Docker, mount volumes as readonly

Problem description

I am working with Docker, and I want to mount a dynamic folder that changes a lot (so I would not have to make a Docker image for each execution, which would be too costly), but I want that folder to be read-only. Changing the folder owner to someone else works. However, chown requires root access, which I would prefer not to expose to an application.

When I use the -v flag to mount, it gives whatever username I give. I created a non-root user inside the Docker image; however, all the files in the volume, whose owner is the user that ran docker, change to the user I give from the command line, so I cannot make read-only files and folders. How can I prevent this?

I also added mustafa ALL=(docker) NOPASSWD: /usr/bin/docker, so I could change to another user via terminal, but still, the files have permissions for my user.

Recommended answer

You can specify that a volume should be read-only by appending :ro to the -v switch:

docker run -v volume-name:/path/in/container:ro my/image

Note that the folder is then read-only in the container and read-write on the host.

According to the Use volumes documentation, there is now another way to mount volumes by using the --mount switch. Here is how to utilize that with read-only:

$ docker run --mount source=volume-name,destination=/path/in/container,readonly my/image


docker-compose


Here is an example of how to specify read-only containers in docker-compose:

version: "3"
services:
  redis:
    image: redis:alpine
    read_only: true
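
An added example, not part of the original answer: a check that the paths you expect to be read-only really are, based on `docker inspect` output. A `:ro` or `readonly` mount shows up as `"RW": false` in the `Mounts` list, while compose `read_only: true` sets `HostConfig.ReadonlyRootfs`, which covers the container's root filesystem. The sample JSON, the `/cache` and `/data` paths and the `audit_container` helper are constructed for illustration.

```python
import json

# Constructed sample, shaped like `docker inspect <container>` output.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/app",
  "HostConfig": {"ReadonlyRootfs": false},
  "Mounts": [
    {"Type": "volume", "Name": "volume-name",
     "Source": "/var/lib/docker/volumes/volume-name/_data",
     "Destination": "/path/in/container", "Mode": "ro", "RW": false},
    {"Type": "bind", "Source": "/srv/cache",
     "Destination": "/cache", "Mode": "", "RW": true}
  ]
}]
""")


def audit_container(entry, must_be_readonly):
    """Check one `docker inspect` entry against paths expected to be read-only.

    Returns a dict with the paths that are read-only, writable, or not
    mounted at all, plus whether the container root filesystem is read-only.
    """
    mounts = {m["Destination"]: m for m in entry.get("Mounts", [])}
    report = {"read_only": [], "writable": [], "missing": []}
    for path in must_be_readonly:
        mount = mounts.get(path)
        if mount is None:
            report["missing"].append(path)
        # Treat an absent RW field as writable: fail closed.
        elif mount.get("RW", True):
            report["writable"].append(path)
        else:
            report["read_only"].append(path)
    # read_only: true in compose (or --read-only) is a separate setting that
    # covers the container's root filesystem, not the mounted volumes.
    report["readonly_rootfs"] = bool(
        entry.get("HostConfig", {}).get("ReadonlyRootfs", False))
    return report


if __name__ == "__main__":
    expected = ["/path/in/container", "/cache", "/data"]
    print(json.dumps(audit_container(SAMPLE_INSPECT[0], expected), indent=2))
```

On a live host, feed it `json.loads` of the output of `docker inspect <container>` instead of the sample.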
