带有'-user'的Docker无法写入具有不同所有权的卷 [英] Docker with '--user' can not write to volume with different ownership
问题描述
为了使docker正常工作,我在各种权限组合方面都做了很多工作,但是...首先,我的环境是:
I've played a lot with any rights combinations to make docker to work, but... at first my environment:
Ubuntu Linux 15.04和Docker版本1.5.0,构建a8a31ef.
Ubuntu linux 15.04 and Docker version 1.5.0, build a8a31ef.
我有一个目录'/test/dockervolume',组用户中有两个用户user1和user2
I have a directory '/test/dockervolume' and two users user1 and user2 in a group users
chown user1.users /test/dockervolume
chmod 775 /test/dockervolume
ls -la
drwxrwxr-x 2 user1 users 4096 Oct 11 11:57 dockervolume
user1和user2都可以在此目录中写入删除文件.我使用标准的docker ubuntu:15.04映像.用户1的ID为1000,用户2的ID为1002.
Either user1 and user2 can write delete files in this directory. I use standard docker ubuntu:15.04 image. user1 has id 1000 and user2 has id 1002.
我用下一条命令运行docker:
I run docker with next command:
docker run -it --volume=/test/dcokervolume:/tmp/job_output --user=1000 --workdir=/tmp/job_output ubuntu:15.04
在docker内部,我只是执行简单的触摸测试",它适用于ID为1000的user1.当我以--user 1002运行docker时,我无法写入该目录:
Within docker I just do simple 'touch test' and it works for user1 with id 1000. When I run docker with --user 1002 I can't write to that directory:
I have no name!@6c5e03f4b3a3:/tmp/job_output$ touch test2
touch: cannot touch 'test2': Permission denied
I have no name!@6c5e03f4b3a3:/tmp/job_output$
请注意,如果不在docker中,则两个用户都可以写入该目录.
Just to be clear both users can write to that directory if not in docker.
所以我的问题是docker设计的这种行为,还是一个错误,或者我错过了手册中的某些内容?
So my question is this behavior by docker design or it is a bug or I missed something in the manual?
推荐答案
docker的--user参数仅更改id,而不更改docker中的组id.因此,在docker中,我有:
docker's --user parameter changes just id not a group id within a docker. So, within a docker I have:
id
uid=1002 gid=0(root) groups=0(root)
它与原始系统中的组= 1000(用户)的情况不同
and it is not like in original system where I have groups=1000(users)
因此,一种解决方法可能是将passwd和组文件映射到docker中.
So, one workaround might be mapping passwd and group files into a docker.
-v /etc/docker/passwd:/etc/passwd:ro -v /etc/docker/group:/etc/group:ro
另一个想法是映射运行--user拥有的tmp目录,并在docker工作完成时将文件复制到最终位置
The other idea is to map a tmp directory owned by running --user and when docker's work is complete copy files to a final location
TMPFILE=`mktemp`; docker run -v $TMPFILE:/working_dir/ --user=$(id -u); cp $TMPDIR $NEWDIR
此讨论了解docker中的用户文件所有权:如何避免更改链接卷的权限使我的问题有所启发.
This discussion Understanding user file ownership in docker: how to avoid changing permissions of linked volumes brings some light to my question.
这篇关于带有'-user'的Docker无法写入具有不同所有权的卷的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!