访问 Docker 中的主机目录的权限被拒绝 [英] Permission denied on accessing host directory in Docker

问题描述

我试图在 Docker 中挂载一个主机目录，但随后我无法从容器内访问它，即使访问权限看起来不错.

I am trying to mount a host directory in Docker, but then I can not access it from within the container, even if the access permissions look good.

我在做

sudo docker run -i -v /data1/Downloads:/Downloads ubuntu bash

然后

ls -al

它给了我:

total 8892
drwxr-xr-x.  23 root root    4096 Jun 18 14:34 .
drwxr-xr-x.  23 root root    4096 Jun 18 14:34 ..
-rwxr-xr-x.   1 root root       0 Jun 18 14:34 .dockerenv
-rwx------.   1 root root 9014486 Jun 17 22:09 .dockerinit
drwxrwxr-x.  18 1000 1000   12288 Jun 16 11:40 Downloads
drwxr-xr-x.   2 root root    4096 Jan 29 18:10 bin
drwxr-xr-x.   2 root root    4096 Apr 19  2012 boot
drwxr-xr-x.   4 root root     340 Jun 18 14:34 dev
drwxr-xr-x.  56 root root    4096 Jun 18 14:34 etc
drwxr-xr-x.   2 root root    4096 Apr 19  2012 home

还有更多类似的行(我认为这是相关部分).

and a lot more lines like that (I think this is the relevant portion).

如果我这样做

cd /Downloads
ls

结果是

ls: cannot open directory .: Permission denied

主机是 Fedora 20，带有 Docker 1.0.0 和 go1.2.2.

The host is Fedora 20, with Docker 1.0.0 and go1.2.2.

出了什么问题?

推荐答案

参见 这篇关于 Volumes 和 SELinux 的 Project Atomic 博客文章 了解全文.

特别是:

最近这变得更容易了，因为 Docker 终于合并了一个补丁将出现在 docker-1.7(我们已经在RHEL、CentOS 和 Fedora 上的 docker-1.6).

This got easier recently since Docker finally merged a patch which will be showing up in docker-1.7 (We have been carrying the patch in docker-1.6 on RHEL, CentOS, and Fedora).

这个补丁增加了对z"的支持和Z"作为卷上的选项挂载 (-v).

This patch adds support for "z" and "Z" as options on the volume mounts (-v).

例如:

docker run -v /var/db:/var/db:z rhel7 /bin/sh

会自动执行chcon -Rt svirt_sandbox_file_t/var/db手册页中描述.

Will automatically do the chcon -Rt svirt_sandbox_file_t /var/db described in the man page.

更好的是，您可以使用 Z.

Even better, you can use Z.

docker run -v /var/db:/var/db:Z rhel7 /bin/sh

这将使用准确的 MCS 标记容器内的内容容器将运行的标签，基本上它运行 chcon -Rt svirt_sandbox_file_t -l s0:c1,c2/var/db 其中 s0:c1,c2 不同每个容器.

This will label the content inside the container with the exact MCS label that the container will run with, basically it runs chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db where s0:c1,c2 differs for each container.

这篇关于访问 Docker 中的主机目录的权限被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！