[英]Docker access permissions on mounted volumes. Why do they belong to root?
I've set up Docker to run as a non-root user . 我已经将Docker设置为以非root用户身份运行。 Now I can start my containers as an ordinary user and I feel more comfortable.
现在,我可以以普通用户的身份启动容器了,我感觉更加舒适。
me@machine:~$ docker run -it -v ~/test:/test alpine:3.6 sh
/ # touch /test/test1
Meanwhile on the host: 同时在主机上:
me@machine:~$ ls -l ~/test/
total 0
-rw-r--r-- 1 root root 0 Jul 31 15:50 test1
Why do the files belong to root
? 为什么文件属于
root
? How can I make them and all created files in the container belong to me
? 如何使它们和容器中所有创建的文件属于
me
?
Interesting fact: This happens on Debian Linux. 有趣的事实:这在Debian Linux上发生。 Contrary, doing the same on a Mac, the created files would belong to
me
. 相反,在Mac上执行相同的操作,创建的文件将属于
me
。
Mac OS Docker and Linux Docker have lot of changes in behavior. Mac OS Docker和Linux Docker在行为上有很多变化。 So ignore that part.
因此,请忽略该部分。 Focus on the side of Linux.
专注于Linux方面。
What you did using https://docs.docker.com/engine/installation/linux/linux-postinstall/#manage-docker-as-a-non-root-user
basically just means that a non-root user has access to the docker group. 您使用
https://docs.docker.com/engine/installation/linux/linux-postinstall/#manage-docker-as-a-non-root-user
所做的操作基本上只是意味着非root用户可以访问码头工人组。 Through that docker group you are able to execute docker command. 通过该docker组,您可以执行docker命令。 But docker daemon is still running as root user.
但是docker daemon仍以root用户身份运行。
That you can confirm by running 您可以通过运行来确认
ps aux | grep dockerd
And when you do a volume mapping, the directory gets created by docker, which eventually has root user permission. 而且,当您执行卷映射时,该目录由docker创建,该目录最终具有root用户权限。 What you are looking for has been launched very recently as
Docker user namespaces
. 您正在寻找的内容最近已作为
Docker user namespaces
。 Please read the details on below URL 请阅读以下网址的详细信息
https://success.docker.com/KBase/Introduction_to_User_Namespaces_in_Docker_Engine https://success.docker.com/KBase/Introduction_to_User_Namespaces_in_Docker_Engine
This will guide you how to run your docker containers with a mapped user instead of root. 这将指导您如何使用映射用户而不是root用户运行docker容器。 In short create/update
/etc/docker/daemon.json
file to have below content 简而言之,创建/更新
/etc/docker/daemon.json
文件以包含以下内容
/etc/docker/daemon.json /etc/docker/daemon.json
{
"userns-remap": "<a non root user>"
}
And restart the docker service. 并重新启动docker服务。 Now your docker containers inside will think they have root privileges but they would run as a non-root user on host
现在,您内部的Docker容器将认为它们具有root特权,但它们将以非root用户身份在主机上运行
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.