Mount non-existing host directory into non-root container


Problem description

Let's say I have a container running with a non-root user and I want to bind-mount a volume directory from the host into that container. The container then will write to that directory. Say, the directory on the host is /tmp/container/data. If that path does not exist on the host, I observe that it gets created (by docker) with ownership root. As a consequence the container is not able to write anything into that directory (access denied) because my container is not running with user root.

Of course I can take care of creating the /tmp/container/data directory with correct permissions on the host side before starting the container, but this solution obviously does not scale - I will have to do it for each and every container where I want to use a bind volume from the host for which the directory does not exist.

So my question is, what's the best way to use bind-volumes from the host for directories that do not yet exist while still letting a non-root container have write access to the volume.

Recommended answer

You accurately described the normal behavior of docker, non-existent bind mounts from the docker engine will get initialized to an empty directory owned by root. Note that this doesn't happen with swarm mode, it will fail to schedule the container on the host instead.

Options to use to avoid this include:

  • Using named volumes. These get initialized to the directory permissions in the image at that location. This is as easy as changing the full path on the host to a short name of the volume.
  • Run the container as root, and make the entrypoint fix the permissions and drop to the user before launching the application. Something similar to this is done in a jenkins-docker project I threw out on github recently.
  • Include a script in the container with permissions setuid-root which performs the chown of the directory.
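The second option above (start as root, repair the bind mount's ownership, then drop to the application user) as an added example; this is not code from the answer or from the jenkins-docker project. It assumes the env names DATA_DIR, APP_UID and APP_GID and that `su-exec` (or an equivalent such as `gosu`) is installed in the image.

```shell
#!/bin/sh
# Entrypoint: runs as root only long enough to fix the bind mount, then execs the app
# as the unprivileged user. DATA_DIR/APP_UID/APP_GID and su-exec are assumptions.
set -eu

# Create DIR if missing and make it owned by UID:GID. Only the top-level
# directory is chowned (no -R): a recursive chown over a host bind mount can
# rewrite ownership of far more than the application's own files.
fix_volume_perms() {
  dir="$1"; uid="$2"; gid="$3"
  [ -d "$dir" ] || mkdir -p "$dir"
  # stat -c works with GNU coreutils and busybox (typical container images).
  cur_uid=$(stat -c '%u' "$dir")
  cur_gid=$(stat -c '%g' "$dir")
  if [ "$cur_uid" != "$uid" ] || [ "$cur_gid" != "$gid" ]; then
    chown "$uid:$gid" "$dir"
  fi
}

# Report the owner as "uid:gid" so the result can be verified.
owner_of() { stat -c '%u:%g' "$1"; }

main() {
  data_dir="${DATA_DIR:-/data}"
  app_uid="${APP_UID:-1000}"
  app_gid="${APP_GID:-1000}"
  if [ "$(id -u)" = "0" ]; then
    fix_volume_perms "$data_dir" "$app_uid" "$app_gid"
    # exec so the app becomes PID 1 and receives signals directly.
    exec su-exec "$app_uid:$app_gid" "$@"
  fi
  # Already unprivileged (e.g. started with --user): nothing to fix, just run.
  exec "$@"
}

# With ENTRYPOINT ["/entrypoint.sh"] and CMD ["myapp"] the command arrives in "$@".
if [ "$#" -gt 0 ]; then main "$@"; fi
```

When the container is started with `--user` the script skips the chown, so the image still works with named volumes or with directories that were pre-created on the host.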
