Docker卷-需要权限才能写入数据库 [英] Docker volume - need permissions to write to database
问题描述
我正在使用Flask服务器(在python 3.5的virtualenv中)用作REST API(仅用于烧瓶建议的开发)。首先,它连接到本地sqlite数据库,并将尽快提交所有数据库更改。现在,我想在docker容器中运行所有内容,而我想知道如何访问数据库,因为sqlite文件位于容器中。
I'm working on a flask server (in a virtualenv with python 3.5) which is used as a REST API (only for development as suggested for flask). In the beginning it connects to a local sqlite database and it will commit any db changes as soon as possible. Now I wanted to run everything in a docker container and I was wondering how I can access the database because the sqlite file is located in the container.
所以我创建了一个卷在指向该应用程序的dockerfile的docker-compose文件中。
So I created a volume in a docker-compose file which points to the dockerfile building the application.
Dockerfile:
Dockerfile:
FROM python:latest
ENV HOME /home/parkrep
WORKDIR $HOME
ADD requirements.txt $HOME/requirements.txt
RUN pip install -r requirements.txt
ADD . $HOME
EXPOSE 80
CMD ["python", "server.py"]
.dockerignore
.dockerignore
__pycache__
venv
.gitignore
.dockerignore
README.md
Dockerfile
docker-compose.yml
docker-compose .yml
docker-compose.yml
version: '2'
services:
parkrep:
build:
context: ./
dockerfile: Dockerfile
volumes:
- ./output:/home/parkrep/output
command: ["python", "server.py"]
ports:
- "80:80"
如果我运行 docker-compose up 我得到以下内容
If I run docker-compose up I get the following
parkrep_1 | File "/home/parkrep/db_connector.py", line 45, in _connect_db
parkrep_1 | self._connection = sqlite3.connect(path, check_same_thread=False)
parkrep_1 | sqlite3.OperationalError: unable to open database file
parkrep_parkrep_1 exited with code 1
如果创建数据库output / reports.db并再次启动docker-compose,它返回以下错误:
If I create the database at output/reports.db and start docker-compose again, it returns the following error:
parkrep_1 | sqlite3.OperationalError: attempt to write a readonly database
因此,显然我没有写权限文件。我通过写入如下安装的测试文件来测试此行为:
So obviously I don't have permissions to write to the file. I tested this behavior by writing to a test file which is mounted like this:
...
volumes:
- ./output:/home/parkrep/output
- ./test.txt:/home/parkrep/text.txt
command: bash -c "echo 'hallo' > test.txt"
错误消息:
parkrep_1 | bash: text.txt: Permission denied
让我们看看谁拥有此文件:
Let's see who owns this file:
parkrep_1 | drwxr-xr-x 7 root root 4.0K Dec 19 10:45 .
parkrep_1 | -rw-rw-r-- 1 root root 143 Dec 12 15:08 config.yaml
parkrep_1 | -rw-rw-r-- 1 root root 7.9K Dec 12 14:37 db_connector.py
parkrep_1 | drwxrwxr-x 2 4262 4262 4.0K Dec 19 11:10 output
parkrep_1 | -rw-rw-r-- 1 root root 144 Dec 12 13:20 requirements.txt
parkrep_1 | -rw-rw-r-- 1 root root 2.7K Dec 19 10:14 server.py
parkrep_1 | -rw-rw-r-- 1 4262 4262 2.7K Dec 19 10:14 test.txt
事实证明,容器中没有用户4262,但是在主机上,我的用户帐户具有此ID。所以我想我知道问题出在哪里,但是我不知道如何访问这些文件。我曾尝试在卷定义中添加:rw,但我仍然没有写权限。我如何告诉docker如果定义了卷,则不要更改文件/目录所有者。
It turns out that there is no user 4262 in the container but on the host machine my user account has this id. So I think I know what the problem is now, but I have no clue how to get access to these files. I tried adding ":rw" to the volume definitions but I still don't have write permissions. How can I tell docker to not change the file/directory owner if a volume is defined.
我正在考虑本地卷驱动程序有问题,但也许有人否则已经有这个问题,可以告诉我如何配置我的图像以获取所需的权限。
I'm thinking of a problem with my local volume driver, but maybe someone else already had this problem and can tell me how to configure my image to get the required permissions.
问候,
托马斯
Greetings, Thomas
docker info
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 19
Server Version: 1.12.5
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 19
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: host bridge null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-53-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.56 GiB
Name: de3lxd-107769
ID: PU5F:LZ55:EEK7:W3R7:SYR3:336J:2VRH:35H2:MTLY:6Q6L:BWBP:EM5R
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8
docker-compose -v
docker-compose version 1.9.0, build 2585387
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
推荐答案
修补程序
我通过向所有人授予作者许可来解决此问题。
Hot fix
I fixed the problem by giving writer permission to everyone.
mkdir output
touch output/reports.db output/database.log
chmod a+rw output output/*
这将赋予主机上的用户和docker计算机上的root用户权限,无论谁拥有文件。这只是一个肮脏的解决方法,因为我必须快点。任何进程都可以访问和编辑/删除文件。最好是只有docker用户获得写权限,但我不能向主机上的root用户授予写权限。
This will give the user on the host machine and the root user in the docker machine permissions, no matter who owns the files. This is just a dirty fix, because I had to hurry up. Any process could access the and edit/delete the files. It would be better If only the docker user get's writing permission, but I couldn't give writer permission to the root user on the host machine.
在此帖子中,他们正在使用其他用户(www-data)在容器中。构建映像后,他们将获得用户的ID,并使用此ID替换当前的文件所有者。如果您以该用户(www-data)的身份启动容器,则挂载将复制具有权限和所有者信息的文件,以便用户可以读写这些文件。
In this post they're using another user (www-data) in the container. After building the image they get the id of the user and replace the current file owner with this id. If you start the container as this user (www-data), the mount will copy the files with permissions and owner information, so the user can read and write to these files.
这将是一种更安全的方法,因为您确保只有docker用户才能更改数据库/文件。因为我无法为我完成此工作(似乎不适用于id = 0的root用户),但我想指出,有更好的解决方案。
It would be a more secure way because you make sure that only the docker user can change the database/files. Because I couldn't make this work for me (seems to not work for root user with id=0), but I wanted to point out, that there is a better solution.
如果仅在Docker停止运行后才需要数据,则可以查看 docker cp 。
If you only need the data in the end after the docker stopped you might have a look at docker cp.
这篇关于Docker卷-需要权限才能写入数据库的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
