mount directory to container won't work with podman
Since I have Fedora, I tried to run the nginx example from their tutorial, but I couldn't get nginx to show anything.
When I run this container:
podman run --name mynginx1 -p 8080:80 -d nginx
I get the "Welcome to nginx!" page.
But when I try to run the example that mounts a directory:
podman run --name mynginx2 \
--mount type=bind,source=/home/simon/Dokumente/podman/nginx/content,target=/usr/share/nginx/html \
-p 9080:80 -d nginx
I also see the "Welcome to nginx!" page, but I have an index.html file in that source directory.
What is wrong with that container?
When we bind the volume, it loses permission on the path /usr/share/nginx/html. This is because SELinux is enforcing.
mynginx1
root@f3fb6ece7eba:/usr/share/nginx/html# ls
50x.html index.html
mynginx2
root@af0803674402:/usr/share/nginx/html# ls
ls: cannot open directory '.': Permission denied
Check the SELinux policy of the host that runs podman.
$ getenforce
Enforcing
If it is in Enforcing mode, change it to Permissive.
$ sudo setenforce 0
$ getenforce
Permissive
Re-run the mynginx2 container, exec into it and access the contents of /usr/share/nginx/html:
$ podman run --name mynginx2 --mount type=bind,source=/home/tc/q2,target=/usr/share/nginx/html -p 9080:80 -d nginx
7ff2bdfb7ccfc6f90a9bd7957b08e48ea72d7c2303d47d11a412c6c8601976b6
$ podman exec -it mynginx2 bash
root@7ff2bdfb7ccf:/# cd /usr/share/nginx/html/
root@7ff2bdfb7ccf:/usr/share/nginx/html# ls
index.html
$ curl -I -s 127.0.0.1:8080
HTTP/1.1 200 OK
$ curl -I 127.0.0.1:9080
HTTP/1.1 200 OK
You can run the podman command with the --privileged flag to disable host isolation:
$ podman run --name mynginx2 --privileged \
--mount type=bind,source=/home/simon/Dokumente/podman/nginx/content,target=/usr/share/nginx/html \
-p 9080:80 -d nginx
From the podman man page:
--privileged=true|false
Give extended privileges to this container. The default is false.
By default, Podman containers are unprivileged (=false) and cannot,
for example, modify parts of the operating system. This is because by
default a container is only allowed limited access to devices. A
"privileged" container is given the same access to devices as the user
launching the container.
A privileged container turns off the security features that isolate
the container from the host. Dropped Capabilities, limited devices,
read-only mount points, Apparmor/SELinux separation, and Seccomp
filters are all disabled.
Rootless containers cannot have more privileges than the account that
launched them.
Yes, it is indeed the SELinux issue @harik described, but disabling SELinux is not a safe option; instead, apply the Z flag when mounting the volume, which involves applying the proper labels, see here and also here:
podman run --name mynginx2 \
-v /home/simon/Dokumente/podman/nginx/content:/usr/share/nginx/html:Z \
-p 9080:80 -d nginx
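As an added example (not code from the question or from any of the answers above), here is a small POSIX sh pre-flight helper for the approach in this last answer: keep SELinux in Enforcing mode and relabel the bind-mounted directory with :Z (private label) or :z (shared label) instead of running setenforce 0 or adding --privileged. The helper names (context_type, needs_relabel, volume_arg, preflight), the sample SELinux context strings and the paths are all my own assumptions; preflight only prints the podman command, it does not run it.

```shell
#!/bin/sh
# Added example, not from the original question or answers. Pre-flight
# check for a Podman bind mount on an SELinux host: SELinux stays Enforcing
# and the source directory is relabelled with :Z instead of disabling
# confinement. Helper names, sample contexts and paths are constructed.

# Extract the SELinux type (third field) from a full context string such as
# "unconfined_u:object_r:user_home_t:s0" -> "user_home_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True (exit 0) when a directory with this context will be denied to the
# container process. The container domain may access container_file_t,
# which is exactly what :Z and :z assign; a home directory normally carries
# user_home_t, which is what produced "Permission denied" in the question.
# This is a coarse type-only check: :Z additionally assigns per-container
# MCS categories (the "s0:c123,c456" part), so a directory already labelled
# container_file_t for another container can still be denied.
needs_relabel() {
    [ "$(context_type "$1")" != "container_file_t" ]
}

# Build the -v argument. :Z = private label for this container only,
# :z = shared label so several containers can use the same directory.
volume_arg() {
    src=$1; dst=$2; mode=${3:-Z}
    case "$mode" in
        Z|z) printf '%s:%s:%s\n' "$src" "$dst" "$mode" ;;
        *)   echo "volume_arg: relabel mode must be Z or z" >&2; return 1 ;;
    esac
}

# On a live host: read the SELinux mode and the current label of the source
# directory (ls -Zd prints "<context> <path>") and print the podman command
# to run. Hosts without SELinux tooling are treated as Disabled.
preflight() {
    src=$1; dst=$2
    mode=$(getenforce 2>/dev/null || echo Disabled)
    ctx=$(ls -Zd "$src" 2>/dev/null | awk '{print $1}')
    if [ "$mode" = "Enforcing" ] && needs_relabel "$ctx"; then
        echo "# $src is labelled $(context_type "$ctx"); :Z will relabel it" >&2
    fi
    echo "podman run --name mynginx2 -v $(volume_arg "$src" "$dst" Z) -p 9080:80 -d nginx"
}

# Usage (constructed path):
#   preflight /home/simon/Dokumente/podman/nginx/content /usr/share/nginx/html
```

After the container has started, ls -Zd on the source directory shows the type changed to container_file_t with a category pair appended; that is the relabel the Z flag performs, and it is why the container can now read index.html while getenforce still reports Enforcing.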