Shulou(Shulou.com)06/01 Report--

This article mainly introduces Docker Volume's permission management example analysis, the article is very detailed, has a certain reference value, interested friends must read it!

Volume is an important concept in Docker. A data volume is a special catalog available to one or more containers that provides valuable features for container application storage:

Decouple persistent data from container lifecycle: the contents of a data volume can be preserved after container deletion. Named volumes introduced after Docker 1.9 make it easier to manage the lifecycle of data volumes; data volumes can be created and deleted independently.

Data volumes can be used to enable data sharing between containers

Can support different types of data storage implementations

Docker default provides support for host local file volumes, which can mount host directories into containers. Without the performance penalty associated with container hierarchical file systems, local file volumes are ideal for scenarios requiring high-performance data access, such as MySQL database file storage. Docker supports different types of data volumes through volume plugins, which can more flexibly address the storage requirements of different application loads. For example, in Alibaba Cloud Kubernetes Engine, cloud disk-based block storage, OSSFS and NAS/NFS based shared file storage can be provided for containers.

However, permissions management for Docker volumes is often confusing. This article will introduce common problems and solutions in Docker volume permission management with examples.

Start with Jenkins mount local volumes error

A recent colleague ran into a problem with Jenkins using containers, and the steps to reproduce it were as follows:

Note: Windows/Mac requires logging onto the Boot2docker virtual machine, but Linux does not.

docker-machine ssh default

Start Jenkins official mirror and check logs

docker run -d -p 8080:8080 -p 50000:50000 --name jenkins jenkinsdocker logs jenkins

We can see that the "jenkins" container log shows that everything is fine

However, in order to persist Jenkins configuration data, when we mount the data folder in the host's current directory to the directory "/var/jenkins_home" in the container, the problem arises:

docker rm -f jenkinsdocker run -d -p 8080:8080 -p 50000:50000 -v $(pwd)/data:/var/jenkins_home --name jenkins jenkinsdocker logs jenkins

The error log is as follows

touch: cannot touch '/var/jenkins_home/copy_reference_file.log': Permission denied

Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?

What was going on?

Let's check the "/var/jenkins_home" directory permissions of the previous boot mode to see the current user of the Jenkins container: the current user is "jenkins" and the "/var/jenkins_home" directory belongs to the jenkins user

docker@default:~$ docker run -ti --rm --entrypoint="/bin/bash" jenkins -c "whoami && id"jenkinsuid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)docker@default:~$ docker run -ti --rm --entrypoint="/bin/bash" jenkins -c "ls -la /var/jenkins_home"total 20drwxr-xr-x 2 jenkins jenkins 4096 Jun 5 08:39 .drwxr-xr-x 28 root root 4096 May 24 16:43 ..- rw-r--r-- 1 jenkins jenkins 220 Nov 12 2014 .bash_logout-rw-r--r-- 1 jenkins jenkins 3515 Nov 12 2014 .bashrc-rw-r--r-- 1 jenkins jenkins 675 Nov 12 2014 .profile

When mapping local volumes, the owner of/var/jenkins_home becomes root

docker run -ti --rm -v $(pwd)/data:/var/jenkins_home --entrypoint="/bin/bash" jenkins -c "ls -la /var/jenkins_home"total 4drwxr-sr-x 2 root staff 40 Jun 5 08:32 .drwxr-xr-x 28 root root 4096 May 24 16:43 ..

This explains why the Permission denied problem occurs when the user "jenkins" processes access the "/var/jenkins_home" directory

Let's check the data volume directory on the host again. The owner of the "data" directory under the current path is "root", which is because this directory is created by default by Docker process.

docker@default:~$ ls -la datatotal 0drwxr-sr-x 2 root staff 40 Jun 5 08:32 ./ drwxr-sr-x 5 docker staff 160 Jun 5 08:32 ../

Once the problem is identified, the solution is simple: assign the owner of the current directory to uid 1000, start the "jenkins" container and everything will be fine.

sudo chown -R 1000 datadocker start jenkins

At this point, visit http://192.168.99.100:8080/with your browser to see Jenkins 'Web interface. Note: If you cannot access it, you may need to obtain the IP address of the current Docker host via the docker-machine ip command.

When we look inside the container to see permissions for the directory "/var/jenkins_home", its owner has changed to "jenkins"

docker@default:~$ docker exec jenkins ls -la /var/jenkins_hometotal 24drwxr-sr-x 11 jenkins staff 340 Jun 5 09:00 .drwxr-xr-x 28 root root 4096 May 24 16:43 .. drwxr-sr-x 3 jenkins staff 60 Jun 5 08:59 .java-rw-r--r-- 1 jenkins staff 289 Jun 5 08:59 copy_reference_file.log...

What's interesting is that on the host we see that the "data" directory is owned by "docker", because the uid of the "docker" user on the "boot2docker" host is also "1000".

docker@default:~$ ls -la datatotal 20drwxr-sr-x 2 docker staff 40 Jun 5 11:55 ./ drwxr-sr-x 6 docker staff 180 Jun 5 11:55 ../...

At this point, we already know that the permissions of files/directories in the local data volume of the container are the same as those on the host, except that uid/gid may be mapped to different user/group names in Docker container and host.

Above, we used a common trick of executing chown on the host with uid instead of a specific username to ensure that the owner is set correctly.

Although the problem has been solved, the thinking has not ended. Because Jenkins containers rely on the correctness of host directory permissions when using local data volumes, this adds extra work to automated deployments. Is there a way for Jenkins containers to automatically set the correct permissions for volumes? This problem also has implications for many applications that run in a non-root mode.

Properly mount local volumes for non-root applications

We can find a lot of discussion on this topic at the omnipotent stackoverflow.com, one of which is very instructive.

http://stackoverflow.com/questions/23544282/what-is-the-best-way-to-manage-permissions-for-docker-shared-volumes

There are two basic ideas:

One is to share data volumes between containers using the Data Container approach. This circumvents the problem of resolving permissions on the data volume on the host. Since Docker provides named volumes instead of pure data containers after version 1.9, we still need to really fix this problem.

Another idea is to start the container as root, use the "chown" command in the container startup script to correct the data volume file permissions, and then switch to non-root to execute the program

Let's look at the second way to solve this problem.

Here's a Dockerfile based on Jenkins mirror: it switches to "root" and adds the command "gosu" to the mirror, along with the new entry point "/entrypoint.sh"

FROM jenkins:latestUSER rootRUN GOSU_SHA=5ec5d23079e94aea5f7ed92ee8a1a34bbf64c2d4053dadf383992908a2f9dc8a \ && curl -sSL -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/1.9/gosu-$(dpkg --print-architecture)" \ && chmod +x /usr/local/bin/gosu \ && echo "$GOSU_SHA /usr/local/bin/gosu" | sha256sum -c - COPY entrypoint.sh /entrypoint.shENTRYPOINT ["/entrypoint.sh"]

Note: gosu is a gadget that often appears in official Docker images. It is a lightweight alternative to the "su" and "sudo" commands and solves some of their problems in tty and signaling.

The new entry point "entrypoint.sh" reads as follows: it sets the "jenkins" ownership permission for the "JENKINS_HOME" directory and switches to the "jenkins" user to execute the "jenkins" application using the "gosu" command.

#! /bin/bashset -echown -R 1000 "$JENKINS_HOME"exec gosu jenkins /bin/tini -- /usr/local/bin/jenkins.sh

You can get the code directly from https://github.com/denverdino/docker-jenkins and build your own Jenkins image. The executive orders are as follows:

git clone https://github.com/AliyunContainerService/docker-jenkinscd docker-jenkins/jenkinsdocker build -t denverdino/jenkins .

Then start Jenkins container based on new image

docker rm -f jenkinsdocker run -d -p 8080:8080 -p 50000:50000 -v $(pwd)/data:/var/jenkins_home --name jenkins denverdino/jenkins The above is "Docker Volume permissions management example analysis" All the content of this article, thank you for reading! Hope to share the content to help everyone, more relevant knowledge, welcome to pay attention to the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.