共享主机驱动器安装到两个Docker容器的权限问题

Question

Given I have 2 containers, Weblogic and Tomcat.

Weblogic runs under oracle user, Tomcat runs under root user.

I use the same volume mapping for both services, so that application deployed in Tomcat orchestrates business process in which application deployed in Weblogic saves files to that shared folder.

I came across the issue with permissions because Tomcat runs under root (creates directory structure with root owner and group) and Weblogic running under oracle can't save files.

What is the best way to handle shared host data folder between two containers and avoid problems with permissions?

Answer 1

The unix/linux solutions to this are to use either:

1. The same UID and open permissions on the user
2. The same GID and open permissions on the group
3. None of the above and open permissions for everyone

These options all apply identically for apps running inside of containers.

The third option is least ideal since it allows anyone on the host to modify these files. However, implementing it is a quick chmod -R 777 dir and updating the umask to be 000 for any apps that create files in that directory.

That leaves option 1 or 2. Option 1 means either dropping root for Tomcat, or running Weblogic as root, the former being preferred but may not be possible depending on the app.

If option 1 isn't possible, try using a common group between the two apps. Add the users to the same GID in both images, and in your directory, change the group to that common GID and set the group sticky bit in your permissions to ensure every file in that directory are also created as that group.

chgrp $gid dir
chmod g+s dir