[英]How to give non-root user in Docker container access to a volume mounted on the host
I am running my application in a Docker container as a non-root user.我以非 root 用户身份在 Docker 容器中运行我的应用程序。 I did this since it is one of the best practices.
我这样做是因为这是最佳实践之一。 However, while running the container I mount a host volume to it
-v /some/folder:/some/folder
.但是,在运行容器时,我将主机卷安装到它
-v /some/folder:/some/folder
。 I am doing this because my application running inside the docker container needs to write files to the mounted host folder.我这样做是因为我在 docker 容器内运行的应用程序需要将文件写入挂载的主机文件夹。 But since I am running my application as a non-root user, it doesn't have permission to write to that folder
但是由于我以非 root 用户身份运行我的应用程序,因此它无权写入该文件夹
Question题
Is it possible to give a nonroot user in a docker container access to the hosted volume?是否可以让 docker 容器中的非 root 用户访问托管卷?
If not, is my only option to run the process in docker container as root?如果没有,我唯一的选择是在 docker 容器中以 root 身份运行进程吗?
There's no magic solution here: permissions inside docker are managed the same as permissions without docker.这里没有神奇的解决方案:docker 内部的权限管理与没有 docker 的权限相同。 You need to run the appropriate
chown
and chmod
commands to change the permissions of the directory.您需要运行适当的
chown
和chmod
命令来更改目录的权限。
One solution is to have your container run as root and use an ENTRYPOINT
script to make the appropriate permission changes, and then your CMD
as an unprivileged user.一种解决方案是让您的容器以 root 身份运行并使用
ENTRYPOINT
脚本进行适当的权限更改,然后您的CMD
以非特权用户身份运行。 For example, put the following in entrypoint.sh
:例如,将以下内容放入
entrypoint.sh
:
#!/bin/sh
chown -R appuser:appgroup /path/to/volume
exec runuser -u appuser "$@"
This assumes you have the runuser
command available.这假设您有可用的
runuser
命令。 You can accomplish pretty much the same thing using sudo
instead.您可以使用
sudo
来完成几乎相同的事情。
Use the above script by including an ENTRYPOINT
directive in your Dockerfile:通过在
ENTRYPOINT
中包含ENTRYPOINT
指令来使用上述脚本:
FROM baseimage
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
CMD ["/usr/bin/myapp"]
This will start the container with:这将启动容器:
/bin/sh entrypoint.sh /usr/bin/myapp
The entrypoint script will make the required permissions changes, then run /usr/bin/myapp
as appuser
.入口点脚本将进行所需的权限更改,然后以
appuser
身份运行/usr/bin/myapp
。
There will throw error if host env don't have appuser
or appgroup
, so better to use a User ID instead of user name:如果主机 env 没有
appuser
或appgroup
,则会抛出错误,因此最好使用用户 ID 而不是用户名:
inside your container , run在你的容器内,运行
appuser$ id
This will show:这将显示:
uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
uid=1000(appuser) gid=1000(appuser) 组=1000(appuser)
From host env, run:从主机环境,运行:
mkdir -p /some/folder
chown -R 1000:1000 /some/folder
docker run -v /some/folder:/some/folder [your_container]
inside your container , check在您的容器内,检查
ls -lh
to see the user and group name, if it's not root
, then it's should worked.查看用户和组名,如果它不是
root
,那么它应该可以工作。
In the specific situation of using an image built from a custom Dockerfile, you can do the following (using example commands for a debian image):在使用自定义 Dockerfile 构建的镜像的具体情况下,您可以执行以下操作(使用 debian 镜像的示例命令):
FROM baseimage
...
RUN useradd --create-home appuser
USER appuser
RUN mkdir /home/appuser/my_volume
...
Then mount the volume using然后使用挂载卷
-v /some/folder:/home/appuser/my_volume
Now appuser
has write permissions to the volume as it's in their home directory.现在
appuser
拥有对该卷的写入权限,因为它位于其主目录中。 If the volume has to be mounted outside of their home directory, you can create it and assign appuser
write permissions as an extra step within the Dockerfile.如果卷必须安装在其主目录之外,您可以创建它并分配
appuser
写入权限作为 Dockerfile 中的一个额外步骤。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.