Docker: file permissions with --volume bind mount


Question

I'm following the guidelines from: https://denibertovic.com/posts/handling-permissions-with-docker-volumes/ to setup a --volume bind mount in my container and creating a user in the guest container with the same UID as my host user - the theory being that my container user should be able to access the mount. It's not working for me and I'm looking for some pointers to try next.

更多背景信息:

My Dockerfile starts from an alpine base and adds python dev packages. It copies across an entrypoint.sh script per guidelines from denibertovic. It then jumps to the entrypoint.sh script.

FROM alpine

RUN apk update
RUN apk add bash
RUN apk add python3
RUN apk add python3-dev
RUN apk add su-exec

COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x  /usr/local/bin/entrypoint.sh

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

The entrypoint.sh script adds a user to the container with the UID passed in as an environment variable.

#!/bin/bash

# Add local user
# Either use the LOCAL_USER_ID if passed in at runtime or
# fallback

USER_ID=${LOCAL_USER_ID:-9001}

echo "Starting with UID : $USER_ID"
adduser -s /bin/bash -u $USER_ID -H -D user
export HOME=/home/user

su-exec user "$@"

The container builds no problem. I then run it with the following command line:

sudo docker run -it -e LOCAL_USER_ID=`id -u` -v `realpath ../..`:/ws django-runtime /bin/bash

You'll see that I'm passing in my host UID to be mapped to the container user's UID and I'm asking for a volume bind mount from my local working directory to the /ws mountpoint in the container.

From the bash shell inside the container I can see that /ws is owned by the 'user' UID matching my own 'id'. However, when I go to list the contents of /ws I get a Permission Denied error as follows:

[dleclair@localhost runtime]$ sudo docker run -it -e LOCAL_USER_ID=`id -u` -v `realpath ../..`:/ws django-runtime /bin/bash
[sudo] password for dleclair:
Starting with UID : 1000
bash-5.0$ id
uid=1000(user) gid=1000(user) groups=1000(user)
bash-5.0$ ls -la .
total 0
drwxr-xr-x    1 root     root            27 Feb  8 09:15 .
drwxr-xr-x    1 root     root            27 Feb  8 09:15 ..
-rwxr-xr-x    1 root     root             0 Feb  8 09:15 .dockerenv
drwxr-xr-x    1 root     root            18 Feb  8 07:44 bin
drwxr-xr-x    5 root     root           360 Feb  8 09:15 dev
drwxr-xr-x    1 root     root            91 Feb  8 09:15 etc
drwxr-xr-x    2 root     root             6 Jan 16 21:52 home
drwxr-xr-x    1 root     root            17 Jan 16 21:52 lib
drwxr-xr-x    5 root     root            44 Jan 16 21:52 media
drwxr-xr-x    2 root     root             6 Jan 16 21:52 mnt
drwxr-xr-x    2 root     root             6 Jan 16 21:52 opt
dr-xr-xr-x  119 root     root             0 Feb  8 09:15 proc
drwx------    2 root     root             6 Jan 16 21:52 root
drwxr-xr-x    1 root     root            21 Feb  8 07:44 run
drwxr-xr-x    1 root     root            21 Feb  8 08:22 sbin
drwxr-xr-x    2 root     root             6 Jan 16 21:52 srv
dr-xr-xr-x   13 root     root             0 Feb  8 01:58 sys
drwxrwxrwt    2 root     root             6 Jan 16 21:52 tmp
drwxr-xr-x    1 root     root            19 Feb  8 07:44 usr
drwxr-xr-x    1 root     root            19 Jan 16 21:52 var
drwxrwxr-x    5 user     user           111 Feb  8 02:15 ws
bash-5.0$
bash-5.0$
bash-5.0$ cd /ws
bash-5.0$ ls -la
ls: can't open '.': Permission denied
total 0
bash-5.0$

Appreciate any pointers anyone can offer. Thanks!

Recommended answer

After more searching I found the answer to my problem here: Permission denied on accessing host directory in Docker and here: http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/.

In short, the problem was with the SELinux default labels for the volume mount blocking access to the mounted files. The solution was to add a ':Z' trailer to the -v command line argument to force docker to set the appropriate flags against the mounted files to allow access.

The command line thus becomes:

sudo docker run -it -e LOCAL_USER_ID=`id -u` -v `realpath ../..`:/ws:Z django-runtime /bin/bash

Works like a charm.
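The fix above relies on Docker relabelling the host directory: ':Z' runs the equivalent of a recursive chcon on the bind-mounted path and gives it a label private to that one container (':z' would give it a shared label usable by several containers). Because the relabel changes the host files' SELinux context, pointing ':Z' at a system directory such as /home, /usr or / changes contexts the host itself depends on. The wrapper below is an added example, not code from the question or the answer: it passes the host UID into LOCAL_USER_ID as the entrypoint expects, adds ':Z' only when SELinux reports Enforcing or Permissive, and refuses to relabel well-known system directories. The image name django-runtime and the /ws mount point are taken from the page; the function names and the list of protected directories are this example's own choices.

```shell
#!/bin/sh
# Added example: build the `docker run` line from the answer, adding the
# ':Z' SELinux label only when needed and never on a host system directory.

# Report the SELinux mode (Enforcing, Permissive or Disabled).
# Uses getenforce when installed; a host without it is treated as Disabled.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo Disabled
    fi
}

# ':Z' relabels the host directory recursively. Refuse the root of the
# filesystem, the top-level system directories, and anything under the
# directories that hold host binaries, libraries and configuration.
# Returns 0 when the path may be relabelled, 1 otherwise.
# (The list is this example's assumption, not a Docker-defined set.)
safe_to_relabel() {
    case "$1" in
        /|/bin|/boot|/dev|/etc|/home|/lib|/lib64|/proc|/root|/run|/sbin|/sys|/tmp|/usr|/var)
            return 1 ;;
        /bin/*|/boot/*|/etc/*|/lib/*|/lib64/*|/proc/*|/root/*|/sbin/*|/sys/*|/usr/*)
            return 1 ;;
    esac
    return 0
}

# Print the -v argument for HOST_DIR mounted at MOUNT_POINT.
# The SELinux mode is passed as the third argument so the decision can be
# exercised without SELinux present.
volume_arg() {
    host_dir=$1; mount_point=$2; mode=$3
    case "$mode" in
        Enforcing|Permissive)
            safe_to_relabel "$host_dir" || {
                echo "refusing to relabel system directory $host_dir" >&2
                return 1
            }
            printf '%s:%s:Z\n' "$host_dir" "$mount_point" ;;
        *)
            printf '%s:%s\n' "$host_dir" "$mount_point" ;;
    esac
}

# Print the full docker run command: HOST_DIR is mounted at /ws and the
# host UID is handed to the entrypoint through LOCAL_USER_ID.
run_command() {
    host_dir=$1; image=$2; cmd=$3
    vol=$(volume_arg "$host_dir" /ws "$(selinux_mode)") || return 1
    printf 'docker run -it -e LOCAL_USER_ID=%s -v %s %s %s\n' \
        "$(id -u)" "$vol" "$image" "$cmd"
}

# Usage: ./run.sh /path/to/project django-runtime [/bin/bash]
if [ "$#" -ge 2 ]; then
    run_command "$1" "$2" "${3:-/bin/bash}"
fi
```

Run the printed command with sudo as in the answer, or drop the sudo if the host user is in the docker group. The mode is passed into volume_arg rather than read inside it so that the ':Z' decision can be checked on a machine without SELinux; on an SELinux host you can confirm the relabel afterwards with `ls -Z` on the project directory.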
