带有'-user'的Docker无法写入具有不同所有权的卷 [英] Docker with '--user' can not write to volume with different ownership

问题描述

为了使docker正常工作，我在各种权限组合方面都做了很多工作，但是...首先，我的环境是:

I've played a lot with any rights combinations to make docker to work, but... at first my environment:

Ubuntu Linux 15.04和Docker版本1.5.0，构建a8a31ef.

Ubuntu linux 15.04 and Docker version 1.5.0, build a8a31ef.

我有一个目录'/test/dockervolume'，组用户中有两个用户user1和user2

I have a directory '/test/dockervolume' and two users user1 and user2 in a group users

chown user1.users /test/dockervolume
chmod 775 /test/dockervolume
ls -la
drwxrwxr-x  2 user1 users 4096 Oct 11 11:57 dockervolume

user1和user2都可以在此目录中写入删除文件.我使用标准的docker ubuntu:15.04映像.用户1的ID为1000，用户2的ID为1002.

Either user1 and user2 can write delete files in this directory. I use standard docker ubuntu:15.04 image. user1 has id 1000 and user2 has id 1002.

我用下一条命令运行docker:

I run docker with next command:

docker run -it --volume=/test/dcokervolume:/tmp/job_output --user=1000 --workdir=/tmp/job_output ubuntu:15.04 

在docker内部，我只是执行简单的触摸测试"，它适用于ID为1000的user1.当我以--user 1002运行docker时，我无法写入该目录:

Within docker I just do simple 'touch test' and it works for user1 with id 1000. When I run docker with --user 1002 I can't write to that directory:

I have no name!@6c5e03f4b3a3:/tmp/job_output$ touch test2
touch: cannot touch 'test2': Permission denied
I have no name!@6c5e03f4b3a3:/tmp/job_output$ 

请注意，如果不在docker中，则两个用户都可以写入该目录.

Just to be clear both users can write to that directory if not in docker.

所以我的问题是docker设计的这种行为，还是一个错误，或者我错过了手册中的某些内容?

So my question is this behavior by docker design or it is a bug or I missed something in the manual?

推荐答案

docker的--user参数仅更改id，而不更改docker中的组id.因此，在docker中，我有:

docker's --user parameter changes just id not a group id within a docker. So, within a docker I have:

id
uid=1002 gid=0(root) groups=0(root)

它与原始系统中的组= 1000(用户)的情况不同

and it is not like in original system where I have groups=1000(users)

因此，一种解决方法可能是将passwd和组文件映射到docker中.

So, one workaround might be mapping passwd and group files into a docker.

-v /etc/docker/passwd:/etc/passwd:ro -v /etc/docker/group:/etc/group:ro

另一个想法是映射运行--user拥有的tmp目录，并在docker工作完成时将文件复制到最终位置

The other idea is to map a tmp directory owned by running --user and when docker's work is complete copy files to a final location

 TMPFILE=`mktemp`; docker run -v $TMPFILE:/working_dir/ --user=$(id -u); cp $TMPDIR $NEWDIR

此讨论了解docker中的用户文件所有权:如何避免更改链接卷的权限使我的问题有所启发.

This discussion Understanding user file ownership in docker: how to avoid changing permissions of linked volumes brings some light to my question.

这篇关于带有'-user'的Docker无法写入具有不同所有权的卷的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！