在卷上对CNB Docker映像进行写访问 [英] Write access on volume for CNB Docker image

问题描述

我正在开发一个应将其迁移到docker容器(用于在服务器上作为systemd服务运行)的Spring Boot应用程序该应用程序在文件系统上读写可配置的路径-现在让我们假设它是/var/mypath

I am working on a spring boot application that should be migrated into a docker container (used to run as a systemd service on a server) The app reads and writes a configurable path on the file system - lets for now assume it is /var/mypath

我使用了springs gradle插件中的 bootBuildImage 任务构建了一个docker镜像.它使用了看起来是默认的构建器映像，即 gcr.io/paketo-buildpacks/builder 来构建应用程序映像.

I built a docker image using the bootBuildImage task from springs gradle plugin. it used what appears to be the default builder image, namely gcr.io/paketo-buildpacks/builder to build the application image.

因此，在docker compose文件中，我定义了一个堆栈，其中包含(不重要的)mysql数据库和spring boot应用程序，如下所示:

Consequently, in a docker compose file, I defined a stack, with the (unimportant) mysql db and the spring boot app like this:

version: "3.8"

services:
  backend_db:
    container_name: "backend_db"
    image: "mariadb:latest"
    # ...

  backend_app:
    depends_on:
      - "backend_db"
    container_name: "backend_app"
    image: "myImageName:latest"
    restart: always
    ports:
      - 8080:8080
    volumes:
      - "app:/var/mypath"
    environment:
      # mysql data etc...

volumes:
  db:
  app:

当我使用 docker-compose up 启动它时，spring-boot应用程序没有对/var/mypath 的写权限.我发现，显然CNB构建使spring应用程序以用户 cnb 的身份运行.我想，该卷是作为root创建的，只有root具有对此卷的写访问权.

When I start it up with docker-compose up, the spring-boot application does not have write access on /var/mypath. I figured out, that apparently the CNB build makes the spring application run as user cnb. I suppose, the volume is created as root and only root has write access to it.

手动小丑方法似乎不是最佳选择，因为我希望能够仅在服务器上 docker-compose up 并完成操作，而不是手动地但无论如何都要反复进行:我尝试从容器内 chown 到cnb用户的卷没有成功:

The manual-chown approach seems suboptimal, since I would have expected to be able to just docker-compose up on a server and be done, instead of manually chowning around but anyways: I have tried to chown the volume to the cnb user from within the container without success:

chown cnb/var/mypath/chown:更改"/var/mypath/"的所有权:不允许操作

chown cnb /var/mypath/ chown: changing ownership of '/var/mypath/': Operation not permitted

如何确定Spring Boot应用程序可以写入该卷?

How can I make sure, that the spring boot application can write the volume?

推荐答案

我毕竟设法对卷进行了chown/chgrp-我的错误是它不能在容器内工作(没有sudo)-但它可以工作从外部使用docker exec，指定root用户:

I managed to chown/chgrp the volume after all - my mistake was that it does not work from within the container (there is no sudo) - but it works from outside using docker exec, specifying the root user:

docker exec -u 0 -it backend_app chown cnb /var/mypath
docker exec -u 0 -it backend_app chgrp cnb /var/mypath

用户@Stuck还通过创建另一个docker-image层提出了一种更精细的方法:可以`bootBuildImage`创建可写卷?

User @Stuck also suggested a more elaborate approach by creating another docker-image layer: can `bootBuildImage` create writeable volumes?

Spring的Andy Wilkinson指出，这是Docker的一个普遍问题-因此，如果将来出现其他解决方案，我很高兴对此问题进行更新.

Andy Wilkinson from Spring pointed out that this is a general Docker issue - so if some other solution pops up in the future, I'm glad to update this question.

这篇关于在卷上对CNB Docker映像进行写访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！