运行 collectstatic 时,django Docker 容器内的 mkdir 权限被拒绝

Permission denied on mkdir inside of a django Docker container when running collectstatic

我修改了 django-cookiecutter 默认生产模板,使 caddy 网络服务器提供静态文件。我正在使用卷通过主机 ./static 目录映射 djangocaddy 容器中的 ./static 目录,但是我docker 在尝试创建 ./static.

的子文件夹时执行 python manage.py collectstatic --noinput 时出现权限错误

但是,如果我不切换到 django 容器的 Dockerfile 中的 django 用户,因此以 root 身份执行 collectstatic,一切正常。我猜容器中的 django 用户不允许写入主机目录,即使 chown -R django /app/static 已成功执行。

Traceback (most recent call last):
File "/app/manage.py", line 30, in <\module>
execute_from_command_line(sys.argv)
...
File "/usr/local/lib/python3.6/site-packages/collectfast/management/commands/collectstatic.py", line 111, in copy_file
self.do_copy_file(args)
File "/usr/local/lib/python3.6/site-packages/collectfast/management/commands/collectstatic.py", line 100, in do_copy_file
path, prefixed_path, source_storage)
File "/usr/local/lib/python3.6/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 354, in copy_file
self.storage.save(prefixed_path, source_file)
File "/usr/local/lib/python3.6/site-packages/django/core/files/storage.py", line 49, in save
return self._save(name, content)
File "/usr/local/lib/python3.6/site-packages/django/core/files/storage.py", line 236, in _save
os.makedirs(directory)
File "/usr/local/lib/python3.6/os.py", line 220, in makedirs
mkdir(name, mode)
PermissionError:
[Errno 13] Permission denied: '/app/static/sass'

我在主机内部尝试了 chown -R systemd-timesync:root static,预先在主机内部以 root 身份创建了 ./static 文件夹,并将 RUN mkdir /app/static && chown -R django /app/static 添加到 Django 容器的 Dockerfile(以容器的根用户身份执行)。

docker-compose.yml

version: '3'

volumes:
  production_postgres_data: {}
  production_postgres_data_backups: {}
  production_caddy: {}

services:
  django:
    build:
      context: .
      dockerfile: ./compose/production/django/Dockerfile
    volumes:
      - ./static:/app/static
    depends_on:
      - postgres
      - redis
    env_file:
      - ./.envs/.production/.django
      - ./.envs/.production/.postgres
    command: /start

  postgres:
    build:
      context: .
      dockerfile: ./compose/production/postgres/Dockerfile
    volumes:
      - production_postgres_data:/var/lib/postgresql/data
      - production_postgres_data_backups:/backups
    env_file:
      - ./.envs/.production/.postgres

  caddy:
    build:
      context: .
      dockerfile: ./compose/production/caddy/Dockerfile
    depends_on:
      - django
    volumes:
      - production_caddy:/root/.caddy
      - ./static:/srv/static
    env_file:
      - ./.envs/.production/.caddy
    ports:
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"

  redis:
    image: redis:3.2

django 容器 Dockerfile

FROM nickgryg/alpine-pandas

ENV PYTHONUNBUFFERED 1

RUN apk update \
  # psycopg2 dependencies
  && apk add --virtual build-deps gcc python3-dev musl-dev \
  && apk add postgresql-dev \
  # Pillow dependencies
  && apk add jpeg-dev zlib-dev freetype-dev lcms2-dev openjpeg-dev tiff-dev tk-dev tcl-dev \
  # CFFI dependencies
  && apk add libffi-dev py-cffi \
  # lxml dependencies
  && apk add libxml2-dev libxslt-dev

RUN addgroup -S django \
    && adduser -S -G django django

# Requirements are installed here to ensure they will be cached.
COPY ./requirements /requirements
RUN pip install --no-cache-dir -r /requirements/production.txt \
    && rm -rf /requirements

COPY ./compose/production/django/entrypoint /entrypoint
RUN sed -i 's/\r//' /entrypoint
RUN chmod +x /entrypoint
RUN chown django /entrypoint

COPY ./compose/production/django/start /start
RUN sed -i 's/\r//' /start
RUN chmod +x /start
RUN chown django /start

COPY . /app

RUN chown -R django /app

USER django

WORKDIR /app

ENTRYPOINT ["/entrypoint"]

django 容器启动脚本

#!/bin/sh

set -o errexit
set -o pipefail
set -o nounset

python /app/manage.py collectstatic --noinput
/usr/local/bin/gunicorn config.wsgi --bind 0.0.0.0:5000 --chdir=/app

我不希望我的容器以 root 身份执行,所以我正在寻找任何解决方案/想法。

除了以 root 执行 collectstatic 之外,终于找到了解决方法。 正如我所怀疑的,问题出在 docker 的权限中,我们应该授予 Docker 在 /static 文件夹中创建文件夹的权限,该文件夹由 django 中的 django 用户拥有 Docker 容器。我们可以做到这一点,知道 userId 在主机系统和容器之间是相同的,通过 运行ning

docker-compose run django id -u django

输出系统中django用户的userId。例如,uid100。然后 运行 (不确定 gid,但当 gid = uid + 1 时有效)

chown -R 100:101 /static

如果我们 运行 ls -lh,我们可以看到 static 文件夹归 systemd-network 所有,这是一个 Docker 用户映射到uid = 100

drwxr-xr-x  4 root            root            4.0K Sep 27 11:23 compose
drwxr-xr-x  3 root            root            4.0K Nov 27 12:09 config
drwxr-xr-x  3 root            root            4.0K Nov 14 02:04 docs
drwxr-xr-x  2 root            root            4.0K Sep 27 11:23 locale
-rwxr-xr-x  1 root            root            1.1K Sep 27 12:56 manage.py
...
drwxr-xr-x 11 systemd-network systemd-journal 4.0K Nov 21 22:15 static
drwxr-xr-x  2 root            root            4.0K Nov 27 13:37 utils

应该可以解决问题。请注意,重建 django 的容器 uid 后,用户可能会发生变化,并且错误会再次出现,因此您必须重复此操作。

欢迎大家对Docker的工作原理多了解一点,解释一下这里发生了什么,我会采纳他的回答。