Docker主机安装的卷权限
[英]Docker host-mounted volume permissions
问题描述
In our internal testing environment we provision CentOS VMs from a vSphere-based server. 
在我们的内部测试环境中,我们从基于vSphere的服务器中配置CentOS VM。 The images are vanilla 7.1 with packages and associated configuration to support authentication via LDAP. 这些图像是带有包和相关配置的vanilla 7.1,以支持通过LDAP进行身份验证。 I have Docker 1.13.1 installed with OverlayFS driver on an xfs filesystem. 我在xfs文件系统上安装了带有OverlayFS驱动程序的Docker 1.13.1。
FROM centos:7
RUN useradd dockeruser
USER dockeruser
VOLUME /data
On the host: 在主持人:
mkdir data
echo "hello from host" > data/host-msg.txt
docker run -ti --rm -v $(pwd)/data:/data testimage bash
Inside the container: 在容器内:
echo "hello from container" > /data/container-msg.txt
bash: /data/container-msg.txt: Permission denied
Listing the directory contents inside the container: 在容器中列出目录内容:
drwxr-xr-x 2 12345 13000 25 Feb 12 21:36 data
drwxr-xr-x 5 root root 360 Feb 12 21:36 dev
drwxr-xr-x 1 root root 62 Feb 12 21:36 etc
The data directory shows the ownership in uid/gid format rather than username/groupname. data目录以uid / gid格式显示所有权,而不是username / groupname。
I have read many articles and questions describing this behavior and various strategies to workaround . 我看了很多文章,描述这种行为的问题和不同的 策略来解决办法 。
But . 但是 。 On my local Fedora 25 development system I get none of this behavior. 在我当地的Fedora 25开发系统中,我没有这种行为。 I perform the procedure above, am able to write to the host-mounted /data mount, and the directory listing displays username/groupname. 我执行上面的过程,能够写入主机挂载/数据挂载,目录列表显示用户名/组名。
/
drwxrwxr-x 2 dockeruser dockeruser 4096 Feb 12 04:36 data
drwxr-xr-x 5 root root 360 Feb 12 22:00 dev
drwxr-xr-x 1 root root 4096 Feb 12 22:00 etc
/data
-rw-rw-r-- 1 dockeruser dockeruser 21 Feb 12 22:04 container-msg.txt
To make everything as similar as possible to the lab configuration I stood up a CentOS 7.1 VM on my dev system via libvirt and again got the same results -- no messing with uid/gid mapping, user namespaces, nothing. 为了使一切尽可能与实验室配置相似,我通过libvirt在我的开发系统上建立了一个CentOS 7.1 VM,并再次得到了相同的结果 - 没有弄乱uid / gid映射,用户命名空间,什么都没有。 Writing to the host mounted volume from inside the container Just Worked, out of the box. 从容器内部写入主机安装的卷Just Worked,开箱即用。
What could possibly account for this behavior? 有什么可能解释这种行为? Is the LDAP on the lab VM somehow introducing permission issues at the filesystem level? 实验室VM上的LDAP是否以某种方式在文件系统级别引入权限问题? is there something specific I could ask our ops team to either inspect or temporarily disable to try and troubleshoot this issue? 有什么具体的东西,我可以要求我们的运营团队检查或暂时禁用尝试解决此问题?
Finally and perhaps most important, if permissions issues on host-mounted volumes don't seem to be issues at all for me either on a clean CentOS or Fedora Workstation then why does it still continue to be a thing in the Docker community? 最后也许是最重要的一点,如果主机安装卷上的权限问题对于我来说在一个干净的CentOS或Fedora工作站上似乎根本不是问题那么为什么它仍然是Docker社区中的一个东西呢? Is there some configuration in these setups that is so fundamentally different from what everyone else is using (my team's lab VMs included) that things just work? 这些设置中是否有一些配置与其他人使用的配置(包括我的团队的实验室虚拟机)根本不同,事情才有效?
1 个解决方案
解决方案1
0 2017-02-13 05:14:03
The data directory shows the ownership in uid/gid format rather than username/groupname.
This is because your container does not have a mapping for this uid/guid (check /etc/passwd). 这是因为您的容器没有此uid / guid的映射(检查/ etc / passwd)。 In fact, the actually files have uid/guid always . 实际上,实际文件总是有uid / guid。 It's just a function of the application/os to give back the names. 它只是应用程序/操作系统的一个功能,可以返回名称。 Try to stat the path from inside/outside container. 尝试从容器内部/外部stat路径。 They should have same uid/guid 他们应该有相同的uid / guid
stat /data
stat /path/on/host
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.