Docker与'--user'不能写入不同所有权的卷 [英] Docker with '--user' can not write to volume with different ownership
问题描述
我已经玩了很多任何权利组合,使码头工作,但...起初我的环境:
Ubuntu linux 15.04和Docker版本1.5 .0,建立a8a31ef。
我有一个目录'/ test / dockervolume',一组用户中有两个用户user1和user2
chown user1.users / test / dockervolume
chmod 775 / test / dockervolume
ls -la
drwxrwxr-x 2 user1 users 4096 Oct 11 11:57 dockervolume
user1和user2可以在此目录中写入删除文件。
我使用标准的docker ubuntu:15.04图像。 user1的id为1000,user2为id 1002。
我运行docker与下一个命令:
docker run -it --volume = / test / dcokervolume:/ tmp / job_output --user = 1000 --workdir = / tmp / job_output ubuntu:15.04
在Docker中,我只是做简单的'touch test',它适用于id为1000的user1。当我使用--user 1002运行docker时,我不能写入该目录:
我没有名字!@ 6c5e03f4b3a3:/ tmp / job_output $ touch test2
touch:不能触摸'test2':Permission denied
我没有名字!@ 6c5e03f4b3a3:/ tmp / job_output $
只要清楚两个用户都可以写入该目录,如果不在docker中。
所以我的问题是这个Docker设计的行为,或者是一个bug或我错过了手册中的某些内容?
解决方案docker的--user参数只是在docker中更改id不是组ID。所以,在码头中我有:
id
uid = 1002 gid = 0(root)groups = 0 root)
它不像原来的系统中我有group = 1000(users)
所以,一个解决方法可能是将passwd和组文件映射到码头服务器。
-v / etc / docker / passwd:/ etc / passwd:ro -v / etc / docker / group:/ etc / group:ro
另一个想法是映射一个运行-user所拥有的tmp目录,当docker的工作完成后,将文件复制到最终位置
TMPFILE =`mktemp`; docker运行-v $ TMPFILE:/ working_dir / --user = $(id -u); cp $ TMPDIR $ NEWDIR
这个讨论了解docker中的用户文件所有权:如何避免更改链接卷的权限
I've played a lot with any rights combinations to make docker to work, but... at first my environment:
Ubuntu linux 15.04 and Docker version 1.5.0, build a8a31ef.
I have a directory '/test/dockervolume' and two users user1 and user2 in a group users
chown user1.users /test/dockervolume chmod 775 /test/dockervolume ls -la drwxrwxr-x 2 user1 users 4096 Oct 11 11:57 dockervolume
Either user1 and user2 can write delete files in this directory. I use standard docker ubuntu:15.04 image. user1 has id 1000 and user2 has id 1002.
I run docker with next command:
docker run -it --volume=/test/dcokervolume:/tmp/job_output --user=1000 --workdir=/tmp/job_output ubuntu:15.04
Within docker I just do simple 'touch test' and it works for user1 with id 1000. When I run docker with --user 1002 I can't write to that directory:
I have no name!@6c5e03f4b3a3:/tmp/job_output$ touch test2 touch: cannot touch 'test2': Permission denied I have no name!@6c5e03f4b3a3:/tmp/job_output$
Just to be clear both users can write to that directory if not in docker.
So my question is this behavior by docker design or it is a bug or I missed something in the manual?
解决方案docker's --user parameter changes just id not a group id within a docker. So, within a docker I have:
id uid=1002 gid=0(root) groups=0(root)
and it is not like in original system where I have groups=1000(users)
So, one workaround might be mapping passwd and group files into a docker.
-v /etc/docker/passwd:/etc/passwd:ro -v /etc/docker/group:/etc/group:ro
The other idea is to map a tmp directory owned by running --user and when docker's work is complete copy files to a final location
TMPFILE=`mktemp`; docker run -v $TMPFILE:/working_dir/ --user=$(id -u); cp $TMPDIR $NEWDIR
This discussion Understanding user file ownership in docker: how to avoid changing permissions of linked volumes brings some light to my question.
这篇关于Docker与'--user'不能写入不同所有权的卷的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!