sonatype nexus docker volume error

Problem description

I'm trying to install sonatype-nexus using docker and want to share the docker /opt/sonatype-work nexus repo with the host machine (linux ubuntu 14.04) at /opt/nexus.

My Dockerfile:

FROM centos:6

MAINTAINER Marcel Birkner <marcel.birkner@codecentric.de>

USER root
# Update the system
RUN yum -y update; \
    yum clean all

##########################################################
# Install Java JDK, SSH and other useful cmdline utilities
##########################################################
RUN yum -y install java-1.7.0-openjdk-devel \
    which \
    telnet \
    unzip \
    openssh-server \
    sudo \
    openssh-clients \
    iputils \
    iproute \
    httpd-tools \
    wget \
    tar; \
    yum clean all
ENV JAVA_HOME /usr/lib/jvm/jre

##########################################################
# Install Nexus
##########################################################
RUN mkdir -p /opt/sonatype-nexus /opt/sonatype-work
RUN wget -O /tmp/nexus-latest-bundle.tar.gz http://www.sonatype.org/downloads/nexus-latest-bundle.tar.gz
RUN tar xzvf /tmp/nexus-latest-bundle.tar.gz -C /opt/sonatype-nexus --strip-components=1
RUN useradd --user-group --system --home-dir /opt/sonatype-nexus nexus

ADD nexus.xml /opt/sonatype-work/nexus/conf/nexus.xml

RUN chown -R nexus:nexus /opt/sonatype-work /opt/sonatype-nexus

ENV NEXUS_WEBAPP_CONTEXT_PATH /nexus
RUN echo "#!/bin/bash" > /opt/start-nexus.sh
RUN echo "su -c \"/opt/sonatype-nexus/bin/nexus console\" - nexus" >> /opt/start-nexus.sh
RUN chmod +x /opt/start-nexus.sh
VOLUME /opt/sonatype-work
CMD ["/opt/start-nexus.sh"]
EXPOSE 8081

When I build this image (the build succeeds):

docker build -t sonatype/nexus .

Then I run it with this command:

docker run -d -p 8081:8081 --name nexus -v /opt/nexus:/opt/sonatype-work sonatype/nexus

It started and stopped immediately. Error shown (docker logs nexus):

nexus_1 | jvm 1    | Caused by: java.nio.file.AccessDeniedException: /opt/sonatype-work/nexus
nexus_1 | jvm 1    |    at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84) ~[na:1.7.0_99]
nexus_1 | jvm 1    |    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) ~[na:1.7.0_99]
nexus_1 | jvm 1    |    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) ~[na:1.7.0_99]
nexus_1 | jvm 1    |    at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:383) ~[na:1.7.0_99]
nexus_1 | jvm 1    |    at java.nio.file.Files.createDirectory(Files.java:630) ~[na:1.7.0_99]
nexus_1 | jvm 1    |    at java.nio.file.Files.createAndCheckIsDirectory(Files.java:734) ~[na:1.7.0_99]
nexus_1 | jvm 1    |    at java.nio.file.Files.createDirectories(Files.java:720) ~[na:1.7.0_99]
nexus_1 | jvm 1    |    at org.sonatype.nexus.util.file.DirSupport.mkdir(DirSupport.java:146) ~[na:na]
nexus_1 | jvm 1    |    at org.sonatype.nexus.util.file.DirSupport.mkdir(DirSupport.java:162) ~[na:na]
nexus_1 | jvm 1    |    at org.sonatype.nexus.webapp.WebappBootstrap.contextInitialized(WebappBootstrap.java:115) ~[na:na]
nexus_1 | jvm 1    |    ... 16 common frames omitted
nexus_1 | wrapper  | <-- Wrapper Stopped

And if I remove VOLUME /opt/sonatype-nexus from the Dockerfile, it works fine.

Do you have any idea what might have caused this problem, and how to fix it?

Solution

If you bind-mount a host directory in a container, the files and directories in the host directory take precedence and are mounted over the files already present inside the container's image. In other words, they "mask" what's underneath in the container.

Bind-mounts keep the permissions of the directory that's present on the host, and if no directory is present on the host, Docker creates it, using root:root as owner.

Looking at the useradd nexus in your Dockerfile, I suspect that start-nexus.sh runs nexus with that user, so it may not have permissions on the bind-mounted directory (which is owned by root). You can fix this by chowning the directory to the numeric uid/gid of nexus inside the container.

To get the uid / gid of that user, start the container interactively;

docker run -it --rm sonatype/nexus bash

And inside that shell request the uid/gid:

id nexus

Which gives you something like:

uid=123(nexus) gid=456(nexus) groups=456(nexus)

Now exit the container (exit), and chown the directory on the host, using the uid/gid;

sudo chown -R 123:456 /opt/nexus

Some things I noticed

It looks like you're building your own custom version of the sonatype nexus image, but use the same name as the official image (sonatype/nexus). I'd recommend not doing that, and giving it your own name (e.g. mycompany/nexus); this prevents confusion, and also prevents your own image from being overwritten with the official image if someone runs docker pull sonatype/nexus.

Is there any reason for not using the official image? In general it's recommended to use the official images, as they are maintained by the maintainers of the software (sonatype in this case), so should give you an up-to-date (and maintained) version of the software; https://hub.docker.com/r/sonatype/nexus/
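
The answer's steps (look up the numeric uid/gid of nexus inside the image, then chown the host directory) combined into one preflight script. This is an added example, not part of the original answer; the image name mycompany/nexus, the IMAGE and HOST_DIR variables and the function names are assumptions, and it relies on GNU stat as found on Ubuntu.

```shell
#!/bin/sh
# Added example: preflight check for a bind-mounted data directory.
# IMAGE and HOST_DIR defaults are assumptions based on the question's commands.

# Extract "uid:gid" from the output of `id <user>`,
# e.g. "uid=123(nexus) gid=456(nexus) groups=456(nexus)" -> "123:456".
# Prints nothing when the input is not in that form (user not found).
parse_id_output() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9][0-9]*\)[^ ]* gid=\([0-9][0-9]*\).*/\1:\2/p'
}

# Numeric owner of a host path as "uid:gid" (GNU stat).
owner_of() {
    stat -c '%u:%g' "$1"
}

# Exit status 0 when the directory is NOT owned by the expected uid:gid,
# which is the state that produces the AccessDeniedException above.
needs_chown() {
    [ "$(owner_of "$1")" != "$2" ]
}

# Ask the image for the user's numeric ids without starting Nexus
# (the command given here replaces the image's CMD).
container_ids() {
    parse_id_output "$(docker run --rm "$1" id "$2")"
}

# Create the host directory if missing (Docker would create it as root:root),
# then chown it to the container user's ids only when they differ.
fix_bind_mount() {
    image=$1 user=$2 dir=$3
    ids=$(container_ids "$image" "$user") || return 1
    [ -n "$ids" ] || { echo "cannot resolve $user in $image" >&2; return 1; }
    sudo mkdir -p "$dir"
    if needs_chown "$dir" "$ids"; then
        sudo chown -R "$ids" "$dir"
    fi
    echo "$dir owner: $(owner_of "$dir") (wanted $ids)"
}

# Only act when asked to, so the functions can be sourced and checked offline.
if [ "${1:-}" = "--fix" ]; then
    fix_bind_mount "${IMAGE:-mycompany/nexus}" nexus "${HOST_DIR:-/opt/nexus}"
fi
```

Chowning to the exact numeric ids keeps the directory writable only by the container user, so there is no need to open it to all users with chmod.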
