Docker data volume container. I can't seem to get to backup
Problem description
Reading these links:
- https://docs.docker.com/userguide/dockervolumes/#backup-restore-or-migrate-data-volumes
- Backing up data volume containers off machine
My understanding is I can take a data volume container and archive its backup. However reading the first link I can't seem to get it to work.
docker create -v /sonatype-work --name sonatype-work sonatype/nexus /bin/true
I launch sonatype/nexus image in a container using:
--volumes-from sonatype-nexus
All good. After running nexus, I inspect the data volume, I can see the innards created, and stop and remove nexus and start again, all changes saved.
CONTAINER ID   IMAGE            COMMAND                CREATED          STATUS          PORTS                    NAMES
f84abb054d2e   sonatype/nexus   "/bin/sh -c 'java -"   22 seconds ago   Up 21 seconds   0.0.0.0:8081->8081/tcp   nexus
1aea2674e482   sonatype/nexus   "/bin/true"            25 seconds ago   Created                                  sonatype-work
I want to now back up sonatype-work, but with no luck.
[root@ansible22 ~]# pwd
/root
[root@ansible22 ~]# docker run --volumes-from sonatype-work -v $(pwd):/backup ubuntu tar cvf /backup/sonatype-work-backup.tar /sonatype-work
tar: /backup/sonatype-work-backup.tar: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
I have tried running as -u root, I also tried with:
/root/sonatype-work-backup.tar
When doing so, I can see it tarring stuff, but I don't see the tar file. Based on the example and my understanding I don't think that's right anyway.
Can anyone see what I'm doing wrong?
EDIT: Linux Version Info
Fedora release 22 (Twenty Two)
NAME=Fedora
VERSION="22 (Twenty Two)"
ID=fedora
VERSION_ID=22
PRETTY_NAME="Fedora 22 (Twenty Two)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:22"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=22
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=22
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Server Edition"
VARIANT_ID=server
Fedora release 22 (Twenty Two)
Fedora release 22 (Twenty Two)
Solution
The reason for this is related to SELinux labelling. There are a couple of good Project Atomic pages on this:
The default type for a confined container process is svirt_lxc_net_t. This type is permitted to read and execute all files types under /usr and most types under /etc. svirt_lxc_net_t is permitted to use the network but is not permitted to read content under /var, /home, /root, /mnt … svirt_lxc_net_t is permitted to write only to files labeled svirt_sandbox_file_t and docker_var_lib_t. All files in a container are labeled by default as svirt_sandbox_file_t.
Then in Using Volumes with Docker can Cause Problems with SELinux:
This will label the content inside the container with the exact MCS label that the container will run with, basically it runs
chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db
where s0:c1,c2 differs for each container.
(In this case not /var/db but /root.)
If you volume mount a image with -v /SOURCE:/DESTINATION:z docker will automatically relabel the content for you to s0. If you volume mount with a Z, then the label will be specific to the container, and not be able to be shared between containers.
So either z or Z are suitable in this case but one might usually prefer Z for the isolation.
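The labelling rule quoted in the answer, as an added shell example (not part of the original answer and not Project Atomic's code): it checks whether a file context is writable by a confined container, tells a shared `z` label from a private `Z` label, and prints the question's backup command with a relabel option. The function names, the sample context strings and the `/root/nexus-backup` directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Types the page says svirt_lxc_net_t may write to.
WRITABLE_TYPES="svirt_sandbox_file_t docker_var_lib_t"

# Split a context "user:role:type:level" into its type and level fields.
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Succeed if a confined container process could write a file with this context.
container_can_write() {
    case " $WRITABLE_TYPES " in
        *" $(context_type "$1") "*) return 0 ;;
        *) return 1 ;;
    esac
}

# "shared" = plain s0 (what :z gives), "private" = s0 plus MCS categories (:Z).
label_scope() {
    case "$(context_level "$1")" in
        s0)    echo shared ;;
        s0:c*) echo private ;;
        *)     echo unknown ;;
    esac
}

# Print the question's backup command with a relabel option added.
# Args: volume container, volume path, host backup dir, z|Z.
# Refusing broad directories is this example's own precaution: the relabel is
# recursive, so pointing it at /root or /home changes every file beneath.
backup_cmd() {
    case "$4" in z|Z) ;; *) echo "option must be z or Z" >&2; return 2 ;; esac
    case "$3" in
        /|/root|/home|/usr|/etc|/var) echo "refusing to relabel $3" >&2; return 3 ;;
    esac
    printf 'docker run --rm --volumes-from %s -v %s:/backup:%s ubuntu tar cvf /backup/%s-backup.tar %s\n' \
        "$1" "$3" "$4" "$1" "$2"
}

# Constructed sample contexts, as `ls -dZ` would print them (not from the page).
CTX_BEFORE='system_u:object_r:admin_home_t:s0'                # typical /root label
CTX_AFTER_z='system_u:object_r:svirt_sandbox_file_t:s0'
CTX_AFTER_Z='system_u:object_r:svirt_sandbox_file_t:s0:c1,c2'

for ctx in "$CTX_BEFORE" "$CTX_AFTER_z" "$CTX_AFTER_Z"; do
    if container_can_write "$ctx"; then verdict=writable; else verdict=denied; fi
    echo "$ctx -> $verdict ($(label_scope "$ctx"))"
done
backup_cmd sonatype-work /sonatype-work /root/nexus-backup Z
```

On a real host, `ls -dZ` on the backup directory before and after the run shows the context strings these functions parse.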