Docker userns-remap无法写入已挂载目录 [英] Docker userns-remap cannot write to mounted directory

问题描述

我正在尝试使用Docker的 userns-remap 功能来创建容器中以root用户身份存储的文件，并在主机上以test用户身份拥有此文件的所有者.

I am trying out the userns-remap feature of Docker to create a file inside a container as root user and have the owner of this file as test user on the host.

我已将以下内容添加到/etc/docker/daemon.json

I've added the following to the /etc/docker/daemon.json

{
  "userns-remap": "test:test"
}

重新映射似乎是根据守护程序日志进行的

The remapping seems to have taken place based on the daemon logs

User namespaces: ID ranges will be mapped to subuid/subgid ranges of: test:test

以及条目test:100000:65536和test:100000:65536已分别添加到/etc/subuid和/etc/subgid/文件中.

and the entries test:100000:65536 and test:100000:65536 have been added to /etc/subuid and /etc/subgid/ files, respectively.

但是当我启动一个容器并尝试在工作目录中创建文件时，它会失败

But when I start a container and try to create a file in the working dir, it fails

test@box:~$ docker run -v /home/test/tmp:/somedir -w /somedir -it ubuntu:16.04 /bin/bash
root@11ff6c42ffe1:/somedir# touch file.txt
touch: cannot touch 'file.txt': Permission denied

root@11ff6c42ffe1:/somedir# ls -l
total 0
-rw-rw-r-- 1 nobody nogroup 0 Mar 23 21:39 already_existing_file.txt

root@11ff6c42ffe1:/somedir# id root
uid=0(root) gid=0(root) groups=0(root)

root@11ff6c42ffe1:/somedir# touch /file.txt

在其他未从主机挂载的目录中创建文件，按预期进行.

Creating the file in some other directory that is not mounted from the host works as expected.

此外，如果将777权限授予安装的目录(在本例中为主机上的/home/test/tmp )，则可以从容器内部成功创建文件.但是，新创建的文件在主机上具有以下权限:

Also, if 777 permission is granted to the mounted directory, in this case /home/test/tmp on the host, file can be created successfully from inside the container. However, the newly created file has the following permissions on the host:

ls -l /home/test/tmp
total 0
-rw-r--r-- 1 165536 165536 0 march 29 01:36 file.txt 

ID为165536的用户不存在于/etc/passwd中，这使我们重新开始.我希望容器内的 root 用户与主机上的 test 用户具有相同的权限，并且希望 root 用户创建的文件容器中的主机具有使用userns-remap映射的主机，即 test .

User with id 165536 is not present in the /etc/passwd which brings us back to the start. I would expect that the root user inside the container has the same permissions as the test user on the host and that the files created by root user in the container have the owner on the host that is mapped using userns-remap, i.e. test.

在文档那个

...如果从主机装入卷，则文件所有权必须为 预先安排需要读取或写入卷内容.

...if volumes are mounted from the host, file ownership must be pre-arranged need read or write access to the volume contents.

...一个值得注意的限制是无法使用mknod命令. 运行时拒绝在容器内创建设备的权限 由root用户.

... One notable restriction is the inability to use the mknod command. Permission is denied for device creation within the container when run by the root user.

这是否意味着容器中的 root 用户无法在已安装目录中创建文件/目录，即使已安装目录的所有者是 root 所映射的用户可以使用userns-remap，在这种情况下为 test ?

Does this mean that root user inside the container cannot create files/directories inside the mounted directory, even though the owner of the mounted directory is the user that root maps to using userns-remap, in this case test?

有什么想法可以使用户也可以在容器内写入工作目录?

Any ideas how to make the working directory also writable by the user inside the container?

Docker版本:18.03.0
Ubuntu版本:16.04.1
内核版本:通用4.13.0-36

Docker version: 18.03.0
Ubuntu version: 16.04.1
Kernel version: 4.13.0-36-generic

复制步骤

sudo adduser test
sudo usermod -aG docker test
sudo echo '{ "userns-remap": "test"}' >> /etc/docker/daemon.json
service docker restart
su - test
mkdir tmp
docker run -v /home/test/tmp:/somedir ubuntu:16.04 touch /somedir/file.txt

这里有一些类似的问题，但并不完全相同，因为我想在不修改Dockerfile的情况下完成这项工作:

Here are some similar questions, but not quite the same, as I would like to make this work without modifying the Dockerfile:

• Docker和- -userns-remap，如何管理在主机和容器之间共享数据的卷权限? >
• docker non-root bind-mount许可，WITH- -userns-remap
• 可以我可以控制docker映像中绑定安装的卷的所有者吗?
• Docker可以'除非具有777权限，否则请写入使用-v挂载的目录

• Docker and --userns-remap, how to manage volume permissions to share data between host and container? - exactly what is asked in this question, too, but there was no answer for 2 years, so keeping this question open
• docker non-root bind-mount permissions, WITH --userns-remap
• Can I control the owner of a bind-mounted volume in a docker image?
• Docker can't write to directory mounted using -v unless it has 777 permissions

推荐答案

回答您的问题，最好的方法是使用docker引擎的用户名称空间"功能.

to answer your question, the best way is to use 'user namespace' feature of the docker engine.

这是使用方法的示例. 假设您的主机用户是ID为3000

here's an example of how to use. let's say your host user is myuser with id 3000

将myuser:3000:65536添加到您的/etc/subuid 和/etc/subgid 文件

使用以下命令更新您的/etc/docker/daemon.json:

update your /etc/docker/daemon.json with this:

{
  "userns-remap": "myuser"
} 

别忘了重启您的docker引擎:)

don't forget to restart your docker engine :)

就是这样，属于您的myuser本地帐户的所有文件都将属于ID 0是您的容器，相反的情况也是如此.

and that's it , all files belonging to your myuser local account will belong to id 0 is your container and the opposite will true as well.

这应该可以帮助您解决问题.

This should help you fix your issue.

让我知道

这篇关于Docker userns-remap无法写入已挂载目录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！