如何在 Docker 容器中使用 setfacl? [英] How to use setfacl within a Docker container?

问题描述

似乎在容器内文件系统是在没有acl"的情况下安装的，因此setfacl"将不起作用.它也不会让我重新安装它，我什至无法运行 'df -h'.

It seems like within the container the filesystem is mounted without 'acl', therefore 'setfacl' won't work. And it won't let me remount it either, and I can't even run 'df -h'.

我需要 setfacl，因为我让 root 拥有我网站上的所有文件，并且我只授予网络服务器用户对一些目录(如缓存、日志等)的写入权限.

I need setfacl because I make root own all the files from my websites, and I give the webserver user write permissions to only a few directories like cache, logs, etc.

我能做什么?

推荐答案

好消息是 Docker 支持 ACL.

The good news is that Docker supports ACLs.

在早期版本中，Docker 使用了一个不支持它们的名为 AUFS 的文件系统.您可以通过使用适当的选项启动 Docker 守护程序，告诉 Docker 使用 Device Mapper (LVM) 进行存储:

In early releases Docker used a filesystem named AUFS which didn't support them. You could tell Docker to use Device Mapper (LVM) for its storage, by starting your Docker daemon with the appropriate option:

docker -d --storage-driver=devicemapper --daemon=true

来源:https://groups.google.com/forum/#!topic/docker-user/165AARba2Bk

然后你就可以在你的容器中使用 setfacl.

and then you were able to use setfacl in your containers.

任何最近发布的版本或 Docker 现在都使用 overlay2 存储驱动程序，它支持开箱即用.要检查您的存储驱动程序是什么:

Any reasonably recent release or Docker now uses the overlay2 storage driver, which supports that out of the box. To check what is your storage driver:

docker 信息 |grep 存储

df -h 由于不同且不相关的原因而不起作用:它依赖于 /etc/mtab，在您的情况下不存在.在你的容器中，从 procfs 创建一个链接，这将解决这个问题:

df -h doesn't work for a different and unrelated reason : it relies on /etc/mtab, not present in your case. In your container, create a link from procfs, that will solve this problem:

ln -s /proc/mounts /etc/mtab

这篇关于如何在 Docker 容器中使用 setfacl?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！