Docker data volume container. I can't seem to get to backup


Problem description



Reading these links:

  1. https://docs.docker.com/userguide/dockervolumes/#backup-restore-or-migrate-data-volumes
  2. Backing up data volume containers off machine

My understanding is I can take a data volume container and archive its backup. However, reading the first link, I can't seem to get it to work.

docker create -v /sonatype-work --name sonatype-work sonatype/nexus /bin/true

I launch sonatype/nexus image in a container using:

--volumes-from sonatype-nexus

All good, after running nexus, I inspect the data volume, I can see the innards created, and stop and remove nexus and start again, all changes saved.

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
f84abb054d2e        sonatype/nexus      "/bin/sh -c 'java   -"   22 seconds ago      Up 21 seconds       0.0.0.0:8081->8081/tcp   nexus
1aea2674e482        sonatype/nexus      "/bin/true"              25 seconds ago      Created                                      sonatype-work

I want to now back up sonatype-work, but with no luck.

[root@ansible22 ~]# pwd
/root
[root@ansible22 ~]# docker run --volumes-from sonatype-work -v $(pwd):/backup ubuntu tar cvf /backup/sonatype-work-backup.tar /sonatype-work
tar: /backup/sonatype-work-backup.tar: Cannot open: Permission denied
tar: Error is not recoverable: exiting now

I have tried running as -u root, I also tried with:

/root/sonatype-work-backup.tar

When doing so, I can see it tarring stuff, but I don't see the tar file. Based on the example and my understanding I don't think that's right anyway.

Can anyone see what I'm doing wrong?

EDIT: Linux Version Info

Fedora release 22 (Twenty Two)
NAME=Fedora
VERSION="22 (Twenty Two)"
ID=fedora
VERSION_ID=22
PRETTY_NAME="Fedora 22 (Twenty Two)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:22"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=22
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=22
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Server Edition"
VARIANT_ID=server
Fedora release 22 (Twenty Two)
Fedora release 22 (Twenty Two)

Solution

The reason for this is related to SELinux labelling. There are a couple of good Project Atomic pages on this:

Docker and Linux

The default type for a confined container process is svirt_lxc_net_t. This type is permitted to read and execute all file types under /usr and most types under /etc. svirt_lxc_net_t is permitted to use the network but is not permitted to read content under /var, /home, /root, /mnt … svirt_lxc_net_t is permitted to write only to files labeled svirt_sandbox_file_t and docker_var_lib_t. All files in a container are labeled by default as svirt_sandbox_file_t.

Then in Using Volumes with Docker can Cause Problems with SELinux:

This will label the content inside the container with the exact MCS label that the container will run with, basically it runs chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db where s0:c1,c2 differs for each container.

(In this case not /var/db but /root)

If you volume mount an image with -v /SOURCE:/DESTINATION:z docker will automatically relabel the content for you to s0. If you volume mount with a Z, then the label will be specific to the container, and not be able to be shared between containers.

So either z or Z are suitable in this case but one might usually prefer Z for the isolation.
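
The labelling rules quoted in the answer above, as an added example that is not part of the original post: a small shell check that takes a file context and a container process context and reports whether the write is allowed, and if not, why. All context strings are constructed samples, and `explain_write` and the other names are hypothetical helpers.

```shell
#!/bin/sh
# Added example. The contexts are constructed samples in `ls -Zd` / `ps -Z`
# form (user:role:type:level); only plain category lists like c1,c2 are handled.

# File types the quoted policy text says svirt_lxc_net_t may write to.
WRITABLE_TYPES="svirt_sandbox_file_t docker_var_lib_t"

ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }   # third field: SELinux type
ctx_cats() { printf '%s\n' "$1" | cut -d: -f5; }   # MCS categories, empty for bare s0

# explain_write FILE_CTX PROC_CTX: prints the verdict, returns 0 only if allowed.
explain_write() {
    ftype=$(ctx_type "$1"); fcats=$(ctx_cats "$1"); pcats=$(ctx_cats "$2")
    case " $WRITABLE_TYPES " in
        *" $ftype "*) ;;
        *) echo "denied: type $ftype is not writable by $(ctx_type "$2")"
           return 1 ;;
    esac
    # MCS rule: every category on the file must also be held by the process.
    for c in $(printf '%s' "$fcats" | tr ',' ' '); do
        case ",$pcats," in
            *",$c,"*) ;;
            *) echo "denied: file category $c is not held by the process ($pcats)"
               return 1 ;;
        esac
    done
    echo "allowed"
}

# Constructed contexts: two containers and the states /root can be in.
PROC_A="system_u:system_r:svirt_lxc_net_t:s0:c1,c2"
PROC_B="system_u:system_r:svirt_lxc_net_t:s0:c3,c4"
ROOT_DEFAULT="system_u:object_r:admin_home_t:s0"               # no relabel
ROOT_SHARED="system_u:object_r:svirt_sandbox_file_t:s0"        # after :z
ROOT_PRIVATE="system_u:object_r:svirt_sandbox_file_t:s0:c1,c2" # after :Z by A

echo "no relabel, container A: $(explain_write "$ROOT_DEFAULT" "$PROC_A")"
echo ":z, container B:         $(explain_write "$ROOT_SHARED" "$PROC_B")"
echo ":Z by A, container A:    $(explain_write "$ROOT_PRIVATE" "$PROC_A")"
echo ":Z by A, container B:    $(explain_write "$ROOT_PRIVATE" "$PROC_B")"
```

On the real host, `ls -Zd /root` gives the file context to feed in. Because the relabel behind `:z`/`:Z` is recursive (the `chcon -R` quoted above), a dedicated backup directory is a safer bind-mount source than `/root`.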
