
Cifs mount in docker container with docker-compose

I want to CIFS-mount a directory into a Docker container. As there are solutions for this, I tried the --privileged flag and setting the capabilities needed:

docker-compose.yaml:

version: '2.0'
services:
  mounttest:
    image: test

    privileged: true
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    
    restart: unless-stopped
    container_name: test
    mem_limit: 500m
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - .:/apps/docker-test/

Dockerfile:

FROM ubuntu:18.04

ADD . /apps/docker-test/

# APT-GET
RUN apt-get update && apt-get install -y \
    sudo \
    cifs-utils

# CHMOD SHELL SCRIPTS
RUN chmod 0755 /apps/docker-test/run.sh
RUN chmod 0755 /apps/docker-test/build.sh

RUN /apps/docker-test/build.sh
CMD bash /apps/docker-test/run.sh

build.sh:

#!/bin/bash
# Runs at image build time (called from the Dockerfile's RUN step)
mkdir -p /test_folder
echo "Mount"
sudo mount -t cifs -o username=XXX,password=XXX,workgroup=XX //server/adress$ /test_folder

run.sh starts a python script

This does not work; instead:

docker-compose build

gives me the error:

Unable to apply new capability set

All the solutions I found only mention the privileged flag or capabilities, which are set. Can anyone help?

This error happens because you're trying to mount a device inside the build step. At this point, these capabilities aren't available for the build container to use, and it seems to be rolling out as a flag for disabling security at buildkit rather than enabling custom capabilities at build time.

The usual way to do that is to have your CIFS mount ready when you start your build process, as it'd not expose any authentication, device or mount point, as well as it's easier for docker to handle changes and react to them (since the build process works hard to cache everything before building it).

If you still want to do that, you'll need a few extra steps to enable the insecure flags from both the buildkitd and the docker buildx:

Mind that, as of today (2020-09-09), the support is still experimental and unforeseen consequences can happen.

  1. Ensure that you're using docker version 19.03 or later.
  2. Enable the experimental features, by adding the key "experimental":"enabled" to your ~/.docker/config.json
  3. Create and use a builder that has the security.insecure entitlement enabled:

     docker buildx create --driver docker-container --name local \
           --buildkitd-flags '--allow-insecure-entitlement security.insecure' \
           --use

  4. Change your Dockerfile to use experimental syntax by adding before your first line:

     # syntax = docker/dockerfile:experimental

  5. Change the Dockerfile instruction so it runs the code without security constraints:

     RUN --security=insecure /apps/docker-test/build.sh

  6. Build your docker image using BuildKit and the --allow security.insecure flag:

     docker buildx build --allow security.insecure .

That way your build will be able to break free of the security constraints. I must reiterate that that's not a recommended practice for a few reasons:

  • It'll expose the building step for other images to escalate that permission hole.
  • The builder cannot properly cache that layer, since it's using insecure features.

Keep that in mind and happy mounting :)

The answer I found is to put the mount command into the run.sh file. As the command (or CMD) in the Dockerfile is only executed when running

docker-compose up

the mount will only be executed after the build, done beforehand, has already finished.

Therefore, before starting the python script, the mount command is executed. In my case, that only worked with the privileged flag set to true.
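As an added example (not the asker's run.sh and not code from either answer), here is a start-time run.sh in the spirit of the second answer: it mounts the share when the container starts rather than at build time, reads the username and password from a credentials file through mount.cifs's credentials= option instead of placing them on the command line (where they would be visible in process listings and in the image history), refuses credential files that other users can read, verifies the mount with mountpoint before starting the application, and is idempotent across container restarts. The share path, mount point, credentials path and the python entry point are assumptions, taken from environment variables.

```shell
#!/bin/bash
# Added example, not the original poster's run.sh. Mounts a CIFS share at
# container start and then execs the application. Assumed configuration:
#   CIFS_SHARE        UNC path, e.g. //server/share (required to do anything)
#   CIFS_MOUNTPOINT   mount point, default /test_folder
#   CIFS_CREDENTIALS  credentials file, default /run/secrets/cifs_creds
set -eu

# Build the option string for `mount -t cifs` from a credentials file so the
# username/password never appear on the command line.
# Usage: cifs_mount_opts <credentials-file> [extra,mount,opts]
cifs_mount_opts() {
    cred_file="$1"
    extra="${2:-}"
    # mount.cifs itself accepts world-readable credential files; refuse them
    # here so a misconfigured bind mount or secret is caught at start-up.
    mode=$(stat -c '%a' "$cred_file")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "credentials file $cred_file has mode $mode; expected 600 or 400" >&2
        return 1
    fi
    opts="credentials=${cred_file},vers=3.0,file_mode=0644,dir_mode=0755"
    if [ -n "$extra" ]; then
        opts="${opts},${extra}"
    fi
    printf '%s' "$opts"
}

# Mount the share once, idempotently: succeed immediately if already mounted,
# otherwise mount and verify that the mount point is now a mount.
# Usage: mount_share <unc-path> <mountpoint> <credentials-file>
mount_share() {
    share="$1"
    target="$2"
    cred="$3"
    mkdir -p "$target"
    if mountpoint -q "$target"; then
        echo "$target already mounted"
        return 0
    fi
    opts=$(cifs_mount_opts "$cred") || return 1
    # Needs CAP_SYS_ADMIN in the container (the asker needed privileged: true).
    mount -t cifs -o "$opts" "$share" "$target"
    mountpoint -q "$target"
}

# Entry point: only acts when CIFS_SHARE is set, so the functions above can be
# sourced or tested without touching the host.
if [ -n "${CIFS_SHARE:-}" ]; then
    mount_share "$CIFS_SHARE" \
                "${CIFS_MOUNTPOINT:-/test_folder}" \
                "${CIFS_CREDENTIALS:-/run/secrets/cifs_creds}"
    # Hypothetical application entry point; replace with the real script.
    exec python3 /apps/docker-test/main.py
fi
```

The credentials file has the usual mount.cifs layout (username=, password=, domain= lines) and can be delivered to /run/secrets/cifs_creds with a docker-compose `secrets:` entry or a read-only bind mount with mode 0600; the compose service still needs SYS_ADMIN (or, as the asker found, privileged: true) for the mount syscall, and the script exits non-zero, so the container does not start the application, whenever the mount cannot be verified.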
