Docker: resolving "Permission denied" when accessing a mounted host directory
2022-03-03 20:09:22
When Docker mounts a host directory and you access the files in it, a Permission denied error occurs.
[root@localhost soft]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos 7.2.1511 686672a1d0cc 5 weeks ago
Mount the host's /soft directory at /soft in the container. In the -v argument, the first path is the host directory and the second is the directory inside the container.
docker run -i -t -v /soft:/soft 686672a1d0cc /bin/bash
After mounting, listing the files produces the following error.
[root@ba471da26d07 soft]# ls
ls: cannot access jdk-8u102-linux-x64.tar.gz: Permission denied
hadoop-2.7.2.tar.gz jdk-8u102-linux-x64.tar.gz
Cause of the problem and solution
The cause is SELinux, the security module in CentOS 7, which denies the container access to the mounted directory. There are at least three ways to solve the problem of the mounted directory not being accessible.
1. Run the container with extended privileges by adding the --privileged=true parameter. This lifts far more than the SELinux restriction: a privileged container also gets all capabilities and access to host devices.
docker run -i -t -v /soft:/soft --privileged=true 686672a1d0cc /bin/bash
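2. Temporarily disable SELinux enforcement with setenforce 0. This puts the whole host in permissive mode until the next reboot or setenforce 1.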
setenforce 0
3. Add an SELinux rule that changes the security context of the directory to be mounted. This is the only one of the three that is scoped to the directory itself.
# Change the security context using the following format
chcon [-R] [-t type] [-u user] [-r role] file or directory
Option parameters:
-R: recursively change the directory and everything under it.
-t: followed by the type field of the security context, e.g. httpd_sys_content_t
-u: followed by the identity (user), e.g. system_u
-r: followed by the role, e.g. system_r
[root@localhost Desktop]# chcon --help
Usage: chcon [OPTION]... CONTEXT FILE...
  or:  chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
  or:  chcon [OPTION]... --reference=RFILE FILE...
Change the SELinux security context of each FILE to CONTEXT.
With --reference, change the security context of each FILE to that of RFILE.
Mandatory arguments to long options are mandatory for short options too.
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
  -u, --user=USER        set user USER in the target security context
  -r, --role=ROLE        set role ROLE in the target security context
  -t, --type=TYPE        set type TYPE in the target security context
  -l, --range=RANGE      set range RANGE in the target security context
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's security context rather than specifying
                         a CONTEXT value
  -R, --recursive        operate on files and directories recursively
  -v, --verbose          output a diagnostic for every file processed
The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.
  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)
      --help     display this help and exit
      --version  output version information and exit
GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chcon invocation'
Change the security context of the host's /soft directory.
[root@localhost Desktop]# chcon -Rt svirt_sandbox_file_t /soft
[root@ba471da26d07 soft]# ll
total 384264
-rw-r--r--. 1 root root 212046774 Aug 8 10:01 hadoop-2.7.2.tar.gz
-rw-r--r--. 1 root root 181435897 Aug 8 09:23 jdk-8u102-linux-x64.tar.gz
The container can now access the files in that directory normally.
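An added example, not part of the original post, showing solution 3 as a check-then-relabel step: it reads the directory's current SELinux type and runs the post's chcon command only when that type blocks the container. The function names and the script name relabel.sh are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): relabel a host directory for
# container access only when its current SELinux type requires it.

# Print the type field of a context string "user:role:type:level".
# The level may itself contain colons (s0:c1,c2); the type is always field 3.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if the context's type is one that containers may read and write.
# container_file_t is the newer name for svirt_sandbox_file_t in current
# container-selinux policy.
container_can_access() {
    case "$(selinux_type "$1")" in
        svirt_sandbox_file_t|container_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the directory's context with GNU stat (%C) and run the post's chcon
# command only if the current type blocks the container.
relabel_for_container() {
    dir=$1
    ctx=$(stat -c %C "$dir") || return 2
    if container_can_access "$ctx"; then
        echo "$dir already usable by containers: $ctx"
    else
        echo "$dir is labelled $ctx; relabelling"
        chcon -Rt svirt_sandbox_file_t "$dir"
    fi
}

# Run on the host as root, e.g.: sh relabel.sh /soft
if [ "$#" -gt 0 ]; then
    relabel_for_container "$1"
fi
```

Checking first keeps the recursive relabel from being repeated on every deployment and leaves a record of the label the directory had before it was changed.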
See also the following link.
https://yq.aliyun.com/articles/53990