为什么我在Docker容器内具有读取权限的文件上被拒绝了权限？ [英] why am I getting permission denied on file with read permissions inside Docker container?

问题描述

我有一个docker容器，该容器在用户帐户 go下运行GOCD服务器（java应用程序）。

I have a docker container which runs GOCD server (java app) under user account 'go' inside the container.

此容器将/ etc / hosts挂载为644 （对所有用户可读），但是'go'帐户似乎无法读取此文件。

this container mounts /etc/hosts as 644 (readable for all users) but 'go' account doesn't seem to be able to read this file.

这是证明：

[~] # docker -v
Docker version 1.10.2, build 0762ca4

# first enter the container as root and read the contents of 
# /etc/hosts
~] # docker exec  -it 0dac9bf0eab5 bash
  root@gocd:/# ls -la /etc/hosts
  -rw-r--r--+ 1 root root 164 Jun  2 22:03 /etc/hosts

    #no problem - file is readable
   root@gocd:/# cat /etc/hosts
   127.0.0.1    localhost
   ::1  localhost ip6-localhost ip6-loopback
   10.0.3.2 gocd
   root@gocd:/#

  # now change user to 'go'
   root@gocd:/# su - go -c bash
   go@gocd:/$ id
   uid=999(go) gid=999(go) groups=999(go)

   # check permissions - still 644
   go@gocd:/$ ls -la /etc/hosts
    -rw-r--r--+ 1 root root 164 Jun  2 22:03 /etc/hosts

   # but trying to read the file - causes error:
     go@gocd:/$ cat /etc/hosts
     cat: /etc/hosts: Permission denied

为什么会这样？

推荐答案

该问题与ACL权限有关，该权限将对/ etc / hosts和/etc/resolv.conf的READ访问限制为仅对根用户。

the issue is related to ACL permissions which restrict the READ access to /etc/hosts and /etc/resolv.conf only to the root.

在容器内以任何其他帐户运行的应用程序无法读取这些文件，这会导致网络堆栈问题。例如，需要将主机解析为ip的Java应用程序将获得UnknownHost异常。

in result, the application which is running under any other account inside the container, can't read these files and this causes issues with network stack. E.g java application which needs to resolve host to ip would get UnknownHost Exception.

如果使用ContainerStation创建容器，则QNAP系统中会发生此问题。在ContainerStation中显然没有设置可以更改此行为，但是可以使用以下命令来解决此问题，该命令已添加到容器中的启动脚本中：

The issue happens in QNAP system if the container is created with ContainerStation. There are apparently no settings in ContainerStation to change this behaviour but it is possible to fix with the following commands added to the startup script in the container:

# modify ACL so go user would have read access
# to /etc/hosts and /etc/resolv.conf
# this is to avoid HostUnknown exception which happends
# when the gocd container is used on QNAP with ContainerStation
setfacl -m user:${USER_ID}:r /etc/resolv.conf
setfacl -m user:${USER_ID}:r /etc/hosts

对于想要运行GOCD服务器的QNAP用户，我已经在docker hub上创建了一个docker容器此修复程序：

For users of QNAP who want to run GOCD server I have created a docker container on docker hub which already includes this fix:

https://hub.docker.com/r/rshestakov/docker-gocd-server/

这篇关于为什么我在Docker容器内具有读取权限的文件上被拒绝了权限？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！