我需要启用Docker卷才能使用哪些权限? [英] What permissions do I need to enable for Docker volumes to work?
问题描述
目前,我的解决方案是在我的主机上创建一个目录 / srv / service-name
(我使用的是Ubuntu 14.10),然后使用 -v / srv / service-name:/ path / inside / container
参数。
通过反复试验我发现有时容器无法写入,因为它没有正确的权限。我发现这个问题,其中提供了仅数据的容器作为解决方案。那么我不想使用容器,因为我在做什么似乎不必要地复杂了。我宁愿只是使用 -v
加载目录。
那么,我如何设置正确的权限在我正在挂载的目录中?
那么,我如何设置正确的权限目录我正在挂载?
Docker卷没有什么特别之处:为了使进程写入目录,所有权和权限在该目录下需要允许写入。
默认情况下,Docker容器中的进程作为 root
运行,能够写出几乎任何地方,没有像selinux这样的额外限制。
如果您在容器中有一个进程不是运行作为根,您可以确保您暴露于容器的任何卷具有适当的所有权。您有两个选择:
-
从主机中设置源目录的权限。
如果您的进程以容器内的用户
httpd
运行,则需要确定与该用户关联的数字UID,然后确定chown
目录到适当的用户ID。例如,如果容器内的用户httpd
是UID 48,则在主机上:chown 48 / srv / webserver
正如你所料,这意味着运行<$主机上的c $ c> ls -l </ code>可能会返回不同的用户名,因为不能保证容器中的UID与主机上的UID匹配。
-
在
ENTRYPOINT
脚本中设置权限
如果您正在构建自己的图像,可以以
root
运行容器,然后具有一个ENTRYPOINT
脚本,负责(a)设置所有权和权限,然后(b)切换到非特权用户运行您的CMD
。
Let's say I have a Docker container that holds some data. I want this data to persist - if the container is stopped, removed, upgraded etc. I still want the data to be in an accessible location on the host OS filesystem.
Currently, my solution is to create a directory /srv/service-name
on my host (I use Ubuntu 14.10) and then run my service with the -v /srv/service-name:/path/inside/container
argument.
By trial and error I found out that sometimes the container is unable to write to this, because it doesn't have the right permissions. I found this question where data-only containers are given as a solution. Well, I don't want to use containers because it seems needlessly complicated for what I am doing. I'd rather just keep mounting the directories with -v
.
So, how can I set the right permissions on the directory I am mounting?
So, how can I set the right permissions on the directory I am mounting?
There's nothing special about Docker volumes: in order for a process to write to a directory, the ownership and permissions on that directory need to allow writing.
By default, processes in a Docker container are running as root
and are able to write pretty much anywhere, absent additional restrictions imposed by something like selinux.
If you have a process in a container that is not running as root, it is up to you to ensure that any volumes you expose to the container have appropriate ownership. You have basically two choices:
Set the permissions on the source directory from the host.
If your process is running as user
httpd
inside a container, you will need to determine the numeric UID associated with that user and thenchown
the directory to the appropriate user ID. E.g., if userhttpd
inside the container is UID 48, then on the host:chown 48 /srv/webserver
As you probably expect, this means that running
ls -l
on the host may return a different username, because there is no guarantee that UIDs in the container match UIDs on the host.Set permissions in an
ENTRYPOINT
scriptIf you are building your own images, you can run containers as
root
, and then have anENTRYPOINT
script that is responsible for (a) setting ownership and permissions and then (b) switching to a non-privileged user to run yourCMD
.
这篇关于我需要启用Docker卷才能使用哪些权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!