在不以root身份运行的情况下,从容器访问命名卷? [英] Access named volume from container when not running as root?
问题描述
版本:'2'
卷:
[...]
flower_data:{}
[...]
花:
图像:[基本代码图像]
端口:
- 5555:5555
卷:
- flower_data:/ flower
命令:
芹菜-A proj flower --port = 5555 --persistent = True --db = / flower / flower
然而,我得到:
code> IOError:[Errno 13]权限被拒绝:'flower.dat'
我跑以下阐明为什么:
bash -cls -al / flower; whoami;芹菜-A proj flower - 持续= True --db = / flower / flower
这就清楚了为什么:
flower_1 | drwxr-xr-x 3根根4096 3月10日23:05。
flower_1 | drwxr-xr-x 7 root root 4096 Mar 10 23:05 ..
即目录是安装为 root
,但在 [基本代码图像]
中,我确保用户正在运行不根,根据Celery的码头不能以root身份运行:
FROM python:2.7
...
RUN groupadd用户&& useradd --create-home --home-dir / usrc / src / app -g user user
USER用户
Celery Flower继续以root用户身份继续运行,但能够使用此命名卷的最佳方式是什么?
以下工作:在Docker文件中,安装 sudo
并添加用户
到 sudo
组,需要密码:
运行apt-get update
运行apt-get -y安装sudo
RUN echouser:SECRET| chpasswd&& adduser user sudo
然后,在Docker Compose配置中,命令将是:
bash -cecho SECRET | sudo -S chown user:user / flower;芹菜-A proj flower --power = 5555 - -db = / flower / flower
我不知道这是否是最好的方法, ,或这是什么安全隐患。
I'm running Celery under Docker Compose. I'd like to make Celery's Flower persistent. So I do:
version: '2'
volumes:
[...]
flower_data: {}
[...]
flower:
image: [base code image]
ports:
- "5555:5555"
volumes:
- flower_data:/flower
command:
celery -A proj flower --port=5555 --persistent=True --db=/flower/flower
However, then I get:
IOError: [Errno 13] Permission denied: 'flower.dat'
I ran the following to elucidate why:
bash -c "ls -al /flower; whoami; celery -A proj flower --persistent=True --db=/flower/flower"
This made it clear why:
flower_1 | drwxr-xr-x 3 root root 4096 Mar 10 23:05 .
flower_1 | drwxr-xr-x 7 root root 4096 Mar 10 23:05 ..
Namely, the directory is mounted as root
, yet in [base code image]
I ensure the user running is not root, as per Celery's docks to never run as root:
FROM python:2.7
...
RUN groupadd user && useradd --create-home --home-dir /usrc/src/app -g user user
USER user
What would be the best way for Celery Flower to continue to run not as root, yet be able to use this named volume?
The following works: In the Dockerfile, install sudo
and add user
to the sudo
group, requiring a password:
RUN apt-get update
RUN apt-get -y install sudo
RUN echo "user:SECRET" | chpasswd && adduser user sudo
Then, in the Docker Compose config, the command will be:
bash -c "echo SECRET | sudo -S chown user:user /flower; celery -A proj flower --power=5555 --persistent --db=/flower/flower"
I'm not sure if this is the best way, though, or what the security implications of this are.
这篇关于在不以root身份运行的情况下,从容器访问命名卷?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!