Docker can't write to directory mounted using -v unless it has 777 permissions


Problem description

I am using the docker-solr image with docker, and I need to mount a directory inside it which I achieve using the -v flag.

The problem is that the container needs to write to the directory that I have mounted into it, but doesn't appear to have the permissions to do so unless I do chmod 777 on the entire directory. I don't think setting the permission to allow all users to read and write to it is the solution, but just a temporary workaround.

Can anyone guide me in finding a more canonical solution?

I've been running docker without sudo because I added myself to the docker group. I just found that the problem is solved if I run docker with sudo, but I am curious if there are any other solutions.

Recommended answer

More recently, after looking through some official docker repositories I've realized the more idiomatic way to solve these permission problems is using something called gosu in tandem with an entry point script. For example, take an existing docker project such as solr, the same one I was having trouble with earlier.

The dockerfile on Github very effectively builds the entire project, but does nothing to account for the permission problems.

So to overcome this, first I added the gosu setup to the dockerfile (if you implement this, notice that the version 1.4 is hardcoded; you can check for the latest releases here).

# grab gosu for easy step-down from root
# the release binary is downloaded together with its detached signature and
# checked against the signing key before it is made executable
RUN mkdir -p /home/solr \
    && gpg --keyserver pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
    && curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.4/gosu-$(dpkg --print-architecture)" \
    && curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.4/gosu-$(dpkg --print-architecture).asc" \
    && gpg --verify /usr/local/bin/gosu.asc \
    && rm /usr/local/bin/gosu.asc \
    && chmod +x /usr/local/bin/gosu

Now we can use gosu, which is basically the exact same as su or sudo, but works much more nicely with docker. From the description for gosu:

This is a simple tool grown out of the simple fact that su and sudo have very strange and often annoying TTY and signal-forwarding behavior.

Now the other changes I made to the dockerfile were adding these lines:

COPY solr_entrypoint.sh /sbin/entrypoint.sh
RUN chmod 755 /sbin/entrypoint.sh
ENTRYPOINT ["/sbin/entrypoint.sh"]

just to add my entrypoint file to the docker container.

and removing the line:

USER $SOLR_USER

So that by default you are the root user. (which is why we have gosu to step-down from root).

Now as for my own entrypoint file, I don't think it's written perfectly, but it did the job.

#!/bin/bash

set -e

export PS1="\w:\u docker-solr-> "

# step down from root when just running the default start command
case "$1" in
    start)
        # hand the (possibly host-mounted) data directory to the solr user
        chown -R solr /opt/solr/server/solr
        # replace this shell with solr running as the unprivileged user
        exec gosu solr /opt/solr/bin/solr -f
    ;;
    *)
        # anything else runs as root; "$@" is quoted so arguments containing spaces survive
        exec "$@"
    ;;
esac

A docker run command takes the form:

docker run <flags> <image-name> <passed in arguments>

Basically the entrypoint says if I want to run solr as per usual we pass the argument start to the end of the command like this:

docker run <flags> <image-name> start

and otherwise run the commands you pass as root.

The start option first gives the solr user ownership of the directories and then runs the default command. This solves the ownership problem because unlike the dockerfile setup, which is a one time thing, the entry point runs every single time.

So now if I mount directories using the -d flag, before the entrypoint actually runs solr, it will chown the files inside of the docker container for you.

As for what this does to your files outside the container I've had mixed results because docker acts a little weird on OSX. For me, it didn't change the files outside of the container, but on another OS where docker plays more nicely with the filesystem, it might change your files outside, but I guess that's what you'll have to deal with if you want to mount files inside the container instead of just copying them in.
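As an added example, not the answer's own script or anything from the docker-solr project: an entrypoint in the same style that avoids running chown -R over the whole mount on every start (and the host-side ownership change the answer mentions) by aligning the service user's UID to the volume owner's UID instead, falling back to chown only when the directory is still owned by root (a freshly created volume). It still ends by stepping down with gosu. Assumed names: solr as the service user, /opt/solr/server/solr as the mount point, and usermod, gosu and GNU stat being present in the image.

```shell
#!/bin/bash
# Added example entrypoint; names below are assumptions, not the answer's values.
set -eu

APP_USER="${APP_USER:-solr}"                      # assumed service account
DATA_DIR="${DATA_DIR:-/opt/solr/server/solr}"     # assumed mount point

# Numeric UID owning a path (GNU coreutils stat syntax, as in a Debian-based image).
owner_uid() {
    stat -c '%u' "$1"
}

# True (exit 0) when the directory is not owned by the given uid, i.e. when
# ownership must be reconciled before dropping privileges.
needs_fix() {
    local dir="$1" uid="$2"
    [ "$(owner_uid "$dir")" != "$uid" ]
}

# Make the service user's uid match the volume owner instead of chown -R over
# the mount: files on the host keep their owner and the cost does not grow
# with the number of files. -o permits a uid that another account already has.
align_user_to_volume() {
    local dir="$1" user="$2"
    local vol_uid cur_uid
    vol_uid="$(owner_uid "$dir")"
    cur_uid="$(id -u "$user")"
    if [ "$vol_uid" != "$cur_uid" ]; then
        usermod -o -u "$vol_uid" "$user"
    fi
}

main() {
    case "${1:-}" in
        start)
            if [ "$(owner_uid "$DATA_DIR")" = 0 ]; then
                # root-owned (e.g. brand-new) volume: give it to the service user once
                chown -R "$APP_USER" "$DATA_DIR"
            elif needs_fix "$DATA_DIR" "$(id -u "$APP_USER")"; then
                align_user_to_volume "$DATA_DIR" "$APP_USER"
            fi
            # replace the shell with solr running as the unprivileged user
            exec gosu "$APP_USER" /opt/solr/bin/solr -f
            ;;
        *)
            # any other command runs as root, arguments passed through intact
            exec "$@"
            ;;
    esac
}

# Dispatch only when arguments were supplied, so the helpers can be sourced on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this script installed as the ENTRYPOINT, `docker run <flags> <image-name> start` behaves as in the answer, but a bind mount owned by your host user no longer has its files chowned on every start; the solr account inside the container simply takes on that uid, which is also what you want when you later inspect the files from the host.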
