CNB Docker 映像的卷写入访问权限 [英] Write access on volume for CNB Docker image

问题描述

我正在开发一个 Spring Boot 应用程序，该应用程序应该迁移到 docker 容器中(用于在服务器上作为 systemd 服务运行)该应用程序在文件系统上读取和写入一个可配置的路径 - 现在假设它是 /var/mypath

I am working on a spring boot application that should be migrated into a docker container (used to run as a systemd service on a server) The app reads and writes a configurable path on the file system - lets for now assume it is /var/mypath

我使用 springs gradle 插件中的 bootBuildImage 任务构建了一个 docker 镜像.它使用看似默认的构建器映像，即 gcr.io/paketo-buildpacks/builder 来构建应用程序映像.

I built a docker image using the bootBuildImage task from springs gradle plugin. it used what appears to be the default builder image, namely gcr.io/paketo-buildpacks/builder to build the application image.

因此，在 docker compose 文件中，我定义了一个堆栈，其中包含(不重要的)mysql db 和 spring boot 应用程序，如下所示:

Consequently, in a docker compose file, I defined a stack, with the (unimportant) mysql db and the spring boot app like this:

version: "3.8"

services:
  backend_db:
    container_name: "backend_db"
    image: "mariadb:latest"
    # ...

  backend_app:
    depends_on:
      - "backend_db"
    container_name: "backend_app"
    image: "myImageName:latest"
    restart: always
    ports:
      - 8080:8080
    volumes:
      - "app:/var/mypath"
    environment:
      # mysql data etc...

volumes:
  db:
  app:

当我使用 docker-compose up 启动它时，spring-boot 应用程序对 /var/mypath 没有写访问权限.我发现，显然 CNB 构建使 spring 应用程序以用户 cnb 运行.我想，该卷是作为 root 创建的，只有 root 对它有写访问权限.

When I start it up with docker-compose up, the spring-boot application does not have write access on /var/mypath. I figured out, that apparently the CNB build makes the spring application run as user cnb. I suppose, the volume is created as root and only root has write access to it.

手动 chown 方法似乎不是最理想的，因为我本来希望能够在服务器上 docker-compose up 并完成，而不是手动 chown，但无论如何:我试图从容器内将音量 chown 给 cnb 用户，但没有成功:

The manual-chown approach seems suboptimal, since I would have expected to be able to just docker-compose up on a server and be done, instead of manually chowning around but anyways: I have tried to chown the volume to the cnb user from within the container without success:

chown cnb/var/mypath/chown:更改/var/mypath/"的所有权:不允许操作

chown cnb /var/mypath/ chown: changing ownership of '/var/mypath/': Operation not permitted

我如何确保 Spring Boot 应用程序可以写入卷?

How can I make sure, that the spring boot application can write the volume?

推荐答案

毕竟我设法 chown/chgrp 卷 - 我的错误是它在容器内不起作用(没有 sudo) - 但它有效从外部使用 docker exec，指定 root 用户:

I managed to chown/chgrp the volume after all - my mistake was that it does not work from within the container (there is no sudo) - but it works from outside using docker exec, specifying the root user:

docker exec -u 0 -it backend_app chown cnb /var/mypath
docker exec -u 0 -it backend_app chgrp cnb /var/mypath

用户@Stuck 还通过创建另一个 docker-image 层提出了一种更精细的方法:可以`bootBuildImage` 创建可写卷?

User @Stuck also suggested a more elaborate approach by creating another docker-image layer: can `bootBuildImage` create writeable volumes?

来自 Spring 的 Andy Wilkinson 指出这是一个普遍的 Docker 问题 - 所以如果将来出现其他解决方案，我很高兴更新这个问题.

Andy Wilkinson from Spring pointed out that this is a general Docker issue - so if some other solution pops up in the future, I'm glad to update this question.

这篇关于CNB Docker 映像的卷写入访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！