如何让 Docker 容器中的非 root 用户访问安装在主机上的卷
[英]How to give non-root user in Docker container access to a volume mounted on the host
问题描述
I am running my application in a Docker container as a non-root user.
我以非 root 用户身份在 Docker 容器中运行我的应用程序。 I did this since it is one of the best practices.我这样做是因为这是最佳实践之一。 However, while running the container I mount a host volume to it -v /some/folder:/some/folder .但是,在运行容器时,我将主机卷安装到它-v /some/folder:/some/folder 。 I am doing this because my application running inside the docker container needs to write files to the mounted host folder.我这样做是因为我在 docker 容器内运行的应用程序需要将文件写入挂载的主机文件夹。 But since I am running my application as a non-root user, it doesn't have permission to write to that folder但是由于我以非 root 用户身份运行我的应用程序,因此它无权写入该文件夹
Question题
Is it possible to give a nonroot user in a docker container access to the hosted volume?是否可以让 docker 容器中的非 root 用户访问托管卷?
If not, is my only option to run the process in docker container as root?如果没有,我唯一的选择是在 docker 容器中以 root 身份运行进程吗?
3 个解决方案
解决方案1
34 已采纳 2016-09-08 19:10:21
There's no magic solution here: permissions inside docker are managed the same as permissions without docker.这里没有神奇的解决方案:docker 内部的权限管理与没有 docker 的权限相同。 You need to run the appropriate chown and chmod commands to change the permissions of the directory.您需要运行适当的chown和chmod命令来更改目录的权限。
One solution is to have your container run as root and use an ENTRYPOINT script to make the appropriate permission changes, and then your CMD as an unprivileged user.一种解决方案是让您的容器以 root 身份运行并使用ENTRYPOINT脚本进行适当的权限更改,然后您的CMD以非特权用户身份运行。 For example, put the following in entrypoint.sh :例如,将以下内容放入entrypoint.sh :
#!/bin/sh
chown -R appuser:appgroup /path/to/volume
exec runuser -u appuser "$@"
This assumes you have the runuser command available.这假设您有可用的runuser命令。 You can accomplish pretty much the same thing using sudo instead.您可以使用sudo来完成几乎相同的事情。
Use the above script by including an ENTRYPOINT directive in your Dockerfile:通过在ENTRYPOINT中包含ENTRYPOINT指令来使用上述脚本:
FROM baseimage
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
CMD ["/usr/bin/myapp"]
This will start the container with:这将启动容器:
/bin/sh entrypoint.sh /usr/bin/myapp
The entrypoint script will make the required permissions changes, then run /usr/bin/myapp as appuser .入口点脚本将进行所需的权限更改,然后以appuser身份运行/usr/bin/myapp 。
解决方案2
14 2017-08-14 11:16:23
There will throw error if host env don't have appuser or appgroup , so better to use a User ID instead of user name:如果主机 env 没有appuser或appgroup ,则会抛出错误,因此最好使用用户 ID 而不是用户名:
inside your container , run在你的容器内,运行
appuser$ id
This will show:这将显示:
uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
From host env, run:从主机环境,运行:
mkdir -p /some/folder
chown -R 1000:1000 /some/folder
docker run -v /some/folder:/some/folder [your_container]
inside your container , check在您的容器内,检查
ls -lh
to see the user and group name, if it's not root , then it's should worked.查看用户和组名,如果它不是root ,那么它应该可以工作。
解决方案3
2 2021-07-09 09:45:31
In the specific situation of using an image built from a custom Dockerfile, you can do the following (using example commands for a debian image):在使用自定义 Dockerfile 构建的镜像的具体情况下,您可以执行以下操作(使用 debian 镜像的示例命令):
FROM baseimage
...
RUN useradd --create-home appuser
USER appuser
RUN mkdir /home/appuser/my_volume
...
Then mount the volume using然后使用挂载卷
-v /some/folder:/home/appuser/my_volume
Now appuser has write permissions to the volume as it's in their home directory.现在appuser拥有对该卷的写入权限,因为它位于其主目录中。 If the volume has to be mounted outside of their home directory, you can create it and assign appuser write permissions as an extra step within the Dockerfile.如果卷必须安装在其主目录之外,您可以创建它并分配appuser写入权限作为 Dockerfile 中的一个额外步骤。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.