Permission denied in containers after moving docker home
Initially the docker filesystem was located at /var/lib/docker and everything worked fine, but because of some space constraints we had to move it to /Proj/docker, and the docker service is running:
Active: active (running) since Thu 2019-03-28 09:36:59 UTC; 22h ago
Docs: https://docs.docker.com
Main PID: 27007 (dockerd)
Tasks: 27
Memory: 726.5M
CGroup: /system.slice/docker.service
└─27007 /usr/bin/dockerd --selinux-enabled -g /Proj/docker
But after that I get permission denied:
[user@host]# sudo docker run -it oraclelinux:7-slim bash
bash-4.2# ls
ls: cannot open directory : Permission denied
**unless I am running with the privileged flag set to true**
[user@host]# sudo docker run -it --privileged=true oraclelinux:7-slim bash
bash-4.2# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
Can you please help to resolve this?
Please find additional info below:
[user@host ~]$ systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/docker.service.d
└─docker-sysconfig.conf, https-proxy.conf
Active: active (running) since Thu 2019-03-28 09:36:59 UTC; 1 day 2h ago
Docs: https://docs.docker.com
Main PID: 27007 (dockerd)
Tasks: 27
Memory: 726.9M
CGroup: /system.slice/docker.service
└─27007 /usr/bin/dockerd --selinux-enabled -g /Proj/docker
[user@host ~]$ cat /etc/systemd/system/docker.service.d/docker-sysconfig.conf
[Service]
ExecStart=
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
ExecStart=/usr/bin/dockerd \
$OPTIONS \
$DOCKER_STORAGE_OPTIONS \
$DOCKER_NETWORK_OPTIONS \
$INSECURE_REGISTRY \
-g /Proj/docker
[user@host ~]$ cat /etc/systemd/system/docker.service.d/https-proxy.conf
[Service]
Environment="HTTPS_PROXY=http://proxyip:port"
[user@host~]# ls -lrth /Proj/docker
total 56K
drwx------. 4 root root 4.0K Mar 22 07:42 plugins
drwx------. 3 root root 4.0K Mar 22 07:42 image
drwx------. 2 root root 4.0K Mar 22 07:42 volumes
drwx------. 2 root root 4.0K Mar 22 07:42 trust
drwxr-x---. 3 root root 4.0K Mar 22 07:42 network
drwx------. 2 root root 4.0K Mar 22 07:42 swarm
drwx------. 2 root root 4.0K Mar 22 07:42 builder
drwx------. 4 root root 4.0K Mar 22 07:42 buildkit
drwx------. 2 root root 4.0K Mar 28 09:36 runtimes
drwx------. 2 root root 4.0K Mar 28 13:02 tmp
drwx------. 33 root root 12K Mar 29 07:45 overlay2
drwx------. 6 root root 4.0K Mar 29 07:45 containers
We also changed the docker graph, so what we did on RedHat 7.6 was the following:
- stop dockerd
- move everything from /var/lib/docker to /Docker/Storage
- change the config in /etc/docker/daemon.json:
{
"graph":"/Docker/Storage"
}
- and in:
/usr/lib/systemd/system/docker.service:
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd://
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
- then systemctl daemon-reload
- finally systemctl start dockerd
Hope this helps.
As you pointed out in the comments, this happens when the SELinux rules end up creating the container folders (in your case they would be under /Proj/docker/containers) with the wrong permissions.
Following the advice outlined in this answer, the fix could be to run
chcon -Rt svirt_sandbox_file_t /Proj/docker
- When copying, use the "-p" option to preserve attributes. This solved the problem on my side.
- Make sure your destination partition does not have the "nosuid" option set. Check /etc/fstab. Otherwise you will run into other permission problems. https://github.com/wodby/docker4drupal/issues/388
Now all permission problems are solved.
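A pre-flight check that combines the two points made in the answers above (the SELinux label on the relocated data root, and no nosuid on the mount that holds it), written as an added example that is not part of this thread. It assumes the /Proj/docker data root from the question, that stat -c %C and /proc/mounts are available on the host, and the parsing functions are exercised on a constructed /proc/mounts sample embedded in the script.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a relocated Docker data root (added example, not from the thread).
# The parsing functions take text so they run on constructed input; check_data_root is live.
# Exit 0 if the SELinux type in a context string is one containers may access:
# svirt_sandbox_file_t (as in the thread) or its newer alias container_file_t.
selinux_type_ok() {
    case "$(printf '%s' "$1" | cut -d: -f3)" in
        svirt_sandbox_file_t|container_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the options of the mount holding PATH ($1) from /proc/mounts text ($2).
# The longest matching mountpoint wins, so /Proj beats / for /Proj/docker.
mount_opts_for() {
    local path="$1" best="" best_opts="" mp opts
    while read -r _dev mp _fstype opts _rest; do
        if [ -n "$mp" ] && { [ "$mp" = / ] || [ "$path" = "$mp" ] || [ "${path#"$mp"/}" != "$path" ]; }; then
            if [ "${#mp}" -ge "${#best}" ]; then best=$mp; best_opts=$opts; fi
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$best_opts"
}

# Exit 0 if the mount holding PATH ($1) carries nosuid (mounts text in $2).
mount_has_nosuid() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: SELinux context (stat %C) and nosuid state of the mount holding ROOT ($1).
check_data_root() {
    local root="$1" rc=0 ctx; ctx=$(stat -c %C "$root" 2>/dev/null || echo '?')
    if selinux_type_ok "$ctx"; then echo "ok:   $root labelled $ctx"; else
        echo "FAIL: $root is '$ctx'; fix: chcon -Rt svirt_sandbox_file_t $root"; rc=1; fi
    if mount_has_nosuid "$root" "$(cat /proc/mounts)"; then
        echo "FAIL: filesystem holding $root is mounted nosuid (check /etc/fstab)"; rc=1
    else echo "ok:   no nosuid on the mount holding $root"; fi
    return $rc
}

# Constructed /proc/mounts sample: /Proj is nosuid, / and /Projects are not.
SAMPLE_MOUNTS='/dev/sda1 / xfs rw,relatime 0 0
/dev/sdb1 /Proj xfs rw,nosuid,relatime 0 0
/dev/sdc1 /Projects ext4 rw,relatime 0 0'
if [ -n "${1:-}" ]; then check_data_root "$1"; fi
```

Run it as `./check.sh /Proj/docker` on the host after the move; a FAIL line names the fix from the corresponding answer.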