本文分享自华为云社区《nginx.conf以configmap文件形式挂载到nginx容器中以及subpath使用场景》,作者:可以交个朋友。
背景
nginx.conf通过configmap文件形式挂载到容器内,可以更加方便的修改nginx.conf配置
方案简介
将配置文件nginx.conf以configmap文件的方式挂载到容器中。为了更通用,可以将使用主nginx.conf include 指定xx.conf方式,主nginx.conf作为一个cm,具体xx.conf对应一个cm
configmap可以通过ENV环境变量和文件两种方式挂载到容器中,修改configmap后容器中对应的ENV环境变量不会更新;修改configmap后容器中对应的file会自动更新,如果以subpath方式挂载文件,文件内容不会自动更新
将nginx.conf作为configmap挂载到容器中
1.创建configmap
apiVersion: v1 kind: ConfigMap metadata: name: nginx-config namespace: default data: nginx.conf: |+ user nginx; worker_processes 8; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; keepalive_timeout 65; #gzip on; include /etc/nginx/conf.d/*.conf; } --- apiVersion: v1 kind: ConfigMap metadata: name: nginx-server-config namespace: default data: server1.conf: |+ server { listen 80; server_name server1.com; location / { root /usr/share/nginx/html/; index index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } server2.conf: |+ server { listen 81; server_name server2.com; location / { root /usr/share/nginx/html/; index index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } }
2.部署nginx业务使用对应的cm
apiVersion: apps/v1 kind: Deployment metadata: labels: version: v1 name: test-reload namespace: default spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app: test-reload template: metadata: labels: app: test-reload spec: containers: - image: nginx:latest imagePullPolicy: Always name: container-1 volumeMounts: - mountPath: /etc/nginx/conf.d name: vol-168233491311961268 - mountPath: /etc/nginx/nginx.conf name: vol-168249948123126427 readOnly: true subPath: nginx.conf dnsPolicy: ClusterFirst imagePullSecrets: - name: default-secret restartPolicy: Always volumes: - configMap: defaultMode: 420 name: nginx-server-config name: vol-168233491311961268 - configMap: defaultMode: 420 name: nginx-config name: vol-168249948123126427
subpath拓展
subpath的作用如下:
- 避免覆盖。如果挂载路径是一个已存在的目录,则目录下的内容不会被覆盖。直接将configMap/Secret挂载在容器的路径,会覆盖掉容器路径下原有的文件,使用subpath选定configMap/Secret的指定的key-value挂载在容器中,则不会覆盖掉原目录下的其他文件
- 文件隔离。pod中含有多个容器公用一个日志volume,不同容器日志路径挂载的到不同的子目录,而不是根路径(Subpath目录会在底层存储自动创建且权限为777,无需手动创建)
避免覆盖效果演示
1.创建一个工作负载nginx,并用普通方式挂载configmap配置文件
apiVersion: v1 kind: ConfigMap metadata: name: config data: test-subpath.conf: |+ test subpath; --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: test name: test spec: replicas: 1 selector: matchLabels: app: test template: metadata: labels: app: test spec: volumes: - configMap: defaultMode: 420 name: config name: vol-168249948123126427 containers: - image: centos:latest name: centos command: - /bin/bash args: - -c - while true;do sleep 1 && echo hello;done volumeMounts: - mountPath: /tmp name: vol-168249948123126427
2.使用docker inspect ${容器id}命令查看容器挂载信息,挂载目标为tmp目录,tmp目录下原有内容被覆盖
[root@test-746c64649c-pzztn /]# ls -l /tmp/ total 0 lrwxrwxrwx 1 root root 24 Feb 27 03:02 test-subpath.conf -> ..data/test-subpath.conf
3.创建一个工作负载nginx,并用subpath方式挂载configmap配置文件
apiVersion: v1 kind: ConfigMap metadata: name: config data: test-subpath.conf: |+ test subpath; --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: test name: test spec: replicas: 1 selector: matchLabels: app: test template: metadata: labels: app: test spec: volumes: - configMap: defaultMode: 420 name: config name: vol-168249948123126427 containers: - image: centos:latest name: centos command: - /bin/bash args: - -c - while true;do sleep 1 && echo hello;done volumeMounts: - mountPath: /tmp/test-subpath.conf name: vol-168249948123126427 subPath: test-subpath.conf
4.使用docker inspect ${容器Id}命令查看容器挂载信息,挂载目标为test-subpath.conf文件,所以tmp目录下原来的文件不会被覆盖
[root@test-7b64fd6bb-56lpp /]# ls -l /tmp/ total 12 -rwx------ 1 root root 701 Dec 4 2020 ks-script-esd4my7v -rwx------ 1 root root 671 Dec 4 2020 ks-script-eusq_sc5 -rw-r--r-- 1 root root 14 Feb 27 03:07 test-subpath.conf
文件隔离演示
1.创建工作负载test,使用hostPath卷类型持久化日志文件
apiVersion: apps/v1 kind: Deployment metadata: labels: app: test name: test spec: replicas: 2 selector: matchLabels: app: test template: metadata: labels: app: test spec: volumes: - hostPath: path: /tmp/log #该路径必须在节点上已存在 name: vol-168249948123126427 containers: - image: centos:latest name: centos env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name command: - /bin/bash args: - -c - while true;do echo $(POD_NAME) >> /tmp/log/app.log && sleep 900 ;done volumeMounts: - mountPath: /tmp/log name: vol-168249948123126427 subPathExpr: $(POD_NAME)
2.两个Pod实例调度至同一个节点
[root@test ~]# kubectl get pod -owide -l app=test NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES test-69dfc665cd-2nhg5 1/1 Running 0 95s 172.16.4.59 172.16.2.172test-69dfc665cd-z7rsj 1/1 Running 0 77s 172.16.4.25 172.16.2.172
3.进入容器内查看日志文件
[root@test ~]# kubectl exec -it test-69dfc665cd-2nhg5 bash [root@test-69dfc665cd-2nhg5 /]# cat /tmp/log/app.log test-69dfc665cd-2nhg5 [root@test-69dfc665cd-2nhg5 /]# exit exit [root@test ~]# kubectl exec -it test-69dfc665cd-z7rsj bash [root@test-69dfc665cd-z7rsj /]# cat /tmp/log/app.log test-69dfc665cd-z7rsj
4.在节点上查看挂载路径,每个Pod的日志文件用目录进行隔离,目录名为Pod名称
[root@172 log]# pwd /tmp/log [root@172 log]# ll total 0 drwxr-xr-x 2 root root 60 Feb 27 15:08 test-69dfc665cd-2nhg5 drwxr-xr-x 2 root root 60 Feb 27 15:09 test-69dfc665cd-z7rsj [root@172 log]# cat test-69dfc665cd-2nhg5/app.log test-69dfc665cd-2nhg5 [root@172 log]# cat test-69dfc665cd-z7rsj/app.log test-69dfc665cd-z7rsj