
Docker mount host directory: Permission denied when accessing files in Docker, and the solution

2022-03-03 20:09:22

When Docker mounts a host directory and you access the files in it from the container, a Permission denied error occurs.

[root@localhost soft]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos 7.2.1511 686672a1d0cc 5 weeks ago  
# Mount the host's /soft directory at /soft in the container; the first path is the host directory and the second is the container directory.
docker run -i -t -v /soft:/soft 686672a1d0cc /bin/bash

After mounting, listing the files in the directory produces the following message.

[root@ba471da26d07 soft]# ls
ls: cannot access jdk-8u102-linux-x64.tar.gz: Permission denied
hadoop-2.7.2.tar.gz jdk-8u102-linux-x64.tar.gz
Cause of the problem and solutions

The cause is that SELinux, the security module in CentOS 7, denies the access. There are at least three ways to fix the missing permission on the mounted directory.

1. Give the container extended privileges when running it by adding the --privileged=true parameter:
   docker run -i -t -v /soft:/soft --privileged=true 686672a1d0cc /bin/bash
2. Temporarily disable SELinux enforcement:
   setenforce 0
3. Add an SELinux rule that changes the security context of the directory to be mounted.

# Change the security context using the following format
chcon [-R] [-t type] [-u user] [-r role] file or directory

Option parameters:
-R: also change everything under the directory, recursively.
-t: followed by the type field of the security context, for example httpd_sys_content_t.
-u: followed by the user identity, e.g. system_u
-r: followed by the role, e.g. system_r

[root@localhost Desktop]# chcon --help
Usage: chcon [OPTION]... CONTEXT FILE...
  or:  chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
  or:  chcon [OPTION]... --reference=RFILE FILE...
Change the SELinux security context of each FILE to CONTEXT.
With --reference, change the security context of each FILE to that of RFILE.

Mandatory arguments to long options are mandatory for short options too.
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
  -u, --user=USER        set user USER in the target security context
  -r, --role=ROLE        set role ROLE in the target security context
  -t, --type=TYPE        set type TYPE in the target security context
  -l, --range=RANGE      set range RANGE in the target security context
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's security context rather than specifying
                         a CONTEXT value
  -R, --recursive        operate on files and directories recursively
  -v, --verbose          output a diagnostic for every file processed

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chcon invocation'




Change the security context of the host's /soft directory:

[root@localhost Desktop]# chcon -Rt svirt_sandbox_file_t /soft

[root@ba471da26d07 soft]# ll
total 384264
-rw-r--r--. 1 root root 212046774 Aug 8 10:01 hadoop-2.7.2.tar.gz
-rw-r--r--. 1 root root 181435897 Aug 8 09:23 jdk-8u102-linux-x64.tar.gz


The container can now access the resources in that directory normally.
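
The check below is an added example, not code from the original post: it takes an SELinux context string (as printed by `ls -Zd /soft`), extracts the type field and reports whether a confined container can access the directory, printing the chcon fix from option 3 if not. The function names, the sample labels and the inclusion of container_file_t (the newer policy name for svirt_sandbox_file_t) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Relabeling is the narrowest of
# the page's three fixes: --privileged=true and setenforce 0 relax SELinux for
# the whole container or the whole host, chcon only for the one directory.

# Types a confined container may access. svirt_sandbox_file_t is the type used
# on this page; container_file_t is its name in newer policy (assumption: your
# policy provides at least one of them).
CONTAINER_TYPES="svirt_sandbox_file_t container_file_t"

# selinux_type CONTEXT: print the type field of user:role:type[:level]
selinux_type() {
    case $1 in
        *:*:*) ;;                      # need at least user:role:type
        *) return 1 ;;
    esac
    local rest="${1#*:}"               # drop user
    rest="${rest#*:}"                  # drop role
    printf '%s\n' "${rest%%:*}"        # cut off the optional MLS level
}

# check_mount_label CONTEXT DIR: 0 = accessible, 1 = needs relabel, 2 = bad input
check_mount_label() {
    local ctx="$1" dir="$2" ctype t
    ctype=$(selinux_type "$ctx") || { echo "unparseable context: $ctx"; return 2; }
    for t in $CONTAINER_TYPES; do
        if [ "$ctype" = "$t" ]; then
            echo "ok: $dir has type $ctype"
            return 0
        fi
    done
    echo "denied: $dir has type $ctype; fix: chcon -Rt svirt_sandbox_file_t $dir"
    return 1
}

# Constructed sample labels; on a real host use: ctx=$(stat -c %C /soft)
check_mount_label 'unconfined_u:object_r:default_t:s0' /soft || true
check_mount_label 'system_u:object_r:svirt_sandbox_file_t:s0' /soft || true
```
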

See also the following link.
https://yq.aliyun.com/articles/53990