[英]Permission denied: Shared volume write and Read failing on Github Actions
[英]Permission denied when python app tries to write log file into shared volume in docker
我正在尝试编写一个简单的 python 应用程序以使用非 root 用户在 docker 中运行,并且我想登录日志文件的共享卷。
docker-compose.yml
version: '3.7'
services:
testapp:
hostname: pythonapp
container_name: pythonapp
build:
context: .
dockerfile: Dockerfile
environment:
- TZ=Europe/Rome
ports:
- "8080:8080"
volumes:
- ./log:/home/pythonapp/src/log
docker 构建文件
FROM python:3
# set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1
# Create a user with given UID.
RUN useradd -m -u 5000 pythonapp
USER pythonapp
RUN id
RUN mkdir -p /home/pythonapp/src/log
RUN chown -R pythonapp:pythonapp /home/pythonapp
WORKDIR /home/pythonapp/src
## copy from host to container files
COPY --chown=pythonapp:pythonapp . .
## install dependencies
RUN pip install --user --upgrade pip
RUN pip install --user -r requirements.txt
CMD ["python", "/home/pythonapp/src/pythonapp.py", "-p", "8080"]
在构建图像之前,我在主机中创建了日志文件夹。
mkdir log
ls -la
>>> drwxrwxr-x 2 tabita tabita 4096 ott 2 19:16 log
setfacl -m u:5000:rwx ./log
ls -la
>>> drwxrwxr-x+ 2 tabita tabita 4096 ott 2 19:16 log
getfacl log/
>>># file: log/
# owner: tabita
# group: tabita
user::rwx
user:5000:rw-
group::rwx
mask::rwx
other::r-x
然后我使用 docker-compose 创建了图像
docker-compose -f docker-compose.yml up --build -v
但是,我在这里收到错误
pythonapp | /home/pythonapp/src
pythonapp | pythonapp
pythonapp | uid=5000(pythonapp) gid=5000(pythonapp) groups=5000(pythonapp)
pythonapp | Traceback (most recent call last):
pythonapp | File "/home/pythonapp/src/ssh_honeypot.py", line 28, in <module>
pythonapp | logging.basicConfig(
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 2003, in basicConfig
pythonapp | h = FileHandler(filename, mode,
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 1146, in __init__
pythonapp | StreamHandler.__init__(self, self._open())
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 1175, in _open
pythonapp | return open(self.baseFilename, self.mode, encoding=self.encoding,
pythonapp | PermissionError: [Errno 13] Permission denied: '/home/pythonapp/src/log/pythonapp.log'
pythonapp exited with code 1
调试
我试图进入容器并在日志文件夹中创建一个文件。 我可以创建一个,但从主机系统看不到创建的文件。
请你帮助我好吗?
我用这个脚本试过你的文件:
# pythonapp.py
with open('/home/pythonapp/src/log/test.txt', 'w') as f:
f.write("Hello world!")
仅当x
访问权限被授予用户5000
时,它才能很好地工作。
通过日志目录访问 go 需要此权限。
关于你的output,权限目前是rw-
getfacl log/
>>># file: log/
...
user:5000:rw-
...
由于你的程序看起来很准确,你能不能再试一次:
日志在我的工作目录下
UID:5000
的用户添加权限: setfacl -mu:5000:rwx log
rwx
是必需的
我认为 --tabular 是查看 ACL 权限的好选择
getfacl --tabular log # file: log USER <myuser> rwx user 5000 rwx GROUP <myuser> rwx mask rwx other rx
docker-compose up --build
Step 13/13: CMD ["python", "/home/pythonapp/src/pythonapp.py", "-p", "8080"] ---> Using cache ---> fcd2afb9f961 Successfully built fcd2afb9f961 Successfully tagged so_testapp:latest Starting pythonapp... done Attaching to pythonapp pythonapp exited with code 0
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.