我有一个具有特定业务逻辑的 python Azure 函数。
在 Dockerfile 中,我想以非 root 用户身份运行容器,因此我执行了以下操作:
FROM mcr.microsoft.com/azure-functions/python:3.0-python3.8
.
.
.
RUN useradd -u 1001 -m fem-downloader
RUN chown -R 1001:1001 /home/
# I Changed the AzureWebJobsScriptRoot value to this new user path
ENV AzureWebJobsScriptRoot=/home/fem-downloader/wwwroot \
AzureFunctionsJobHost__Logging__Console__IsEnabled=true
USER fem-downloader
COPY --chown=fem-downloader:fem-downloader requirements.txt requirements.txt
RUN pip install -r requirements.txt
COPY --chown=fem-downloader:fem-downloader . /home/fem-downloader/wwwroot
WORKDIR /home/fem-downloader/wwwroot/HttpTrigger/
ENV PATH="/home/fem-downloader/.local/bin:/home/.local/bin:${PATH}"
RUN pip install pytest && python3 -m pytest --verbose
当我在本地运行 Azure 函数时,它可以工作:
docker run -ti -p 8001:80 --name my-azure-function my-azure-function:nonroot
info: Host.Startup[0]
Found the following functions:
Host.Functions.HttpTrigger
info: Microsoft.Azure.WebJobs.Script.WebHost.WebScriptHostHttpRoutesManager[0]
Initializing function HTTP routes
Mapped function route 'api/HttpTrigger' [post] to 'HttpTrigger'
info: Host.Startup[412]
Host initialized (202ms)
info: Host.Startup[413]
Host started (211ms)
info: Host.Startup[0]
Job host started
Hosting environment: Production
Content root path: /home/my-project/wwwroot/HttpTrigger
Now listening on: http://[::]:80
Application started. Press Ctrl+C to shut down.
info: Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcFunctionInvocationDispatcher[0]
Worker process started and initialized.
info: Host.General[316]
Host lock lease acquired by instance ID '00000000000000000000000043EEAD9A'.
即使我通过发送期望的参数来测试它:
> curl -X POST http://localhost:8001/ -d "stream_id=XXXX&file_type=SCIA&server_url=https://aaaa.bbbbb.cccccc.digital"
<!DOCTYPE html>
<html>
<head>
<title>Your Azure Function App is up and running.</title>
<style type="text/css">
@font-face {
font-family: 'SegoeLight';
src: url(//:) format('no404'), url(data:font/woff;charset=utf-8;base64,d09GRgABAAAAAFbcABAAAAAAjewAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABGRlRNAAABbAAAABsAAAAcWqtaPUdERUYAAAGIAAAAHQAAACABGAADT1MvMgAAAagAAABYAAAAYGrqcLZjbWFwAAACAAAAAaIAAAIKczqUA2N2dCAAAAOkAAAATAAAAEwOEAwRZnBnbQAAA/AAAAGxAAACZQ+0L6dnYXNwAAAFpAAAAAwAAAAMAAMAB2dseWYAAAWwAABJAAAAe3CDYeDNaGVhZAAATrAAAAAxAAAANv
但是当我将其部署在 Azure 上时,我检查了日志:
2021-02-12T21:42:12.204812448Z warn: Host.Startup[0]
2021-02-12T21:42:12.205484355Z No job functions found. Try making your job classes and methods public. If you're using binding extensions (e.g. Azure Storage, ServiceBus, Timers, etc.) make sure you've called the registration method for the extension(s) in your startup code (e.g. builder.AddAzureStorage(), builder.AddServiceBus(), builder.AddTimers(), etc.).
2021-02-12T21:42:12.212736520Z info: Microsoft.Azure.WebJobs.Script.WebHost.WebScriptHostHttpRoutesManager[0]
2021-02-12T21:42:12.212758420Z Initializing function HTTP routes
2021-02-12T21:42:12.212763520Z No HTTP routes mapped
2021-02-12T21:42:12.204812448Z warn: Host.Startup[0]
2021-02-12T21:42:12.205484355Z No job functions found. Try making your job classes and methods public. If you're using binding extensions (e.g. Azure Storage, ServiceBus, Timers, etc.) make sure you've called the registration method for the extension(s) in your startup code (e.g. builder.AddAzureStorage(), builder.AddServiceBus(), builder.AddTimers(), etc.).
2021-02-12T21:42:12.212736520Z info: Microsoft.Azure.WebJobs.Script.WebHost.WebScriptHostHttpRoutesManager[0]
2021-02-12T21:42:12.212758420Z Initializing function HTTP routes
2021-02-12T21:42:12.212763520Z No HTTP routes mapped
该套接字地址错误是因为容器无法初始化,这是由于我提供的 AzureWebJobsScriptRoot 的配置值所致,我的意思是路由的更改。
ENV AzureWebJobsScriptRoot=/home/fem-downloader/wwwroot \
AzureFunctionsJobHost__Logging__Console__IsEnabled=true
继续阅读,我发现 this issue
it doesn't seem like Azure is honoring the AzureWebJobsScriptRoot setting. If I set it to something like D:\home\site\wwwroot\foo, it is still loading functions from D:\home\site\wwwroot (even though I have host.json and function folders under D:\home\site\wwwroot\foo).
The setting seems to work correctly in local environments, but not on Azure.
寻找at the azure function host project ,默认情况下,WebHostScriptPath 配置如下:Data[WebHostScriptPathProperty] = Path.Combine(home, "site", "wwwroot");
config settings也确认一下。
正如他们在该问题中讨论的那样,Azure 似乎有充分的理由不允许更改此 AzureWebJobsScriptRoot 值。
更新
即使我尝试将此路径设置为默认值,另一方面,与非 root 用户一起为其授予对该路径 (/home/site/wwwroot) 的权限这样没有成功:
FROM mcr.microsoft.com/azure-functions/python:3.0-python3.8
RUN useradd -u 1001 -m fem-downloader
RUN chown -R 1001:1001 /home/
# ENV AzureWebJobsScriptRoot=/home/fem-downloader/wwwroot \
# AzureFunctionsJobHost__Logging__Console__IsEnabled=true
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
AzureFunctionsJobHost__Logging__Console__IsEnabled=true
USER fem-downloader
COPY --chown=fem-downloader:fem-downloader requirements.txt requirements.txt
RUN pip install -r requirements.txt
# COPY --chown=fem-downloader:fem-downloader . /home/fem-downloader/wwwroot
COPY --chown=fem-downloader:fem-downloader . /home/site/wwwroot
# WORKDIR /home/fem-downloader/wwwroot/HttpTrigger/
WORKDIR /home/site/wwwroot/HttpTrigger/
# ENV PATH="/home/fem-downloader/.local/bin:/home/.local/bin:${PATH}"
ENV PATH="/home/site/.local/bin:/home/.local/bin:${PATH}"
RUN pip install pytest && python3 -m pytest --verbose
当该函数部署在 Azure 上时,我得到了相同的结果。
这个主题很可能可以通过权限进行管理,因此我决定通过访问创建的容器来检查目录上的现有权限,我们得到了755,因此用户的所有权限,执行,并为组和其他人读取:
fem-downloader@cdf0ec64f1ce:~$ pwd
/home
fem-downloader@cdf0ec64f1ce:~$ ls -all
total 48
drwxr-xr-x 1 fem-downloader fem-downloader 4096 Feb 15 12:36 .
drwxr-xr-x 1 root root 4096 Feb 15 12:36 ..
drwxr-xr-x 3 fem-downloader fem-downloader 4096 Feb 15 12:36 .aspnet
drwxr-xr-x 1 fem-downloader fem-downloader 4096 Feb 15 10:46 .cache
drwx------ 1 fem-downloader fem-downloader 4096 Feb 15 10:47 .local
drwxr-xr-x 3 fem-downloader fem-downloader 4096 Feb 15 12:36 LogFiles
drwxr-xr-x 1 fem-downloader fem-downloader 4096 Feb 12 20:25 fem-downloader
# /home/site directory
drwxr-xr-x 1 fem-downloader fem-downloader 4096 Feb 15 10:47 site
fem-downloader@cdf0ec64f1ce:~$
检查/home/site/目录的权限:
fem-downloader@cdf0ec64f1ce:~$ stat -c "%a %A" site
755 drwxr-xr-x
fem-downloader@cdf0ec64f1ce:~$
检查/home/site/wwwroot/目录的权限:
fem-downloader@cdf0ec64f1ce:~/site$ stat -c "%a %A" wwwroot/
755 drwxr-xr-x
fem-downloader@cdf0ec64f1ce:~/site$
我在 azure 上成功部署该功能的唯一方法是以 root 用户身份运行我的容器:
# Intermediate stage when installing pip packages and other requirements
.
.
FROM mcr.microsoft.com/azure-functions/python:3.0-python3.8
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
AzureFunctionsJobHost__Logging__Console__IsEnabled=true
COPY --from=intermediate /usr/local/lib/python3.8/site-packages/ /usr/local/lib/python3.8/site-packages/
ADD requirements.txt /
RUN pip install -r /requirements.txt
ADD . /home/site/wwwroot
WORKDIR /home/site/wwwroot/HttpTrigger/
RUN pip install pytest && pytest --verbose
然后该函数设法联系存储帐户以下载我们在上面完成的请求中指示的资源:
***"container": "xxxx", "file_name": "PNd5efdCf-SCIA-xxxxxxx.zip", "sas_url": "abc0spec0test0xxxdwblob0.blob.core.windows.net/xxx/PNd5efdCf-SCIA-xxxxxxx.zip?sv=2018-03-28&ss=b&srt=co&sp=r&se=2021-02-12T19%3A45%3A28Z&st=2021-02-12T18%3A40%3A28Z&spr=https&sig=xxxxxxxxxxxxxxxxxx
我只是想在这里提供尽可能多的细节,只是为了看看是否有人经历过同样的事情。
不确定从 Dockerfile 的角度来看我是否可以做一些事情来欺骗 Azure 配置设置,看起来不行,但问题是我不想以 root 身份运行我的容器用户
更改 AzureWebJobsScriptRoot 变量似乎没有什么可做的吗?
最佳答案
您是否在 ASE(应用服务环境)中运行?看起来仅当您在 ASE 中执行时,该值才会设置为 Path.Combine(home, "site", "wwwroot")。如果您不在 ASE 中,则值 should be read from the variable
GetEnvironmentVariable(EnvironmentSettingNames.AzureWebJobsScriptRoot);
话虽如此,这似乎是一个问题 being investigated (或至少已记录)此刻。
解决该问题的一种方法(尽管我知道这不是最佳方法)是通过设置 function access level 来处理函数外部的身份验证问题。 。在这种情况下(当 Azure 完成安全检查时),该函数无需创建非 root 用户(该用户已经为您工作)作为 Azure 使用的默认用户即可运行。
关于python - 容器化 Azure 函数 - 从 Dockerfile 更改 AzureWebJobsScriptRoot 变量,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/66179732/