如何影响Docker文件中RUN命令的顺序? [英] How can one influence the order of RUN commands in a Dockerfile?
问题描述
blog 的用户来管理网站部署。我使用Docker Hub wordpress 容器作为基础。 root用户在 / var / www / html 下创建文件夹,并给出博客用户权限下写入。 p> 在 USER blog 之后的下一组RUN命令中,这些命令不承认以前的状态,其中 blog 用户被授权写入 / var / www / html 。这个用户需要在那里克隆一个git repo,但是我收到错误 fatal:无法创建'/ var / www / html / wp-content / uploads'的主要目录:Permission denied 由于新用户无法写入,尽管以前为此用户设置了权限。
以下是我用于创建 blog 用户,将文件复制到他们的主目录,然后用这个用户克隆一个repo:
ENV WORDPRESS_DB_USER = wp_blog \
WORDPRESS_DB_NAME = wp_blog \
WORDPRESS_DIR = / var / www / html \
TERM = xterm
#设置WordPress网站用户
#初步命令
RUN useradd --create-home --shell / bin / false --groups www-data blog
COPY id_rsa * known_hosts /home/blog/.ssh/
##第一组命令
RUN mkdir --parents$ WORDPRESS_DIR/ wp-content / uploads \
&& chown --recursive blog:blog$ WORDPRESS_DIR\
&&& chown --recursive blog:blog / home / blog
USER blog
##第二组命令
RUN chmod u = rw,g =,o = / home / blog /.ssh/id_rsa \
&&& chmod u = rw,g = r,o = r /home/blog/.ssh/id_rsa.pub \
&& chmod u = rw,g = r,o = r /home/blog/.ssh/known_hosts \
&& eval $(ssh-agent -s)\
&&& ssh-add \
&&&导出PATH = $ PATH:/ usr / sbin \
#使用WordPress用户下载内容repo和钩子
#以下命令导致权限错误:
&安培;&安培; git clone git@gitlab.com:jb-merideoux / jbm-uploads.git$ WORDPRESS_DIR/ wp-content / uploads \
&& mkdir --parents / home / blog / git / wpgithooks \
&& cd / home / blog / git / wpgithooks \
&& git clone git@github.com:enderandpeter / wpgithooks.git / home / blog / git / wpgithooks \
&& git checkout --git-dir = / home / blog / git / wpgithooks / .git --track origin / wpaddons \
&& chmod u + x /home/blog/git/wpgithooks/*.sh \
&&& echo在/home/blog/git/wpgithooks/setup.sh运行脚本以开始
blog 用户可以设置复制的SSH密钥对的权限,但如果 chown --recursive blog:blog / home / blog 命令不存在。我会认为以前的 chown --recursive博客:博客$ WORDPRESS_DIR命令会对博客用户可以在 blog 更改的同一组命令中写入 / var / www / html 在根用户之后, root 复制到其家中的文件的权限确保家庭/博客由博客拥有。在某些情况下, / home / blog 的权限在第二组RUN命令中生效,但不是 / var / www / html的权限。
仔细检查后,会出现 mkdir --parents$ WORDPRESS_DIR/ wp-content / uploads 指令没有运行,因为当我在 git clone 命令之前,有一些东西来创建一个文件,如 touch $ WORDPRESS_DIR/ wp-content / uploads / afile ,错误是 touch:无法触摸'/ var / www / html / wp-content / uploads / afile':否这样的文件或目录。
当尝试在 / var / www / html / 中创建 afile code>(它已经存在,因为它是由基本wordpress容器创建的),我得到错误触摸:不能触摸'/ var / www / html / afile':权限被拒绝,表示 chown --recursive blog:blog$ WORDPRESS_DIR命令未被确认。在第一组RUN语句中的三个命令中,看起来只有第二组RUN语句确认的命令是 chown --recursive blog:blog / home / blog 。
我如何编写这个Docker文件,以便第一个RUN语句中的所有命令在第二组RUN语句执行之前发出新用户?
哇,那是激烈的。第二组命令从来没有提前完成。我看到了后续的RUN命令知道之前发生的事情的例子,所以我仍然不清楚这是如何确定的。
我发现的解决方案是在第一组命令中使用 su ,就在root创建目录和集合之后权限:
运行mkdir --parents$ WORDPRESS_DIR/ wp-content / uploads \
&& ; chown --recursive blog:blog$ WORDPRESS_DIR\
&&& chown --recursive blog:blog / home / blog \
&& su - blog -s / bin / bash -c'\
chmod u = rwx,g =,o = /home/blog/.ssh \
&& chmod u = rw,g =,o = /home/blog/.ssh/id_rsa \
...
&&& git clone git@gitlab.com:jb-merideoux / jbm-uploads.git'$ WORDPRESS_DIR'/ wp-content / uploads \
...
&& $ WORDPRES_DIR'设置完成'
如你所见,那是一些疯狂的引用,但幸运的是,您可以格式化命令,就好像它们直接提供给Dockerfile一样。我最终使用 USER blog 来做不依赖于早期的东西的事情,但是我猜想有时候使用Docker,你必须输入一大堆命令在一起,但我可以把所有这一切分成一个单独的脚本...
I'm writing a Dockerfile where the root user creates a user named blog to manage website deployment. I'm using the Docker Hub wordpress container as a base. The root user creates folders under /var/www/html and gives the blog user permissions to write underneath.
In the next set of RUN commands following USER blog, these commands do not acknowledge the previous state where blog user was given permission to write in /var/www/html. This user needs to clone a git repo in there, but I get the error fatal: could not create leading directories of '/var/www/html/wp-content/uploads': Permission denied due to the new user not being able to write there, despite setting permissions for this user previously.
Here are the commands I'm using to create the blog user, copy files to their home directory, and then clone a repo with this user:
ENV WORDPRESS_DB_USER=wp_blog \
WORDPRESS_DB_NAME=wp_blog \
WORDPRESS_DIR=/var/www/html \
TERM=xterm
# Setup the WordPress site user
# Preliminary command
RUN useradd --create-home --shell /bin/false --groups www-data blog
COPY id_rsa* known_hosts /home/blog/.ssh/
## First set of commands
RUN mkdir --parents "$WORDPRESS_DIR"/wp-content/uploads \
&& chown --recursive blog:blog "$WORDPRESS_DIR" \
&& chown --recursive blog:blog /home/blog
USER blog
## Second set of commands
RUN chmod u=rw,g=,o= /home/blog/.ssh/id_rsa \
&& chmod u=rw,g=r,o=r /home/blog/.ssh/id_rsa.pub \
&& chmod u=rw,g=r,o=r /home/blog/.ssh/known_hosts \
&& eval $(ssh-agent -s) \
&& ssh-add \
&& export PATH=$PATH:/usr/sbin \
# Use the WordPress user to download the content repo and hooks
# The following command results in a permissions error:
&& git clone git@gitlab.com:jb-merideoux/jbm-uploads.git "$WORDPRESS_DIR"/wp-content/uploads \
&& mkdir --parents /home/blog/git/wpgithooks \
&& cd /home/blog/git/wpgithooks \
&& git clone git@github.com:enderandpeter/wpgithooks.git /home/blog/git/wpgithooks \
&& git checkout --git-dir=/home/blog/git/wpgithooks/.git --track origin/wpaddons \
&& chmod u+x /home/blog/git/wpgithooks/*.sh \
&& echo Run the script at /home/blog/git/wpgithooks/setup.sh to get started
The blog user is able to set permissions for the copied SSH key pair, but it cannot if the chown --recursive blog:blog /home/blog command is not present. I would think that the previous chown --recursive blog:blog "$WORDPRESS_DIR" command would have an equal effect on whether or not the blog user can write in /var/www/html in the same set of commands where blog changes permissions for files copied to its home by root after the root user made sure everything under /home/blog was owned by blog. Somehow, the permissions for /home/blog are in effect in the second set of RUN commands, but not the permissions for /var/www/html.
Upon closer inspection, it would appear that the mkdir --parents "$WORDPRESS_DIR"/wp-content/uploads instruction has not run either because when I precede the git clone command with something to create a file like touch "$WORDPRESS_DIR"/wp-content/uploads/afile, the error is touch: cannot touch '/var/www/html/wp-content/uploads/afile': No such file or directory.
When I try to createafile in /var/www/html/ (which already exists because it was created by the base wordpress container), I get the error touch: cannot touch '/var/www/html/afile': Permission denied, indicating that the chown --recursive blog:blog "$WORDPRESS_DIR" command was not acknowledged. Of the three commands in the first set of RUN statements, it looks like the only one acknowledged by the second set of RUN statements is chown --recursive blog:blog /home/blog.
How might I write this Dockerfile so that all of the commands in the first RUN statement have been issued by the time the second set of RUN statements are executed by the new user?
Wow, that was intense. The second set of commands just never pick up on what was done beforehand. I've seen examples where subsequent RUN commands are aware of things that happened in previous ones, so I'm still not clear on just how that is determined.
The solution I found was to use su in the first set of commands, right after root creates directories and sets permissions:
RUN mkdir --parents "$WORDPRESS_DIR"/wp-content/uploads \
&& chown --recursive blog:blog "$WORDPRESS_DIR" \
&& chown --recursive blog:blog /home/blog \
&& su - blog -s /bin/bash -c '\
chmod u=rwx,g=,o= /home/blog/.ssh \
&& chmod u=rw,g=,o= /home/blog/.ssh/id_rsa \
...
&& git clone git@gitlab.com:jb-merideoux/jbm-uploads.git '"$WORDPRESS_DIR"'/wp-content/uploads \
...
&& echo '"$WORDPRES_DIR"' setup complete.'
As you can see, that is some insane quoting, but luckily you can format the commands exactly as though they were given straight to the Dockerfile. I did use USER blog at the very end to do things that didn't depend on the earlier stuff, but I guess sometimes with Docker, you have to string a whole bunch of commands together, but I can probably get all this into a separate script...
这篇关于如何影响Docker文件中RUN命令的顺序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
