尝试以非 root 用户身份从容器内部写入已安装的卷时出现问题 [英] Issue when trying to write to a mounted volume from inside a container as a non-root user

查看:57
本文介绍了尝试以非 root 用户身份从容器内部写入已安装的卷时出现问题的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用一个将运行 ZooKeeper 的容器,但我遇到了我安装到容器中的主机卷的权限问题.

I'm working with a container that will be running ZooKeeper but I'm running into issues with permissions on the host volumes that I mount into my container.

这是我的设置:

在主机 (Ubuntu 14.04) 上:

  • 创建了zookeeper"系统用户 (id=106) 和群组 (id=111).
  • 创建目录/var/log/zookeeper"并将其所有权设置为zookeeper(即chown zookeeper:zookeeper).这是我将安装到容器中的目录.

容器内部(Ubuntu 14.04):

  • 还创建了一个zookeeper"系统用户 (id=102) 和组 (id=105),我将其用作在 ENTRYPOINT 中执行命令的用户.
  • 创建将挂载到的同一目录/var/log/zookeeper",并将其所有权设置为 zookeeper:zookeeper(虽然我认为这并不重要).

一旦我使用/var/log/zookeeper 挂载启动了我的容器,并以 zookeeper 用户(在容器内创建)的身份在容器内打开了一个 shell,我发现我收到了权限被拒绝"" 如果我​​尝试在挂载目录/var/log/zookeeper 中创建文件,则会出错.当我执行ls -l"以查看此目录的所有权(仍在容器内)时,它看起来像这样:

Once I start up my container with the /var/log/zookeeper mount and I open up a shell inside of the container as the zookeeper user (that was created inside the container), I find that I get a "Permission Denied" error if I try to create a file in the mounted directory /var/log/zookeeper. When I do an "ls -l" to look at the ownership of this directory (still inside of the container) it looks something like this:

drwxr-xr-x 2  106  111   4096 Jun 30 17:18 zookeeper

在这种情况下,106 和 111 对应于主机的 zookeeper 用户和组 ID,我认为这就是问题所在.我尝试在容器内打开一个 shell,但这次我以 root 用户身份进入,我上面描述的场景运行得非常好,只是 root 是所创建文件的所有者(这是预期的).

The 106 and 111 in this case correspond to the zookeeper user and group ids of the host machine which I think is where the issue lies. I tried opening a shell inside of the container but this time I went in as the root user and the scenario that I described above worked perfectly fine just that root was the owner of the file that got created (which was expected).

由此我得出结论,我需要:

From this I concluded that I need to either:

(a) 作为默认 root 用户而不是我创建的 zookeeper 用户在我的容器内运行应用程序.

(a) Run the application inside of my container as the default root user instead of the zookeeper user that I create.

(b) 在我的主机和容器内创建一个 zookeeper 用户和组,其 ID 完全相同.

(b) Create a zookeeper user and group both on my host machine and inside the container whose id's are exactly the same.

这两种情况都不理想,因为对于 (a),以 root 用户身份运行应用程序可能存在潜在的安全问题(从我读过的内容来看),对于 (b),很难让 ID 匹配,因为它们可能已经被创建的其他用户使用(您无法控制).

Neither case is ideal because for (a), running the application as the root user could have potential security issues (from what I've read anyways), and for (b), it can be very difficult to get the id's to match due to the fact that they might already be taken by other users that were created (which you don't have any control over).

有没有人处理过这样的事情?我可能会忽略其他可能的解决方案吗?

Has anyone ever dealt with something like this before? Are there other possible solutions that I might be overlooking?

推荐答案

据我所知,容器内和宿主机上的用户 ID 和组 ID 应该匹配,以便宿主机授予您对共享目录.

To my knowledge, user ID and group ID inside the container and on the host machine should match, in order to let the host machine to grant you permissions to the share directory.

这篇关于尝试以非 root 用户身份从容器内部写入已安装的卷时出现问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆