How to list Docker mounted volumes from within the container
I would like to list all the container directories that are mounted volumes.
That is, to be able to get information similar to what I get from
docker inspect --format "{{ .Volumes }}" <self>
but from inside the container, and without having Docker installed in it.
I tried cat /proc/mounts, but could not find a suitable filter.
As you can read in many comments, a container is, at its core, just a restricted, reserved part of the resources, completely separated from the rest of the machine. It does not know that it is Docker, and inside the container everything behaves as if it were a separate machine. A bit like the Matrix, I guess ;)
You have access to the host's kernel and its resources, but again restricted to a filtered set. This is done with the awesome "cgroups" feature that comes with the Unix/Linux kernel.
Good news: there are several ways to provide information to your Docker, but it is something you have to provide and build yourself.
The easiest and most powerful way is to mount the Unix socket located on the host at /var/run/docker.sock
into the container at the same location. That way, when you use the Docker client inside the container, you talk directly to the docker engine on the host.
However, with great power comes great responsibility. This is a nice setup, but it is not very secure. Once someone manages to get into your docker, they can get root access to your host system this way.
A better approach is to provide the list of mounts via environment settings, or to stick to some made-up convention so that the mounts can be predicted.
(Did you know there is a parameter for mounts that gives a mount an alias inside your Docker?)
(Edit - this may no longer apply to Mac) If your Docker host is OS X, mounted volumes will be of type osxfs (or fuse.osxfs). You can run
mount | grep osxfs | awk '{print }'
and get a list of all mounted volumes.
If your Docker host is Linux (at least Ubuntu 14+, maybe others), the volumes all appear to be on /dev
, but not on a device that exists in the container's /dev
filesystem. The volumes will sit alongside /etc/resolv.conf
, /etc/hostname
and /etc/hosts
. If you start with mount | grep ^/dev
, then filter out any files that appear in ls /dev/*
, then filter out the three files listed above, you should be left with only the host volumes.
mount | grep ^/dev/ | grep -v /etc | awk '{print }'
I guess the specifics may vary from one Linux to another. Not ideal, but at least it can be worked out.
The docker exec
command may be what you are looking for.
It lets you run arbitrary commands inside an existing container.
For example:
docker exec -it <mycontainer> bash
Of course, whatever command you are running must exist in the container filesystem.
# docker cp >>>> Copy files/folders between a container and the local filesystem
docker cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH
docker cp [OPTIONS] SRC_PATH CONTAINER:DEST_PATH
To copy the whole folder:
docker cp ./src/build b081dbbb679b:/usr/share/nginx/html
Note – this copies the build directory into the container's …/nginx/html/ directory. To copy only the files present in the folder:
docker cp ./src/build/ b081dbbb679b:/usr/share/nginx/html
Note – this copies the contents of the build directory into the container's …./nginx/html/ directory
Docker storage options:
Volumes are stored in a part of the host filesystem which is managed by Docker (/var/lib/docker/volumes/ on Linux). Non-Docker processes should not modify this part of the filesystem. Volumes are the best way to persist data in Docker.
When you create a volume, it is stored within a directory on the Docker host. When you mount the volume into a container, this directory is what is mounted into the container. This is similar to the way that bind mounts work, except that volumes are managed by Docker and are isolated from the core functionality of the host machine.
A given volume can be mounted into multiple containers simultaneously. When no running container is using a volume, the volume is still available to Docker and is not removed automatically. You can remove unused volumes using docker volume prune.
When you mount a volume, it may be named or anonymous. Anonymous volumes are not given an explicit name when they are first mounted into a container, so Docker gives them a random name that is guaranteed to be unique within a given Docker host. Besides the name, named and anonymous volumes behave in the same ways.
Volumes also support the use of volume drivers, which allow you to store your data on remote hosts or cloud providers, among other possibilities.
Bind mounts may be stored anywhere on the host system. They may even be important system files or directories. Non-Docker processes on the Docker host or a Docker container can modify them at any time.
Available since the early days of Docker. Bind mounts have limited functionality compared to volumes. When you use a bind mount, a file or directory on the host machine is mounted into a container. The file or directory is referenced by its full path on the host machine. The file or directory does not need to exist on the Docker host already. It is created on demand if it does not yet exist. Bind mounts are very performant, but they rely on the host machine’s filesystem having a specific directory structure available. If you are developing new Docker applications, consider using named volumes instead. You can’t use Docker CLI commands to directly manage bind mounts.
One side effect of using bind mounts, for better or for worse, is that you can change the host filesystem via processes running in a container, including creating, modifying, or deleting important system files or directories. This is a powerful ability which can have security implications, including impacting non-Docker processes on the host system.
tmpfs mounts are stored in the host system’s memory only, and are never written to the host system’s filesystem.
A tmpfs mount is not persisted on disk, either on the Docker host or within a container. It can be used by a container during the lifetime of the container, to store non-persistent state or sensitive information. For instance, internally, swarm services use tmpfs mounts to mount secrets into a service’s containers.
If you need to specify volume driver options, you must use --mount.
• -v or --volume: Consists of three fields, separated by colon characters (:). The fields must be in the correct order, and the meaning of each field is not immediately obvious.
  o In the case of named volumes, the first field is the name of the volume, and is unique on a given host machine. For anonymous volumes, the first field is omitted.
  o The second field is the path where the file or directory will be mounted in the container.
  o The third field is optional, and is a comma-separated list of options, such as ro. These options are discussed below.
• --mount: Consists of multiple key-value pairs, separated by commas and each consisting of a key=value tuple. The --mount syntax is more verbose than -v or --volume, but the order of the keys is not significant, and the value of the flag is easier to understand.
  o The type of the mount, which can be bind, volume, or tmpfs. This topic discusses volumes, so the type will always be volume.
  o The source of the mount. For named volumes, this is the name of the volume. For anonymous volumes, this field is omitted. May be specified as source or src.
  o The destination takes as its value the path where the file or directory will be mounted in the container. May be specified as destination, dst, or target.
  o The readonly option, if present, causes the bind mount to be mounted into the container as read-only.
  o The volume-opt option, which can be specified more than once, takes a key-value pair consisting of the option name and its value.
Assuming you want to check which volumes are mounted from inside a Linux-based container, you can look in /etc/mtab for entries starting with "/dev" and drop the /etc entries:
$ grep "^/dev" /etc/mtab | grep -v " \/etc/"
/dev/nvme0n1p1 /var/www/site1 ext4 rw,relatime,discard,data=ordered 0 0
/dev/nvme0n1p1 /var/www/site2 ext4 rw,relatime,discard,data=ordered 0 0
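As an added example that is not from any of the answers above, the "/dev"-prefix heuristic used by the mount-based answer and the /etc/mtab answer, applied to the /proc/mounts format with the three Docker-injected /etc files dropped, plus a separate check for a bind-mounted Docker socket, which the /dev heuristic misses when the host's /run is a tmpfs. The mount table embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original answers. Parses the Linux
# /proc/mounts format: "<source> <mountpoint> <fstype> <options> <dump> <pass>".

# Constructed sample of a container's /proc/mounts (not captured from a real host).
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/X 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
/dev/nvme0n1p1 /etc/resolv.conf ext4 rw,relatime,discard 0 0
/dev/nvme0n1p1 /etc/hostname ext4 rw,relatime,discard 0 0
/dev/nvme0n1p1 /etc/hosts ext4 rw,relatime,discard 0 0
/dev/nvme0n1p1 /var/www/site1 ext4 rw,relatime,discard 0 0
/dev/nvme0n1p1 /var/www/site2 ext4 ro,relatime,discard 0 0
tmpfs /var/run/docker.sock tmpfs rw,nosuid,nodev,size=1638400k 0 0'

# list_volume_mounts [mounts_file]
# Prints "<mountpoint> <rw|ro>" for each block-device-backed mount, skipping the
# three files Docker always injects. Defaults to the live /proc/mounts.
list_volume_mounts() {
    awk '$1 ~ /^\/dev\// &&
         $2 != "/etc/resolv.conf" && $2 != "/etc/hostname" && $2 != "/etc/hosts" {
             # the first mount option is always rw or ro
             print $2, ($4 ~ /^ro(,|$)/ ? "ro" : "rw")
         }' "${1:-/proc/mounts}"
}

# docker_socket_mounted [mounts_file]
# Succeeds if the host Docker socket is mounted into the container. The /dev
# heuristic above misses it when the host's /run is a tmpfs, so match the path;
# a mounted socket is root-equivalent access to the host, as the answer above warns.
docker_socket_mounted() {
    awk '$2 == "/var/run/docker.sock" || $2 == "/run/docker.sock" { found = 1 }
         END { exit !found }' "${1:-/proc/mounts}"
}

# Demo against the live mount table when run inside a container.
if [ -r /proc/mounts ]; then
    list_volume_mounts
    if docker_socket_mounted; then echo "WARNING: Docker socket is mounted"; fi
fi
```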