问题描述
我通过 k8 cronjob 成功地将我的 rds 备份容器化为 s3 上传。但是,它仅在端口 5432 在 0.0.0.0/0 上打开时有效。基于此 Accessing RDS from within a Docker container not getting through security group? 解决方法是在 docker 容器上设置 --net=host ,我仍在努力弄清楚如何。我的 DNS 服务器是 10.122.8.2。列出以下代码:
Dockerfile
FROM private/registry:rds-backup # this is a private registry
# Use root user for packages installation
USER root
# Install packages
RUN yum update -y && yum upgrade -y
# Install curl
RUN yum install curl -y
# Install unzip and zip
RUN yum install zip unzip -y
# Install aws cli
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
RUN unzip awscliv2.zip
RUN ./aws/install
# Make sure that your shell script file is in the same folder as your dockerfile while running the docker build command as the below command will copy the file to the /home/root/ folder for execution
copY . /home/root/
# Add user
RUN groupadd --system user && adduser --system user --no-create-home --gid user
RUN chown -R user:user /home/root/ && chmod -R 777 /home/root/
# Switch to non-root user
USER user
# Run service
CMD ["postgres"]
我的构建命令 docker built -t private/registry:rds-backup .
我的 postgres-backup.sh 脚本:
#file-name: postgres-backup.sh
#!/bin/bash
export DUMP_FILE=backup_`date +%Y%m%d_%H%M%s`.dump.sql
export PGPASSWORD=adminadmin
cd /home/root
mkdir pg-backup
cd pg-backup
pg_dump -h database-k8.name.region.rds.amazonaws.com -U postgres -d k8rdsbackup -Fp > $DUMP_FILE
# s3 upload
aws s3 cp $DUMP_FILE s3://k8rdsbackup-test/dev/
backup-postgres-cronjob.yaml
#file-name: postgresql-backup-cron-job.yaml
apiVersion: batch/v1beta1
kind: CronJob
Metadata:
name: postgresql-backup-cron-job
namespace: rds-backup-test
spec:
#Cron Time is set according to server time,ensure server time zone and set accordingly.
schedule: "*/5 * * * *"
jobTemplate:
spec:
template:
spec:
imagePullSecrets:
- name: rds
containers:
- name: postgresql-backup-job-pod
image: private/registry:rds-backup # this is a private registry
imagePullPolicy: Always
args:
- /bin/bash
- -c
- cd /home/root; ls; bash postgres-backup.sh;
restartPolicy: OnFailure
backoffLimit: 3
我当前在堡垒中的 systemd docker.service 单元文件如下:
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --dns 10.122.8.2 --dns 8.8.8.8 --dns 8.8.4.4
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
如您所见,我在 --dns 10.122.8.2 --dns 8.8.8.8 --dns 8.8.4.4 的末尾添加了 ExecStart 并使用以下这些重新加载了守护程序,但没有运气。请帮忙!
sudo systemctl daemon-reload
sudo systemctl restart docker.service
解决方法
主机网络 (--net=host) 是每个容器的设置,而不是 Docker 守护程序设置,用于 docker create 或 docker run
docker run --net=host --detach me/myimage
请注意,这会给容器 full access to the hosts network。