied
[shell] [38;5;69m[INFO ][0m [] [installerCommon.sh:1679 ] [main] - /opt/jfrog/artifactory/var DOES NOT have proper permissions for user id 1030
[shell] [38;5;69m[INFO ][0m [] [installerCommon.sh:1680 ] [main] - Directory: /opt/jfrog/artifactory/var, permissions: 755, owner: root, group: root
[shell] [38;5;69m[INFO ][0m [] [installerCommon.sh:1681 ] [main] - Mounted directory must have read/write permissions for user id 1030
[shell] [38;5;197m[ERROR][0m [] [installerCommon.sh:784 ] [main] - Directory /opt/jfrog/artifactory/var has bad permissions for user id 1030
{
"ipcMode": null,
"executionRoleArn": "xxx",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/first-run-task-definition",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": [],
"portMappings": [
{
"hostPort": 8082,
"protocol": "tcp",
"containerPort": 8082
},
{
"hostPort": 8081,
"protocol": "tcp",
"containerPort": 8081
},
{
"hostPort": 443,
"protocol": "tcp",
"containerPort": 443
}
],
"command": [],
"linuxParameters": null,
"cpu": 256,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [
{
"readOnly": null,
"containerPath": "/var/opt/jfrog/artifactory",
"sourceVolume": "artifactory-storage"
}
],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": 512,
"volumesFrom": [],
"stopTimeout": null,
"image": "releases-docker.jfrog.io/jfrog/artifactory-pro:latest",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": [],
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "petclinic-container"
}
],
"memory": "512",
"taskRoleArn": "xxx",
"family": "artifactory",
"pidMode": null,
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"runtimePlatform": null,
"cpu": "256",
"inferenceAccelerators": [],
"proxyConfiguration": null,
"volumes": [
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": {
"transitEncryptionPort": null,
"fileSystemId": "xxx",
"authorizationConfig": {
"iam": "DISABLED",
"accessPointId": null
},
"transitEncryption": "ENABLED",
"rootDirectory": "/"
},
"name": "artifactory-storage",
"host": null,
"dockerVolumeConfiguration": null
}
],
"tags": []
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
对我有用的是将
用户:root添加到我的docker-compose文件中。例子:
What has worked for me was adding in
user: rootto my docker-compose file.example:
事实证明解决办法很简单,和EFS盘的权限有关。所有子文件夹均归其运行帐户所有,但文件夹本身并非如此。在我试图安装的文件夹中运行 sudo chown 1030:1030 . 解决了我的所有问题。
之前和之后:
It turns out the solution was very simple, and related to the permissions on the EFS disk. All of the subfolders were owned by the account it was running as, but the folder itself was not. Running
sudo chown 1030:1030 .while in the folder I was trying to mount fixed all of my problems.Before and after: