CNB Docker 映像的卷写入访问权限 [英] Write access on volume for CNB Docker image
问题描述
我正在开发一个 Spring Boot 应用程序,该应用程序应该迁移到 docker 容器中(用于在服务器上作为 systemd 服务运行)该应用程序在文件系统上读取和写入一个可配置的路径 - 现在假设它是 /var/mypath
I am working on a spring boot application that should be migrated into a docker container (used to run as a systemd service on a server)
The app reads and writes a configurable path on the file system - lets for now assume it is /var/mypath
我使用 springs gradle 插件中的 bootBuildImage
任务构建了一个 docker 镜像.它使用看似默认的构建器映像,即 gcr.io/paketo-buildpacks/builder
来构建应用程序映像.
I built a docker image using the bootBuildImage
task from springs gradle plugin. it used what appears to be the default builder image, namely gcr.io/paketo-buildpacks/builder
to build the application image.
因此,在 docker compose 文件中,我定义了一个堆栈,其中包含(不重要的)mysql db 和 spring boot 应用程序,如下所示:
Consequently, in a docker compose file, I defined a stack, with the (unimportant) mysql db and the spring boot app like this:
version: "3.8"
services:
backend_db:
container_name: "backend_db"
image: "mariadb:latest"
# ...
backend_app:
depends_on:
- "backend_db"
container_name: "backend_app"
image: "myImageName:latest"
restart: always
ports:
- 8080:8080
volumes:
- "app:/var/mypath"
environment:
# mysql data etc...
volumes:
db:
app:
当我使用 docker-compose up
启动它时,spring-boot 应用程序对 /var/mypath
没有写访问权限.我发现,显然 CNB 构建使 spring 应用程序以用户 cnb
运行.我想,该卷是作为 root 创建的,只有 root 对它有写访问权限.
When I start it up with docker-compose up
, the spring-boot application does not have write access on /var/mypath
.
I figured out, that apparently the CNB build makes the spring application run as user cnb
.
I suppose, the volume is created as root and only root has write access to it.
手动 chown 方法似乎不是最理想的,因为我本来希望能够在服务器上 docker-compose up
并完成,而不是手动 chown,但无论如何:我试图从容器内将音量 chown
给 cnb 用户,但没有成功:
The manual-chown approach seems suboptimal, since I would have expected to be able to just docker-compose up
on a server and be done, instead of manually chowning around but anyways:
I have tried to chown
the volume to the cnb user from within the container without success:
chown cnb/var/mypath/chown:更改/var/mypath/"的所有权:不允许操作
chown cnb /var/mypath/ chown: changing ownership of '/var/mypath/': Operation not permitted
我如何确保 Spring Boot 应用程序可以写入卷?
How can I make sure, that the spring boot application can write the volume?
推荐答案
毕竟我设法 chown/chgrp 卷 - 我的错误是它在容器内不起作用(没有 sudo) - 但它有效从外部使用 docker exec,指定 root 用户:
I managed to chown/chgrp the volume after all - my mistake was that it does not work from within the container (there is no sudo) - but it works from outside using docker exec, specifying the root user:
docker exec -u 0 -it backend_app chown cnb /var/mypath
docker exec -u 0 -it backend_app chgrp cnb /var/mypath
用户@Stuck 还通过创建另一个 docker-image 层提出了一种更精细的方法:可以`bootBuildImage` 创建可写卷?
User @Stuck also suggested a more elaborate approach by creating another docker-image layer: can `bootBuildImage` create writeable volumes?
来自 Spring 的 Andy Wilkinson 指出这是一个普遍的 Docker 问题 - 所以如果将来出现其他解决方案,我很高兴更新这个问题.
Andy Wilkinson from Spring pointed out that this is a general Docker issue - so if some other solution pops up in the future, I'm glad to update this question.
这篇关于CNB Docker 映像的卷写入访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!