我需要启用Docker卷才能使用哪些权限？ [英] What permissions do I need to enable for Docker volumes to work?

问题描述

假设我有一个容纳一些数据的Docker容器。我想要这个数据持续存在 - 如果容器被停止，删除，升级等等。我仍然希望数据位于主机操作系统文件系统的可访问位置。

目前，我的解决方案是在我的主机上创建一个目录 / srv / service-name （我使用的是Ubuntu 14.10），然后使用 -v / srv / service-name：/ path / inside / container 参数。

通过反复试验我发现有时容器无法写入，因为它没有正确的权限。我发现这个问题，其中提供了仅数据的容器作为解决方案。那么我不想使用容器，因为我在做什么似乎不必要地复杂了。我宁愿只是使用 -v 加载目录。

那么，我如何设置正确的权限在我正在挂载的目录中？

解决方案

那么，我如何设置正确的权限目录我正在挂载？

Docker卷没有什么特别之处：为了使进程写入目录，所有权和权限在该目录下需要允许写入。

默认情况下，Docker容器中的进程作为 root 运行，能够写出几乎任何地方，没有像selinux这样的额外限制。

如果您在容器中有一个进程不是运行作为根，您可以确保您暴露于容器的任何卷具有适当的所有权。您有两个选择：

1. 从主机中设置源目录的权限。

   
   
   

   如果您的进程以容器内的用户 httpd 运行，则需要确定与该用户关联的数字UID，然后确定 chown 目录到适当的用户ID。例如，如果容器内的用户 httpd 是UID 48，则在主机上：

     chown 48 / srv / webserver 
     

   正如你所料，这意味着运行<$主机上的c $ c> ls -l <​​/ code>可能会返回不同的用户名，因为不能保证容器中的UID与主机上的UID匹配。




2. 在 ENTRYPOINT 脚本中设置权限

   
   
   

   如果您正在构建自己的图像，可以以 root 运行容器，然后具有一个 ENTRYPOINT 脚本，负责（a）设置所有权和权限，然后（b）切换到非特权用户运行您的 CMD 。

Let's say I have a Docker container that holds some data. I want this data to persist - if the container is stopped, removed, upgraded etc. I still want the data to be in an accessible location on the host OS filesystem.

Currently, my solution is to create a directory /srv/service-name on my host (I use Ubuntu 14.10) and then run my service with the -v /srv/service-name:/path/inside/container argument.

By trial and error I found out that sometimes the container is unable to write to this, because it doesn't have the right permissions. I found this question where data-only containers are given as a solution. Well, I don't want to use containers because it seems needlessly complicated for what I am doing. I'd rather just keep mounting the directories with -v.

So, how can I set the right permissions on the directory I am mounting?

解决方案

So, how can I set the right permissions on the directory I am mounting?

There's nothing special about Docker volumes: in order for a process to write to a directory, the ownership and permissions on that directory need to allow writing.

By default, processes in a Docker container are running as root and are able to write pretty much anywhere, absent additional restrictions imposed by something like selinux.

If you have a process in a container that is not running as root, it is up to you to ensure that any volumes you expose to the container have appropriate ownership. You have basically two choices:

1. Set the permissions on the source directory from the host.

   If your process is running as user httpd inside a container, you will need to determine the numeric UID associated with that user and then chown the directory to the appropriate user ID. E.g., if user httpd inside the container is UID 48, then on the host:

   chown 48 /srv/webserver
   

   As you probably expect, this means that running ls -l on the host may return a different username, because there is no guarantee that UIDs in the container match UIDs on the host.

2. Set permissions in an ENTRYPOINT script

   If you are building your own images, you can run containers as root, and then have an ENTRYPOINT script that is responsible for (a) setting ownership and permissions and then (b) switching to a non-privileged user to run your CMD.

这篇关于我需要启用Docker卷才能使用哪些权限？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！