Use case: mount a volume from the host into a container for Apache to use as the www user.
The problem is that currently all mounts are mounted as root inside the container.
For example, this command
docker run -v /tmp:/var/www ubuntu stat -c "%U %G" /var/www
prints "root root".
I need the mount to be mounted as user www inside the container.
If you chown the volume (on the host side) before bind-mounting it, it works.
In that case you can do:
mkdir /tmp/www
chown 101:101 /tmp/www
docker run -v /tmp/www:/var/www ubuntu stat -c "%U %G" /var/www
(assuming 101:101 is the UID:GID of the www-data user inside the container)
Another possibility is to do the bind-mount and then run chown inside the container.
@mingfang Doesn't chown work?
It would be handy to have a shortcut for this. I often find myself writing run scripts that just set the permissions on a volume:
https://github.com/orchardup/docker-redis/blob/07b65befbd69d9118e6c089e8616d48fe76232fd/run
What happens if you don't have the right to chown?
Can you solve this with a helper script that chowns the volume? That script can be the ENTRYPOINT of the Dockerfile.
Fair enough, I suppose. Forcing users to add a helper script:
#!/bin/sh
chown -R redis:redis /var/lib/redis
exec sudo -u redis /usr/bin/redis-server
(thanks for your example, @bfirsh)
is pretty awful.
It means the container has to be started as root instead of running as the intended redis user (as @aldanor hinted).
It means a user cannot run something like:
docker run -v /home/user/.app_cfg/ -u user application_container application
:(
There is one way to make this work, but it has to be prepared in advance inside the Dockerfile:
RUN mkdir -p /var/lib/redis ; chown -R redis:redis /var/lib/redis
VOLUME ["/var/lib/redis"]
ENTRYPOINT ["/usr/bin/redis-server"]
USER redis
(I haven't tested this example; I'm working in a boot2docker container and it shows up in a _separate_ X11 container....)
And of course this method only works for new volumes directly; bind mounts or volumes-from don't ;(
On top of that, multiple containers using volumes-from can have different uid/gid for the same user, which complicates things.
@SvenDowideit @tianon That method doesn't work. Full example:
FROM ubuntu
RUN groupadd -r redis -g 433 && \
useradd -u 431 -r -g redis -d /app -s /sbin/nologin -c "Docker image user" redis
RUN mkdir -p /var/lib/redis
RUN echo "thing" > /var/lib/redis/thing.txt
RUN chown -R redis:redis /var/lib/redis
VOLUME ["/var/lib/redis"]
USER redis
CMD /bin/ls -lah /var/lib/redis
Two runs, with and without a -v volume:
bash-3.2$ docker run -v `pwd`:/var/lib/redis voltest
total 8.0K
drwxr-xr-x 1 root root 102 Aug 7 21:30 .
drwxr-xr-x 28 root root 4.0K Aug 7 21:26 ..
-rw-r--r-- 1 root root 312 Aug 7 21:30 Dockerfile
bash-3.2$ docker run voltest
total 12K
drwxr-xr-x 2 redis redis 4.0K Aug 7 21:30 .
drwxr-xr-x 28 root root 4.0K Aug 7 21:26 ..
-rw-r--r-- 1 redis redis 6 Aug 7 21:26 thing.txt
bash-3.2$
I'm running into a problem that could (I think) be solved here. We have an NFS share for the developers' home directories. Developers want to mount /home/dev/git/project into Docker, but they can't because root squash is enabled.
Because of that, root cannot access /home/dev/git/project, so when Docker tries to mount /home/dev/git/project it fails with an lstat permission denied error.
@frankamp That seems to be because Docker's current setup does not change anything on the host that is outside Docker's own control.
The "VOLUME" definition is overridden by your -v `pwd`:/var/lib/reds.
In the second run, however, a Docker-controlled volume created under /var/lib/docker is used. When the container starts, docker copies the data from the image into the volume and then chowns the volume using the uid:gid of the directory the volume was declared on.
I'm not sure whether anything can be done here, but unfortunately bind mounts (as far as I know) don't support mounting as a different uid/gid.
My solution for this was to do what SvenDowideit did above (create a new user and chown in advance in the dockerfile), but instead of mounting a host volume, use a data-only container and copy the host volume you wanted to mount into it: tar cf - . | docker run -i --volumes-from app_data app tar xvf - -C /data
If https://github.com/docker/docker/pull/13171 gets merged (and docker cp works in both directions) this gets a bit easier, but there could still be an alternative to -v host_dir:container_dir, say -vc host_dir:container_dir (vc for volume copy), that copies the contents of host_dir into the data container. I can't claim to understand why/how copied files inherit the container user's permissions, but what I can say is that this is the only reasonable solution I could come up with that doesn't break portability.
What about acl?
Any fix or workaround? I have the same problem with OpenShift: the mounted folders are owned by root:root, and a pre-created image doesn't work.
I'm looking for a workaround too. If every mounted volume is owned by root, it's impossible to run Docker containers as a non-root user.
Well, you could try s6-overlay. It includes features specifically intended to help work around this kind of problem.
@dreamcat4 Thanks for the pointer. Fixing ownership and permissions looks like an interesting workaround, but doesn't it require the Docker container to run as root in order to work?
@brikis98 Yes, that's true. However, s6-overlay has another feature: it can drop privileges again when it launches your server/daemon.
@dreamcat4 Ah, got it, thanks!
I have the same uid/gid inside and outside the container, and this is what I get:
nonroot$ ls -l .dotfiles/
ls: cannot access .dotfiles/byobu: Permission denied
ls: cannot access .dotfiles/config: Permission denied
ls: cannot access .dotfiles/docker: Permission denied
ls: cannot access .dotfiles/vim: Permission denied
ls: cannot access .dotfiles/bashrc: Permission denied
ls: cannot access .dotfiles/muse.yml: Permission denied
ls: cannot access .dotfiles/my.cnf: Permission denied
ls: cannot access .dotfiles/profile: Permission denied
total 0
-????????? ? ? ? ? ? bashrc
d????????? ? ? ? ? ? byobu
d????????? ? ? ? ? ? config
d????????? ? ? ? ? ? docker
-????????? ? ? ? ? ? muse.yml
-????????? ? ? ? ? ? my.cnf
-????????? ? ? ? ? ? profile
d????????? ? ? ? ? ? vim
nonroot$ ls -l .ssh
ls: cannot access .ssh/authorized_keys: Permission denied
total 0
-????????? ? ? ? ? ? authorized_keys
nonroot$
@darkermatter Would you mind opening a separate issue?
Not a problem, but isn't it relevant here?
@darkermatter This is a feature request, not a bug report. Mixing your case in with the others makes the discussion hard to follow, and the problem may not be directly related.
@thaJeztah Yes, like @frankamp and others, I was just showing what happens after running chmod etc. inside the Dockerfile. I'll file it as a bug report, but it is relevant to this discussion.
As @ebuchman suggested, you can create a data-only container first, without copying the host volume.
At startup, run chown 1000:1000 /volume-mount as root.
For example, a docker compose v2 configuration:
version: '2'
services:
  my-beautiful-service:
    ...
    depends_on:
      - data-container
    volumes_from:
      - data-container
  data-container:
    image: same_base_OS_as_my-beautiful-service
    volumes:
      - /volume-mount
    command: "chown 1000:1000 /volume-mount"
This way the container can run as a non-root user. The data-only container runs only once.
It assumes you know in advance which uid and gid my-beautiful-service uses. Usually it's 1000,1000.
(In 1.11) docker volume create lets you specify mount options for the volume, so this looks ready to be closed.
uid/gid can't be specified directly because bind mounts don't support it, but many of the filesystems that can be used with the new mount opts do work with uid/gid opts.
Would that still not solve the problem when I mount a CIFS drive inside the container, or should that be a separate ticket?
@michaeljs1990 You can do this, just not per container (unless you create a separate volume for each uid/gid container you need).
@cpuguy83, could you clarify how docker volume create should be used to avoid this problem?
I hit this problem today with docker 1.11 and had to do some ugly readjusting to persuade the docker image to write to files on the mounted drive. It would be really nice never to have to do that again, let alone explain it to others.
I'm not sure if this is what you're asking for...
FROM busybox
RUN mkdir /hello && echo hello > /hello/world && chown -R 1000:1000 /hello
Build this as an image named "test", then:
$ docker volume create --name hello
$ docker run -v hello:/hello test ls -lh /hello
In the example above, /hello and /hello/world are both owned by 1000:1000.
So, I did something similar, but slightly different, so it may be worth sharing. Basically, I added to the Dockerfile a user that shares the UID, GID, username and group of the user outside the container. Every <...> is to be replaced with the relevant value.
FROM <some_image>
RUN groupadd -g <my_gid> <my_group> && \
useradd -u <my_uid> -g <my_gid> <my_user>
Afterwards you can either use USER or switch at a later point with su (for example when using an entrypoint script or a shell). This lets you write to the mounted volume because you are the same user that created it. In addition, you can use chown inside the container to make sure you have permissions on the relevant things. Installing sudo is also generally a sensible thing to do if you go this route.
This solves the problem, but I'm not sure I like it, since it has to be done for every user. I also hardcoded this (yuck!); a template could make it a bit smoother. I wonder whether this shim could somehow be absorbed into docker run. If there is already a better way to do this, I'm very interested to hear what it is.
There is an option to map host user uids/gids to container user uids/gids with --userns-remap. Personally I haven't tried it. See this good discussion of the topic: http://stackoverflow.com/questions/35291520/docker-and-userns-remap-how-to-manage-volume-permissions-to-share-data-betwee
@cpuguy83:
> uid/gid can't be specified directly because bind mounts don't support it, but many of the filesystems that can be used with the new mount opts do work with uid/gid opts.
Which filesystems do you have in mind that can accept uid/gid arguments? I know FAT can, but that feels as hacky as the other things proposed in this thread.
IMO Docker has two options:
Remove the USER directive (and the related runtime flags). Being able to run as a non-root user while only being able to mount root-owned volumes is a broken feature. Sharing uid/gid between host and container is another broken feature.
@mehaase Volumes take over whatever ownership already exists at the path inside the container. If the location inside the container is owned by root, the volume will be root. If the location inside the container is owned by someone else, the volume gets that.
Some kind of workaround for this would be great. Unless the container specifically anticipates it, adding volumes to standard containers like elasticsearch, redis, couchDB, etc. becomes _very_ difficult without writing a custom Dockerfile that sets up permissions. That makes the docker run -v command or docker-compose's volume: directive useless in most cases.
@chrisfosterelli Why useless? Setting the ownership of the files/directories you intend to use doesn't seem strange to me.
@cpuguy83 It seems I can't set ownership without a custom Dockerfile that sets up permissions and volumes, so it doesn't seem useful for defining volumes; I'm not binding the container to the host filesystem unless I need to.
@chrisfosterelli But all of those standard Dockerfiles should already have permissions set up.
I think what @chrisfosterelli is saying, @cpuguy83 (correct me if I'm wrong, @chrisfosterelli), is that these variables (UID, GID, etc.) are dynamic and need to be set at runtime (in particular for writing to files owned by an internally mounted volume), and there is currently no way to do that. So far the response seems to be that these should not be decided at run time, but that ignores the basic usability problem that proposals like this one point at. Again, if I've misunderstood any of this, please feel free to correct me.
@jakirkham I don't understand what the usability problem is.
Files need to have the ownership and permissions the application inside the image needs in order to run. That has nothing to do with the volume itself. The volume just uses whatever was set up in the image.
@cpuguy83 To dig in a bit and clarify: say I have an elasticsearch container that creates the directory /data at startup (if no data exists), and I run it with docker run -v /data elasticsearch. The directory /data is owned by root:root, and the daemon running as elasticsearch inside the container fails to start because it cannot write to /data.
It would be ideal if this volume could be set up to be owned by elasticsearch without needing a custom Dockerfile, although I think you could argue that this kind of problem should be fixed in the upstream image.
@chrisfosterelli There has been talk on the kernel mailing list of an overlay-like driver that can change ownership, but without something like that there isn't much that can be done. I'd be interested whether you could set a umask so that all files in the volume root are readable and writable appropriately and new files come out right (I haven't tried it yet).
@justincormack I believe it, but I think it won't work when you expect the container (not the host) to create data in the volume. I realize this is a somewhat odd problem, so for now I'm dealing with it by fixing the directory's mkdir -p && chmod in the upstream Dockerfile itself.
@chrisfosterelli That's why I said set the umask: with a umask of 000 (inside the container), all new files are created with 666 or 777 permissions, and the mount point starts out as 777, so it's fine? If the permissions always let the world read and write, the uid and gid don't matter?
@justincormack Yes, that sounds right... how can I do that when I'm creating a Docker container with a volume that isn't mounted from the host?
@chrisfosterelli Hmm, that's a good question. The permissions on a new volume look like they come from the default umask, so you could check whether running the docker daemon with a 000 umask makes volumes world-writable. docker volume create should probably have some permission options.
(You could fix it with a root container that runs chmod and exits, but that's ugly.)
It would be nice at creation time. The problem is that when the container has no host path, it gets created as the host's root. That can almost certainly be done as whatever user was passed.
@cpuguy83 I think it makes more sense to create it as the user passed with -u, since that's probably the user who is going to write to the volume from inside the container.
Using the steps below I could not mount as the selected user.
Quoting @chrisfosterelli:
> To dig in a bit and clarify: say I have an elasticsearch container that creates the directory /data at startup (if no data exists), and I run it with docker run -v /data elasticsearch. The directory /data ends up owned by root:root, and the daemon running as elasticsearch inside the container fails to start because it cannot write to /data.
This is a great example! I have a similar example with the Solr image. Solr needs one or more "cores", where each core is a collection of related config files and index fragments. Each core lives in a directory with a user-chosen name. For example, if I create a core named products, its path is /opt/solr/server/solr/products. Since the core name is chosen by me, the Solr image maintainer can't pre-create that directory in the image.
I want to persist the index data so that I can upgrade the image to a newer Solr without re-indexing all documents, but if I mount a volume at /opt/solr/server/solr/products, that volume is owned by root, and Solr (running as solr) can't actually write anything. The parent directory /opt/solr/server/solr contains other files, so I can't mount a volume there either. (In current Docker terminology I believe my volume is called a "named volume", i.e. a volume fully managed by Docker rather than mounted from a given path on the host.)
I talked to the Solr image maintainer about this and there are some workarounds (and he made some changes to the image to help), but they're all pretty hacky and require case-by-case changes to the upstream image. The feature described in this thread would make _all images_ more extensible without having to write a new Dockerfile.
@ctindel Probably... if the directory doesn't exist yet.
@cpuguy83 Yes, agreed. That's definitely my use case, because if a user ID is explicitly given for running the container, it makes no sense to create the directory as root when it doesn't exist.
@cpuguy83 It only works with named volumes.
@kamechen What doesn't work?
@cpuguy83 When using named volumes, the files are mounted under the required user.
@eciuca Well.... it depends. If the named volume is empty, or if the data in the named volume happened to be created by the same user you need.
Is there any solution to the problem raised by @andrewmichaelsmith?
> I'm running into a problem that could (I think) be solved here. We have an NFS share for the developers' home directories. Developers want to mount /home/dev/git/project into Docker, but they can't because root squash is enabled.
> Because of that, root cannot access /home/dev/git/project, so when Docker tries to mount /home/dev/git/project it fails with an lstat permission denied error.
I think it's possible to work around that with bindfs.
Mount the volume to a temporary location with docker's -v ..., then use bindfs to mount it at the required location as a different user.
@piccaso, the way I understand @andrewmichaelsmith, the problem is that the bind mount on the host side fails because of root squash. But bindfs can indeed be used as a workaround, this time on the host side: on the host, bind-mount the nfs share with FUSE as a non-root user to a temporary location, then mount that temporary folder into Docker with -v ....
Note that bindfs (at least with FUSE) has considerable CPU overhead.
Yes, bindfs is quite undesirable. It's even slower than a CoW filesystem.
There is some work going on in the kernel that will make it possible to shift uid/gid on a mount.
> There is some work going on in the kernel that will make it possible to shift uid/gid on a mount.
That would probably only help with the use case where the uid/gid differ inside the container. The mount itself, performed by the docker daemon, runs as root on the host. My understanding is that a kernel bind mount can only be created as root. I don't know whether there is any work to change that so non-root users can perform mounts (I know too little about how Linux handles mounts to judge whether that even makes sense).
@NikolausDemmel I don't think that will change. The mount syscall requires CAP_SYS_ADMIN, which is not given to non-root users, nor to the container's root user.
@cpuguy83 Thanks for clarifying. So mounting Docker volumes from host folders on NFS mounts with root squash won't work in the foreseeable future (because of the restriction on the mount syscall, as you say), unless you use a workaround like FUSE with bindfs.
Sorry, this is a bit OT since the OP asked about changing the UID/GID inside the container, but it's the flip side of the same coin and came up in the discussion above. I just wanted to make that clear.
I'm running Docker for Mac and mounted a volume, but the web service can't seem to get the permissions it needs to access the files. How do I fix this? I tried changing the mode and setting the group to staff, but Alpine doesn't seem to have a staff group.
Sorry if this isn't the best place; I'm struggling and couldn't think of a better place.
@NikolausDemmel: I'm trying to use Docker for some bioinformatics work. We have several huge filesystems mounted via NFS with root squash. We read huge sequence data (fastq), align the genome reads against a data store, and write out a smaller BAM file. Currently I can use Docker by running a custom image that creates a user inside the container and ends with USER, but that is problematic for several reasons.
Can this be worked around with Bindfs or userNS?
I think I'm running into the same problem. My use case is as follows:
A Docker image holds the build tools for a specific project. We use a volume mount with a relative path such as docker run -v ./:/src/ image, or the equivalent in a docker-compose file. The build starts automatically and generates new files in a subfolder of the linked volume.
Sometimes we want to use those files on the host, but the fact that they are owned by docker's user rather than the host user who ran docker tends to make things difficult.
Am I doing something particularly wrong here?
@rlabrecque See my earlier post on matching the Docker user's ID with the host's. I used that approach and it works really well for us. Basically, run HOST_UID=$(id -u) and HOST_GID=$(id -g) and generate a Dockerfile in which $HOST_GID and $HOST_UID are expanded in the two commands below:
RUN groupadd -g $HOST_GID mygroup
RUN useradd -l -u $HOST_UID -g mygroup myuser
Build the image from the generated Dockerfile with the IDs filled in.
@haridsv I did something similar and it works fine on Linux. It doesn't seem to work on Windows, though: the files in the mount are still owned by root.
I solved this with inotifywait. To run it inside the Docker image, inotify-tools has to be installed. It would also be possible to run it on the host system instead, but I needed a portable solution.
RUN export DEBIAN_FRONTEND=noninteractive \
&& apt -y update \
&& apt -y install inotify-tools
# The watcher must run while the container is up, not as a build step
# (a RUN with inotifywait -m would never finish), so it is the start command:
CMD inotifywait -m -r /mount -e create --format '%w%f' \
| while read f; do chown $(stat -c '%u' /mount):$(stat -c '%g' /mount) "$f"; done
This works by telling inotifywait to watch for new files or directories created in the directory /mount. When it notices one, it changes the ownership to the same user and group as the /mount folder. I used the integer representation of both in case the host user/group does not exist in the container. Inside the container it doesn't matter who owns the files, since everything runs as root. Outside the container, the host filesystem shows the same ownership as the directory mounted at /mount.
I deliberately designed it to set ownership only on newly created files and directories, so that the ownership of existing files and directories is preserved. That is safer than blowing everything away with a chown -R statement every time the filesystem is mounted. If you want a simpler solution that works for uniform permissions across a project and runs more efficiently, take a look at inotify-hookable.
Warning: since one inotify watch is set up per subdirectory, you may hit the per-user maximum number of inotify watches. The default maximum is 8192. It can be raised by writing to /proc/sys/fs/inotify/max_user_watches.
I used a host-side script to chown the volume being mounted. This removes the need to rebuild the image.
#!/bin/bash
set -e
DOCKER_IMAGE=<docker_image>
COMMAND=<internal_command>
DOCKER_USER=docker-user
DOCKER_GROUP=docker-group
HOME_DIR=/work
WORK_DIR="$HOME_DIR/$(basename "$PWD")"
PARAMS="$PARAMS -it --rm"
PARAMS="$PARAMS -v $PWD:$WORK_DIR"
PARAMS="$PARAMS -w $WORK_DIR"
USER_ID=$(id -u)
GROUP_ID=$(id -g)
# Builds the command line that runs inside the container: create a group and a
# user with the host's ids, give them the work dir, then run COMMAND as that user.
run_docker()
{
echo \
groupadd -f -g $GROUP_ID $DOCKER_GROUP '&&' \
useradd -u $USER_ID -g $DOCKER_GROUP $DOCKER_USER '&&' \
chown $DOCKER_USER:$DOCKER_GROUP $WORK_DIR '&&' \
sudo -u $DOCKER_USER HOME=$HOME_DIR $COMMAND
}
if [ -z "$DOCKER_HOST" ]; then
# Local daemon: hand the whole command string to a shell inside the container.
docker run $PARAMS $DOCKER_IMAGE sh -c "$(run_docker) $*"
else
# DOCKER_HOST set: run COMMAND directly, without the user mapping.
docker run $PARAMS $DOCKER_IMAGE $COMMAND "$*"
fi
What about using filesystem ACLs on the host directory? That way you can tell the filesystem to apply specific permissions to files newly created inside the directory. If the ACL is set at the host level, it also takes effect when a container modifies the data.
@thaJeztah @justincormack @cpuguy83
It looks like @kamechen is right that named volumes "just work". With named volumes, the existing permissions override and change the volume's permissions, which I personally consider a bug (#28041).
@thegecko Why not take that approach further and create the user inside the entrypoint?
Here's my example: it detects the owner of the mounted directory, creates a user with the same UID and runs the command as that user.
FROM ubuntu
RUN mkdir /project
VOLUME /project
ENV GOSU_VERSION 1.9
RUN set -x \
&& apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \
&& export GNUPGHOME="$(mktemp -d)" \
&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
&& rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
&& chmod +x /usr/local/bin/gosu \
&& gosu nobody true \
&& apt-get purge -y --auto-remove ca-certificates wget
ADD entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
CMD /project/run.sh
#!/bin/sh
# entrypoint.sh: create a user with the uid that owns the mounted volume, then
# drop to it with gosu (UID is not a reserved variable in POSIX sh, unlike bash)
USER=dockeruser
VOLUME=/project
UID="$(stat -c '%u' $VOLUME)" && \
useradd --uid "$UID" "$USER" && \
ls -l "$VOLUME" && \
exec gosu "$USER" "$@"
#!/bin/sh
# run.sh
echo "Running as \"$(id -nu)\""
Running sudo docker build -t test . && sudo docker run --rm -v /tmp/docker-test/:/project test:latest outputs:
total 12
-rw-r--r-- 1 dockeruser dockeruser 990 Dec 12 10:55 Dockerfile
-rwxr-xr-x 1 dockeruser dockeruser 156 Dec 12 11:03 entrypoint.sh
-rwxr-xr-x 1 dockeruser dockeruser 31 Dec 12 11:01 run.sh
Running as "dockeruser"
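The entrypoint above fails in useradd when the volume's uid already exists in the image, and happily runs the command as root when the volume is root-owned. The following is an added example (not @thegecko's code, and not from the thread) that generalizes the same approach with those two cases handled; it assumes GNU stat, getent and gosu in the image, and a hypothetical ENTRYPOINT_VOLUME variable that the Dockerfile sets to opt in.

```sh
#!/bin/sh
# Added example, not code from the thread: an entrypoint helper that maps the
# owner of a mounted volume to a container user and drops privileges to it.
# Cases the simpler entrypoint.sh above does not handle:
#   - the uid/gid already exist in the image (reuse them; useradd would fail)
#   - the volume is owned by root (refuse, since running the service as root is
#     exactly what the thread is trying to avoid)
# Assumptions: GNU stat, getent and gosu are present in the image;
# ENTRYPOINT_VOLUME is a hypothetical variable set by the Dockerfile.

# Print "uid gid" of the given path (the volume's mount point).
volume_owner() {
    stat -c '%u %g' "$1"
}

# Print the account name already mapped to a uid, or nothing.
name_for_uid() {
    getent passwd "$1" | cut -d: -f1
}

# Print the group name already mapped to a gid, or nothing.
name_for_gid() {
    getent group "$1" | cut -d: -f1
}

# Decide what to do for the volume at $1; $2 is the name to create if needed.
# Prints one of:
#   reuse <user> <group>        both ids already exist in the image
#   create <uid> <gid> <name>   at least one id has to be created
#   refuse <uid> <gid>          the volume is root-owned (exit status 1)
plan_user_for_volume() {
    vol=$1
    name=${2:-volumeuser}
    set -- $(volume_owner "$vol")
    [ -n "${2:-}" ] || { echo "cannot stat $vol" >&2; return 1; }
    uid=$1
    gid=$2
    if [ "$uid" -eq 0 ]; then
        echo "refuse $uid $gid"
        return 1
    fi
    user=$(name_for_uid "$uid")
    group=$(name_for_gid "$gid")
    if [ -n "$user" ] && [ -n "$group" ]; then
        echo "reuse $user $group"
    else
        echo "create $uid $gid ${user:-$name}"
    fi
}

# Apply the plan for volume $1 and exec the remaining arguments as that user.
# This is the only part that needs root; it is what the ENTRYPOINT calls.
run_as_volume_owner() {
    vol=$1
    shift
    plan=$(plan_user_for_volume "$vol") || {
        echo "refusing to run as root: $vol is owned by root" >&2
        return 1
    }
    case ${plan%% *} in
    reuse)
        user=$(echo "$plan" | cut -d' ' -f2)
        ;;
    create)
        uid=$(echo "$plan" | cut -d' ' -f2)
        gid=$(echo "$plan" | cut -d' ' -f3)
        user=$(echo "$plan" | cut -d' ' -f4)
        # Group first so useradd can refer to the gid. Names only matter inside
        # the container; the ids are what the files on the volume carry.
        getent group "$gid" >/dev/null || groupadd -g "$gid" "g$gid"
        getent passwd "$uid" >/dev/null || useradd -u "$uid" -g "$gid" -M "$user"
        ;;
    esac
    exec gosu "$user" "$@"
}

# Only act when the Dockerfile opts in, e.g.
#   ENV ENTRYPOINT_VOLUME=/project
#   ENTRYPOINT ["/entrypoint.sh"]
if [ -n "${ENTRYPOINT_VOLUME:-}" ]; then
    run_as_volume_owner "$ENTRYPOINT_VOLUME" "$@"
fi
```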
Has anyone looked into this problem? Having to make sure the volume's gid and uid match the container's makes it hard to manage containers without using root. Docker's best practices recommend not running services as root where possible, but wouldn't containers that don't require setting up the gid and uid on the host make Docker more popular and easier to use?
@AndreasBackx Using a volume works on the premise that the path at the mount contains data.
With binds, the UID/GID of the host path is used.
Unless you use something like FUSE, which is terribly slow, there is currently no way to map or change the UID/GID of a file/directory to something else without changing the original file/directory (not without kernel support, anyway).
But let's step back a bit.
Docker isn't really making things hard here.
The UID/GID inside the container is the same as the UID/GID on the host, even when the user/group names don't match. What matters here is the UID/GID.
Just like without Docker, you need to come up with the uid/gid to use for a service and use it by convention.
Don't forget that a uid/gid does not need to exist in /etc/passwd or /etc/group in order to set file ownership.
@cpuguy83 Thanks for explaining.
I ran into this problem today while building a node pipeline: the host user's UID is 1000, and the node image creates a custom user with that specific UID, which I also have a problem with.
I went ahead using the node user, but it feels a bit dirty. I'd push back a little on what @cpuguy83 wrote; I really share the view, but the problem can be hard to solve.
Finding the -o option of usermod, which allows duplicate IDs, seems like a more legitimate option:
RUN usermod -o -u 1000 <user>
I don't know why this hasn't been fixed in a sensible way.
docker run -it -u 1000:4211 -v /home/web/production/nginx_socks:/app/socks -e SOCKS_PATH=/app/socks --name time_master time_master
Log in and check:
drwxr-xr-x 8 geodocr_ geodocr 4096 Jun 4 18:51 .
drwxr-xr-x 57 root root 4096 Jun 6 21:17 ..
-rwxrwx--- 1 geodocr_ geodocr 140 Jun 4 18:49 .env
-rwxrwx--x 1 geodocr_ geodocr 78 Jun 4 18:49 entrypoint.sh
drwxrwxr-x 2 geodocr_ geodocr 4096 Jun 4 18:51 handlers
-rwxrwx--- 1 geodocr_ geodocr 242 Jun 4 18:49 requirements.txt
-rwxrwx--- 1 geodocr_ geodocr 1270 Jun 4 18:49 server.py
drwxr-xr-x 2 root root 4096 Jun 6 21:00 socks
drwxr-xr-x 10 geodocr_ geodocr 4096 Jun 4 18:51 utils
The dockerfile is specifically:
RUN adduser -D -u 1000 $USER
RUN addgroup $GROUP -g 4211
RUN addgroup $USER $GROUP
RUN mkdir /app/socks
USER $USER
If the user inside the container isn't chosen, or the user running the command isn't chosen, it makes no sense to mount this volume as root. I can't tell whether the RUN command mounts it as the user running the command, as the user that owns the directory, or as the user specified in the Dockerfile.
All of those are non-root, so mounting as root seems like a bug.
Also, if you check and create the volume and then mount it, it works. So still a bug.
@disarticulate If you want the host path to be non-root, you have to change the host path.
I don't think this has been mentioned before, but this bug is particularly annoying when you let Docker create the host volume. Even when the owner of the directory being mounted is different, Docker always creates host volumes as root.
It feels like the right thing to do here would be to create the volume with ownership belonging to the image's USER.
@jalaziz What if the container's user doesn't exist on the host? One of the main benefits of containers is not having to expose the container's dependencies (including users) to the host.
@taybin Docker should create the folder with the container user's uid:gid; if the folder exists inside the container, it should create the host folder with the same uid:gid and mask.
Note: if the folder already exists on the host, I would not expect Docker to change its permissions.
@taybin As @frol explained. You would have to use the container's uid:gid.
But that exposes my general problem with the current approach. I have to know which uid the container uses to allow writes, and set permissions on the host directory based on that uid:gid. If the upstream author changes the uid, the permissions are lost. It all feels very fragile.
In my case I had no explicit control over the Docker image being used (I couldn't edit the Dockerfile to my liking).
So I tried this:
docker run -it -u $(id -u $USER):$(id -g $USER) -v $(pwd):/src -w /src node:latest npm run build
This created a folder ./built-app. However, the owner was still root, with strict permissions.
My workaround was this:
docker run -it -v $(pwd):/src -w /src node:latest /bin/bash -c "npm run build; chmod -R 777 ./built-app"
It still has root ownership, but the permissions are relaxed. After that, my host OS (Ubuntu) could access ./built-app without sudo privileges.
@rms1000watt Have you tried the following command?
docker run -it -v $(pwd):/src -w /src node:latest /bin/bash -c "npm run build; chown -R ${UID}:${GID} ./built-app"
That should work, because it applies the host's UID and GID directly to the files themselves. Using chmod -R 777 is generally bad practice.
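The chown above relabels everything under ./built-app, and the chmod -R 777 before it makes the build output world-writable. As an added example (not from the thread), this host-side script first lists what the root-run container actually left behind and then hands back only the root-owned entries; it assumes GNU find and GNU chown (the --from option is a GNU extension), and takes the directory and the uid/gid as arguments.

```sh
#!/bin/sh
# Added example, not code from the thread: after a container that ran as root
# has written into a bind mount, find what it left behind and give only those
# entries to the host user, instead of `chmod -R 777` (world-writable build
# output) or a blanket `chown -R` over files you did not create.
# Assumes GNU find and GNU chown (--from is a GNU extension).

# Print every entry under $1 whose owner is not uid $2 or whose group is not gid $3.
foreign_owned() {
    find "$1" \( ! -uid "$2" -o ! -gid "$3" \) -print
}

# Number of such entries; this is what you look at before touching anything.
count_foreign_owned() {
    foreign_owned "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Give root-owned entries under $1 to $2:$3 and leave everything else alone:
# --from=0:0 makes chown skip files whose current owner is not root, so files
# the host user (or a deliberately different uid) already owns are untouched.
# Needs root or CAP_CHOWN: sudo on the host, or one more `docker run` of the
# same image with the same -v that calls this as its command.
reclaim_root_owned() {
    chown -R --from=0:0 "$2:$3" "$1"
}

# Typical use on the host after `docker run -v "$PWD":/src ... npm run build`:
#   count_foreign_owned ./built-app "$(id -u)" "$(id -g)"    # how much is root's?
#   reclaim_root_owned   ./built-app "$(id -u)" "$(id -g)"    # run as root
```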
@saada Wow! Yes please. I'll try it.
Reading _understanding how UID and GID work in Docker containers_ helped me arrive at my approach:
https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf
Basically there is a single kernel and a single shared pool of uids and gids. That means the root of my local machine is the same as the root of the container: both share the same UID.
I have an Apache server, and I want to share the web application files with the Apache container, change them on the host (development, editing with a text editor), and see the result from the process running in the container. That process sometimes creates new files, and if I don't change the default behaviour, the files are generated by the root user and my local user can't modify them.
What I did was add this to my dockerfile to generate a custom image:
RUN adduser -D -u 1002 dianjuar -G www-data
USER dianjuar
Perhaps, to make my docker-compose.yml portable for anyone, I'll set some parameters in the build process.
This is a container pattern that lets you assign the user ID/group ID at runtime in an easily portable way: https://github.com/Graham42/mapped-uid-docker
The method I followed:
1- create a directory on the host server
2- change its permissions to a user with userid and groupid = 1000
3- run docker-compose up
Check the container, everything is fine.
Note: I think that if you use the root user on the host server but a non-root user with uid=1000 in the container, you can mount the volume without worrying about permissions, but I haven't tested it yet. Has anyone followed a similar method?
Typical problem:
That is, I have a web server that gets Let's Encrypt SSL certificates for a domain, and an OpenLDAP server for the same domain that reuses the certificates.
There are other combinations that run into exactly the same problem.
Any idea how to solve this?
How do you solve this without Docker? This isn't Docker-specific.
On Fri, Jan 12, 2018 at 10:24 AM, Marc Wäckerlin <notifications@github.com> wrote:
> Typical problem:
> - it's docker swarm, so no CAP_ADD and no bind-mount
> - two containers from two different images share the same volume
> - both have different user/group databases
> - e.g. one needs access as www-data (i.e. the Let's Encrypt certificate downloader)
> - another one also uses www-data (i.e. nginx)
> - but a third one needs access as user openldap (i.e. the openldap server)
> - so a simple chmod is not the solution
> That is, I have a web server that gets Let's Encrypt SSL certificates for a domain, and an OpenLDAP server for the same domain that reuses the certificates. There are other combinations that run into exactly the same problem.
> Any idea how to solve this?
> https://github.com/moby/moby/issues/2259#issuecomment-357267193
Without swarm I could solve it in docker with a bind-mount.
Without CAP_ADD, this is a Docker-Swarm-specific problem.
@mwaeckerlin Bind mounts can't be mapped to a different user ID.
But you can mount and bind in swarm too.... why would you need CAP_ADD?
Without CAP_ADD, a mount inside Docker fails.
But writing that comment gave me a possible solution; unfortunately it requires changing the Dockerfile of both images, so it doesn't work with library or other third-party images.
@mwaeckerlin Why do you need to mount inside the container?
Because the Docker option -v doesn't let you specify a user/group.
The idea I described above is: bind-mount inside the container, then chown the target without changing the source.
@mwaeckerlin If you change it, it changes everywhere. That's the crux of the problem.
Chowning/chmoding a bind-mounted file/directory changes both locations.
Also, you don't need to mount inside the container. --mount type=bind,source=/foo,target=/bar is the same as if you had done it outside Docker, so the idea above is wrong.
The main problem I see with Docker is that users and groups are not identical across different images; even when the same user name or group name exists in both, the IDs often differ.
So something like this would help, at least in some cases: --mount type=bind,source=/foo,target=/bar,user=me,group=mine
Any recommendation or best practice on this topic (shared volume users across different users in different images in docker swarm)?
Could you elaborate on point 4?
Or give a practical example of how to do that?
On Fri, Jan 12, 2018 at 17:27, Brian Goff <notifications@github.com> wrote:
>> - don't share volumes
>> - sync uid/gids
>> - make sure all users you share with have adequate permissions
>> - use a host fuse mount to bind to a different uid/gid for each container
> https://github.com/moby/moby/issues/2259#issuecomment-357282169
Use something like https://bindfs.org/; there is at least one Docker volume plugin that already implements this (https://github.com/lebokus/docker-volume-bindfs is the first result I found on Google).
Permissions can be changed after the volume is mounted, but has anyone actually got this?
åé¿çïŒ
ãããDockerfileã«è¿œå ããRUN echo "if [ -e container_volume_path ]; then sudo chown user_name container_volume_path; fi" >> /home/user_name/.bashrc
ããªã¥ãŒã ãããŠã³ããããåŸã container_volume_pathã®æææš©ãå€æŽãããŸãã
Being able to map uid and gid looks like a curiously missing feature of Docker volume handling. The principle of least astonishment would be to include it; the proposed fixes are clunky and hard to discover, with no best-practice benefit.

Again:
1) Don't share volumes

@colbygk
> If it could be a simple mapping
That's the problem: it is not supported by the vfs layer, so we can't do a "simple mapping".
Some filesystems (bindfs, nfs, etc.) provide ownership mapping, but implementing this for the general case is currently impossible.
I need shared volumes, for example in this situation:
Shared certificates
Solution: image container 2 inherits from the same image as container 1, the common base image creates a common group, and both containers get the same group access.
Common base Dockerfile:
```
RUN groupadd -g 500 ssl-cert
```
Let's Encrypt image, letsencrypt-config.sh:
```
chgrp -R ssl-cert /etc/letsencrypt
```
mwaeckerlin/reverse-proxy Dockerfile:
```
RUN usermod -a -G ssl-cert www-data
```
mwaeckerlin/openldap Dockerfile:
```
RUN usermod -a -G ssl-cert openldap
```
That's it.
All of these show how to change user permissions in the entrypoint or during the build, or how to run all of Docker as a different user.
But after three days of searching the web, I may be missing a big point.
The recommendations and workarounds linked above or elsewhere do not work in any way.
Every volume mounted into a container is always owned by root:root inside the container. It does not matter whether UID/GID match or whether the owner on the host was changed beforehand.
From my point of view this is something very basic, and I cannot give up the hope that I am wrong.
I am trying to start a plain apache2 container with the document root mounted from the host, so that I can develop PHP source code without rebuilding the docker container.
```
root@win10:# docker run --rm -v /c/Users/<MyUser>/Development/www-data:/var/www/html -it httpd:2.4 /bin/bash
```
Inside the Docker container, the directory _/var/www/html_ is always owned by _root:root_, so my PHP app cannot fopen or write data in that folder.
Nothing works yet... :(
For anyone looking for a moderately elegant solution, check out what @elquimista suggested here. I tested it and it works well.

I've had good luck using https://github.com/boxboat/fixuid#specify-paths-and-behavior-across-devices. It sets up the user inside the container to match the user on the host.
Here is an example configuration for the image:
```
$ cat /etc/fixuid/config.yml
user: lion
group: lion
paths:
  - /home/lion
  - /home/lion/.composer/cache
  - /tmp
```
To run:
```
$ docker run --rm -it --init \
    -u 1000:1000 \
    -v `pwd`:/app \
    -v "$HOME/.composer/cache:/home/lion/.composer/cache" \
    --entrypoint='fixuid' \
    php:7.2-cli \
    /bin/bash
```
Note that this is also tricky if you use a storage system that does not support UNIX permissions and ownership. In that case the storage has to be mounted so that it already carries the correct uid for use inside the container, because trying to chown the files will fail. Things would be simpler if there were a way to tell docker to present files as owned by a particular uid, regardless of their ownership outside the container.

@tlhonmey
> If there were a way to tell docker to present files as owned by a particular uid
Not without a custom filesystem (e.g. bindfs).

@tlhonmey Yes, I was able to work around the "storage systems that don't support UNIX permissions" problem with a few symbolic links.
Basically, if you mount an NTFS drive with `-v ./HostNtfsStuff:/data/ntfsMount`, you create a symbolic link and chown that: `ln -s -T /data/ntfsMount /var/lib/myApp && chown -Rh myApp:myApp /var/lib/myApp/`
You can test it: `su myApp -c 'echo foo > /var/lib/myApp/bar' && cat /data/ntfsMount/bar`
My use was letting Windows developers run a MySQL container and persist to a mounted volume, but it applies to many apps.
So the solution is to either manually manage a set of uid:gid pairs and hope they do not collide across hosts or helper scripts, or to do the following:

> There is one way to make this work, but it has to be prepared in advance in the Dockerfile:
> ```
> RUN mkdir -p /var/lib/redis ; chown -R redis:redis /var/lib/redis
> VOLUME ["/var/lib/redis"]
> ENTRYPOINT ["usr/bin/redis-server"]
> USER redis
> ```
> (I haven't tested this example, I'm working in a Docker container that displays on a _separate_ X11 container....)

I had been using the last technique until today, when it broke while trying to bind-mount a container volume. There is no way you can make that work. The volume is created as root and the app inside cannot write to the volume as its user. The auto-population described in the VOLUME documentation does not seem to work with bind mounts either.
I saw this while reading the Dockerfile best practices; a helper script is what they recommend:
```
#!/usr/bin/env bash
set -e
if [ "$1" = 'postgres' ]; then
    chown -R postgres "$PGDATA"
    if [ -z "$(ls -A "$PGDATA")" ]; then
        gosu postgres initdb
    fi
    exec gosu postgres "$@"
fi
exec "$@"
```
So they use a recursive chown to make sure ownership is right on every startup, and then run the app as that user. `exec` forces PID 1 so signals work. Also, if you want to add something like a helper script to the volume that is used outside the container with the resulting data, you have to include that in the helper script too. However, I wonder whether there is a performance impact on container startup if the app stores a large number of files on the volume, especially if the storage is not local.
It seems there should be a better solution. Something like mapping the container's uid and gid to those of a specified user name and group on the host. Could Docker look at the container's /etc to understand that?

At least not without fuse; you cannot map uid/gids at the filesystem level.

> At least not without fuse; you cannot map uid/gids at the filesystem level.
That is a shame. What would the performance penalty be if Docker used such a fuse?
@mdegans
> So they use a recursive chown to make sure ownership is right on every startup
You don't need to run `chown` on every start. Instead, check the owner of the data directory and only do the recursive `chown` if it is wrong. Something like:
```
[ $(stat -c %U "$PG_DATA") == "postgres" ] || chown -R postgres "$PG_DATA"
```
So ideally this only happens on the first start.
Also, be very careful when running a container with an entrypoint script like this. If you mount your home directory into the container (for example), all of your files get converted to postgres.
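As an added example (not code from this thread, from the postgres image, or from any project mentioned here), the following POSIX shell entrypoint helper does the conditional chown described in the reply above and also guards against the mounted-home-directory case it warns about: it only recurses when the top-level owner is wrong, and it refuses when the directory already holds files owned by other users. `APP_USER`, `APP_DIR`, `FORCE_CHOWN` and the `gosu` call are illustrative assumptions:

```sh
#!/bin/sh
# Added example, not code from the thread or from any official image: an
# entrypoint helper that chowns a data directory only when its owner is wrong,
# and refuses to rewrite a mount that already holds other users' files (the
# "mounted $HOME" case warned about above). APP_USER, APP_DIR, FORCE_CHOWN and
# the gosu call are illustrative assumptions.
set -eu

# Print the numeric "uid:gid" owning a path.
owner_of() {
    stat -c '%u:%g' "$1"
}

# Succeed (return 0) when the directory is not yet owned by uid:gid,
# i.e. a chown is needed. Checks only the top-level directory, so the
# common case (already fixed on a previous start) costs one stat call.
needs_chown() {
    [ "$(owner_of "$1")" != "$2:$3" ]
}

# Succeed when the directory contains entries owned by someone other than
# uid or root. A recursive chown here would silently rewrite files that the
# application did not create.
has_foreign_files() {
    [ -n "$(find "$1" -mindepth 1 ! -user "$2" ! -user 0 -print -quit 2>/dev/null)" ]
}

# Fix ownership once (first start), unless the directory holds foreign files.
# Returns 0 when ownership is correct afterwards, 2 when it refused.
# Set FORCE_CHOWN=1 to override the refusal deliberately.
ensure_owner() {
    dir=$1; uid=$2; gid=$3
    if ! needs_chown "$dir" "$uid" "$gid"; then
        return 0
    fi
    if [ "${FORCE_CHOWN:-0}" != 1 ] && has_foreign_files "$dir" "$uid"; then
        echo "refusing to chown -R $dir: it contains files owned by other users" >&2
        return 2
    fi
    chown -R "$uid:$gid" "$dir"
}

# Entrypoint flow: start as root, fix ownership, then drop privileges.
# gosu/su-exec replace the shell so the application keeps PID 1 and signals.
run_as_app() {
    user=${APP_USER:-app}
    dir=${APP_DIR:-/var/lib/app}
    ensure_owner "$dir" "$(id -u "$user")" "$(id -g "$user")"
    exec gosu "$user" "$@"
}

# Only act as an entrypoint when a command was given; with no arguments the
# file just defines the functions above (so they can be sourced or tested).
if [ "$#" -gt 0 ]; then
    run_as_app "$@"
fi
```

Because the owner check is a single `stat` on the directory, the recursive walk only happens on first start; the refusal means a container started with `-v $HOME:/var/lib/app` fails loudly instead of converting the home directory to the application user.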
Good Docker image design would have the runtime user not be root, so how can it `chown` files...?

> Good Docker image design would have the runtime user not be root, so how can it chown files...?
Correct. There is nothing stopping you from switching to and from `root`, which is often necessary... just as you normally should not run things as `root` until you need to, at which point you can do one or more of:
```
sudo
su
USER root
```
According to: https://f1.holisticinfosecforwebdevelopers.com/chap03.html#vps-countermeasures-docker-the-default-user-is-root
In my humble opinion, the user of the Docker image has to make sure that the permissions of the mounted volume are set correctly.
This is very similar to what we traditionally did before containers. For example, when running nginx, you had to make sure the static HTML directory was owned by the proper user. You checked the worker user in the nginx.conf file, knowing it had to be able to open them, and set the permissions accordingly. In fact, all of this is documented in the nginx documentation.
This is just a Unix permissions issue; there is nothing new about Docker here. So perhaps the solution to this issue is better documentation in each Docker image about how ownership of mounted volumes should be handled. If I remember correctly, the nginx startup daemon checks that the directories have the correct ownership and simply fails if they are not set correctly.
It is true, however, that it looks different (it really isn't) because users may be defined inside the container rather than outside. But UIDs inside and outside are equivalent, so user foobar with UID 2000 may exist inside the container and not outside, yet UID 2000 can be set on files and directories outside. You have to switch from thinking in terms of names, as we humans did before, to thinking in terms of UID/GID.
Also, if you need to share a volume between two containers created by two different authors, things can get really difficult. Just setting permissions with the traditional Unix system (users, groups, etc.) may not solve the problem (there is no common UID or GID). I admit that since I have been using Docker I have been using POSIX ACLs a lot more. So you can assign three different user permissions to the same file: for example, a container writer with rw, a container reader with r, and a host user with r.
Another option: use the setgid flag on shared directories so that a common GID is applied. File masks can be applied using ACLs.

Before doing anything in the Docker container, run:
```
umask 0000
```
Dropping in late on this thread to reaffirm how useful this feature would be.
To be honest, I have been deploying containers for about a year now, and I think this is becoming a serious problem very quickly. Providing a solution at this level seems like the only sensible option.
Currently, quite a few Docker images choose to keep running their entrypoint as `root`, so that they can bootstrap directory and file permissions before dropping privileges and running the application process.
The real problem appears when you realize that not everyone can rely on this practice. On some common platforms such as Kubernetes and OpenShift, some environments may be configured not to allow privileged containers... for security. I cannot imagine how a large financial institution would consider adopting a container platform that handles sensitive information without that kind of restriction.
Because of the security concerns raised by the _entrypoint-as-root_ practice, many Kubernetes helm charts now provide `initContainers` so that they can `chown` and `chmod` volumes before the application container starts. This may sound like a good approach, but trust me when I say it: it is not.
In particular, the helm chart needs to be tightly coupled to the application runtime, so hardcoded `uids` and `gids` get scattered around. That information is hidden inside the container and is not readily available at deploy time.
There are several ways to work around this problem, but it keeps plaguing the whole deployment configuration as a _hack to make things work_. The number of deployments affected by this is growing rapidly, and the technique people rely on is the opposite of all the other benefits of container portability.
I hope there is a way to implement this as part of the OCI spec, so that Docker and other solutions relying on it can use it to provide fully automated deployments elegantly.
So the question becomes: is a common OCI spec being developed elsewhere on the internet, and where should that discussion take place? I assume that building this feature into Docker is not the best way (ultimately, through the requirement to conform in future to a commonly agreed standard).
Since the problem will not fix itself, the solution will require some very fundamental changes.
> initContainers that can chown and chmod volumes before the application container starts. This may sound like a good approach, but trust me when I say it: it is not.

FWIW; this feature is only needed in situations where files are shared across multiple namespaces (files that (previously) existed on the host, or a common file location shared between multiple containers running as different users). In situations where the files were pre-created on the host, this can be mitigated by making sure those files have the correct ownership and permissions before sharing them with the container. Effectively, this is no different from (for example) running nginx on the host and making sure the files in the web root have the correct permissions.
When sharing between containers running as different users, run both containers with the same `uid` (or `gid`) and set the correct group permissions, the same as you would when running two (non-containerized) processes that need access to the same resource.

> Some of those environments may be configured not to allow privileged containers... for security. I cannot imagine how a large financial institution would consider adopting a container platform that handles sensitive information without that kind of restriction.

Just to prevent confusion: a container running as `root` is not the same as a "privileged" container (`--privileged`, or options such as `--cap-add`). Privileged (`--privileged`) containers are highly insecure, whereas a container running as `root` is fully contained and cannot break out. Passing bind-mounted files/directories punches holes into that, because they give access to the files/directories passed as bind mounts.

> In particular, the helm chart needs to be tightly coupled to the application runtime, so hardcoded uids and gids get scattered around. That information is hidden inside the container and is not readily available at deploy time.

Wondering: if those uid/gids are not known, what would the UX look like? (Would you have to provide a uid/gid mapping to map host uid/gid to the (unknown) container uid/gid?)

> So the question becomes: is a common OCI spec being developed elsewhere on the internet, and where should that discussion take place?

(Unless I'm missing something) I don't think this requires a change to the OCI spec. This can be solved outside the OCI spec. The main issue is that a mechanism to map uid/gid is currently not in the kernel (or exists (e.g. `shiftfs`) but is not generally available).
That is the classic triangle of handing off responsibility / someone else can, or must, fix this problem. Either way:
The problem has already been stated effectively: making users do this is clunky and insecure. But the knock-on effect of making users do per-image mapping matters.
Namely, images from different users cannot easily interoperate or be shared/mixed to collaborate. So it is either that, or:
Forcing the use of `root`. That is insecure in specific ways, because it removes an extra layer of privilege-escalation protection you would otherwise have. The user is also already `root` inside the container from the start, which makes container-breakout vulnerabilities easier to exploit. Not to mention other services that may be running in the same container; that is another way to move laterally before breaking out. But that is the trade. The above is the current trade-off. Moving the responsibility elsewhere, to one or more of the other entities above, requires different trade-offs.
By the way, with regard to looking deeper into filesystem-based solutions, I found a potentially helpful comment whose links fan out to other places:
https://github.com/docker/compose/issues/3270#issuecomment-365644540
It has several different references to the same general feature (in other projects/places), such as a distributed filesystem (called "Lustre") and another issue about ZFS. And I happen to be using ZFS here, by the way.
Then I found another copy of the same bug on ubuntu/launchpad. It references the same ZOL#4177 issue:
https://bugs.launchpad.net/ubuntu/+source/zfs-linux/+bug/1567558
It indicates that the bug in question was fixed in zfs version 0.6.5.7 or so. Does this mean that zfs and ACLs might be usable in some way as a kind of mapping store, to shift uid and gid somehow? Well, that is something I had not considered before.
Perhaps that solution only works in LXC containers. He says so in his comment there (the leader of the LXC project): "we use setuid helpers (newuidmap and newgidmap), and they can set up the uid and gid mapping". So maybe there are some necessary mechanisms in LXC itself, without which the zfs acls part cannot be used? Or maybe I am wrong. I am not entirely sure I followed it correctly.
Another interesting link, this time about `shiftfs` and a discussion about the possibility of absorbing that feature into overlayfs. Which of course is the underlying filesystem docker already uses.
However, if the same mapping feature were implemented in `overlayfs`, what happens when the `zfs` storage driver is used instead as the underlying filesystem? If it is implemented per filesystem, do uid/gid shifting features have to be ruled out there? Or can both be implemented separately? Sorry, but I am a bit unclear about whether the Docker daemon needs to be aware of such shifting and provide a common API and flags (passed down to the fs driver layer). Or whether instead such shifting is done manually on the host side (in the filesystem, outside of Docker). That aspect remains a bit unclear to me.
[EDIT] Oops, forgot to include the link! Here it is:
https://lists.linuxfoundation.org/pipermail/containers/2018-June/039172.html

This issue is about volumes/bind-mounts, so it is separate from the container filesystem.
If the shiftfs features got merged into overlay, we would still need to use uid/gid shifting over the bind mount, and fall back to something else (or nothing) on unsupported systems.
Podman is a drop-in replacement for Docker that is rootless: https://www.youtube.com/watch?v=N0hSn5EwW8w https://podman.io/ . In podman, root is not used, so user permissions are handled correctly. Because of this issue our team switched to Podman and it works very well.

That makes no sense.
The same issue applies.
Note that docker has a rootless mode.
You can test Podman with the following commands. Unlike Docker, Podman has no separate daemon; everything runs under the user who runs the `podman` command. So files created inside podman are owned by the user who ran the `podman run ...` command.
```
kkimdev@ubuntu:~$ mkdir podman_test
kkimdev@ubuntu:~$ ls -agh podman_test
total 8.0K
drwxrwxr-x 2 kkimdev 4.0K Jun 27 04:23 .
drwxr-xr-x 8 kkimdev 4.0K Jun 27 04:23 ..
kkimdev@ubuntu:~$ podman run --rm -it -v ~/podman_test:/podman_test alpine
/ # cd /podman_test/
/podman_test # touch test_file
/podman_test # ls -agh
total 8K
drwxrwxr-x 2 root 4.0K Jun 27 02:24 .
drwxr-xr-x 20 root 4.0K Jun 27 02:24 ..
-rw-r--r-- 1 root 0 Jun 27 02:24 test_file
/podman_test #
kkimdev@ubuntu:~$ ls -agh podman_test/
total 8.0K
drwxrwxr-x 2 kkimdev 4.0K Jun 27 04:24 .
drwxr-xr-x 8 kkimdev 4.0K Jun 27 04:23 ..
-rw-r--r-- 1 kkimdev 0 Jun 27 04:24 test_file
```
This is not an appropriate place to advertise `podman`. If you have specific technical details about how it works that help solve this issue, it would be appropriate to discuss those, particularly as a potential solution to the issue being commented on. So far that is not the case, so please have that discussion elsewhere.
`podman`'s architecture is very different from Docker's, which may reduce the severity of this issue, but Docker cannot completely change how it works just to solve this one issue. There are reasons Docker is structured the way it is, and ignoring all of that history is frankly disingenuous.
@tianon Yes, of course both approaches have pros and cons. I only mentioned podman because running the container as the target user with podman specifically solves this technical issue, i.e. mounting volumes as a non-root user.
Look at the permissions of "test_file" created in the comment above. First I mount the "/podman_test" directory and write the "test_file" file inside the podman container. Then, when the user steps outside the container, you can see that the file is owned by "kkimdev", not root.

The problem is that "don't use Docker" is not a very constructive suggestion for fixing a Docker problem in Docker's issue tracker.
Yes, `podman` is designed in a different way, so this issue is not important for that tool, and that is fine, but it is completely off-topic here. Rootless has various trade-offs; it is fine for some people and not for others. It is improving over time (and mostly through kernel improvements), but it is still not a general solution for everyone.
This requires kernel changes, or a shim, for a general solution, as detailed above (@cpuguy83 and others are working on solving this in a general way).
Docker has had this particular issue open since 2013, and nearly six years later the pain has not been easy to improve. Podman is designed to be compatible with Docker, but solves Docker's design flaws (including running as an unprivileged user without needing a superuser Docker daemon).
If users can give other people advice on a GitHub issue, that is no problem at all. This is a community. Feel free to suggest whatever helps.
> There are reasons Docker is structured the way it is.
The same is true of `grep`. But if someone needs to search faster, I would recommend `ripgrep` in `grep`'s issue tracker. As long as the user's problem is solved and the user is happy, it does not matter whose issue tracker it is.
Podman doesn't work for you? No problem! But if replacing `docker` with `podman` in your infrastructure helps someone else, let them do it.
Podman's main argument is that it does not run a daemon, which is my main argument against it. How do I get back into the container after a reboot? I can't do it by hand, and everything else is just bad design. Also, Docker containers are owned by the system rather than by a user, which means root.
If you are the only user using Podman, Podman makes sense.
And to solve the issue: build the container with `COPY --chown ...:...`!
Also, Docker doesn't have that issue and I can control my Docker server remotely, which is important to me.
There are tools that generate one from a running container, but I don't recommend them; you should build cleanly from scratch.
I think we should get back on topic (IMHO the first piece of advice is fine, but everything else derails this issue and solves nothing).
@SuperSandro2000 Regarding your statements, see my replies below.

> How do I get back into the container after a reboot? I can't do it by hand, and everything else is just bad design.

Well, Podman is natively integrated with systemd (like almost everything else on almost all modern GNU/Linux distributions). So you do not have to maintain two supervisor systems (first start the Docker daemon with systemd, then run another round of starting containers with a separate configuration). With Podman you can control everything with systemd (i.e. the system you probably already have installed and running).

> Also, Docker containers are owned by the system rather than by a user, which means root.

If you don't want that, that is perfectly fine. You can run Podman as superuser, but you don't have to. In general this is considered a bad idea and increases the attack surface, because if someone can exploit the Docker daemon, they can control _everything_ on the system.

> If you are the only user using Podman, Podman makes sense.

That statement makes no sense. With Podman you can split things up on a single system, which is especially useful when many people work on the same system.

> And to solve the issue: build the container with `COPY --chown ...:...`!

The problem here is the _mounting_ of a container's volume at _runtime_. That has almost nothing to do with building an image.

> Also, Docker doesn't have that issue and I can control my Docker server remotely, which is important to me.

It does have exactly the bug this very post is filed under. But I don't have much experience with the networking details of either implementation; as I understand it, podman starts with the minimum possible network rules, and an unprivileged user cannot set up `veth` pairs.
To clarify, rootless Docker should give the same effect as podman.
That is because dockerd runs as a user, and root inside the container is mapped to that UID.
This has drawbacks, of course; it doesn't work if the daemon is shared among multiple users.
https://get.docker.com/rootless

On Jun 27, 2019 at 7:52 AM Alexander Adam <notifications@github.com> wrote:

> I think we should get back on topic (IMHO the first piece of advice is fine, but everything else derails this issue and solves nothing).
> @SuperSandro2000 https://github.com/SuperSandro2000 Regarding your statements, see my replies below.
> https://podman.io/blogs/2018/09/13/systemd.html https://osric.com/chris/accidental-developer/2018/12/docker-versus-podman-and-iptables/ https://osric.com/chris/accidental-developer/2018/12/using-docker-to-get-root-access/
@alexanderadam
> The problem here is the mounting of a container's volume at runtime. That has almost nothing to do with building an image.
My solution was to mount the directory and, if possible, bake it into the container.
That sounds like a hack, but I have switched over for now and it makes no difference to me. Anyway, thanks for explaining.

`podman` has the same problem if Apache inside the container runs as the `www` user. https://github.com/containers/libpod/issues/3990
The solution would be for the container to map the `www` user to the UID on the host when there is no `root` user in the container. I don't know whether that is possible.
If you run with `--read-only` (like the `readOnlyRootFilesystem` Kubernetes policy), you can do the following. It is based on the workaround @jpetazzo suggested.
Dockerfile:
```
FROM ubuntu
RUN groupadd -g 1001 appgroup && \
    useradd -u 1001 -g appgroup appuser
USER appuser
```
Then:
```
$ docker build . -t test
$ docker volume create somedir
$ docker run -v somedir:/some_dir alpine chown -R 1001:1001 /some_dir
```
Now when you run the Docker image and mount the volume, /some_dir belongs to the intended user:
```
$ docker run -it --read-only -v somedir:/some_dir test ls -lrt
...
dr-xr-xr-x  13 root    root        0 Nov  4 15:22 sys
drwxr-xr-x   2 appuser appgroup 4096 Nov  5 09:45 some_dir
drwxr-xr-x   1 root    root     4096 Nov  5 09:45 etc
...
$ docker run -it --read-only -v somedir:/some_dir test touch /some_dir/hello
$ docker run -it --read-only -v somedir:/some_dir test ls -lrt /some_dir
-rw-r--r-- 1 appuser appgroup 0 Nov  5 09:52 hello
```
I'll point out once more that chowned symlinks, which easily get lost in this thread, work in most scenarios. The drawback is that they need to be set up somehow, which often means replacing the entrypoint or the command with a script that runs the original command.
https://github.com/moby/moby/issues/2259#issuecomment-466094263
+1
I think this is the most annoying problem I have with docker, but given how long it has been open, I gather it does not apply to many other people(?)
It is fine once you know the workaround. In my case:
Host is Linux: run `setfacl` commands to give both the host user and the container user `rw` access.
Host is MacOS: everything works out of the box with the official Docker app.

> just run a few `setfacl` commands to give both the host user and the container user `rw` access
That's the problem. Having to run a few `setfacl` commands for every Docker image, and maybe detect the OS too.
This is actually also a big security issue.
Example scenario:
`host1` has docker installed. `host1` has several services running in Docker containers, all bind-mounted from the local host under `/docker/my-service-01|02|03|etc`. Following the `uid` and `gid` policy, each of them requires a matching `chown -R uid.gid /docker/my-service-01...` on the host. Result:
A regular user or service user created on `host` gets full access to `/docker/my-service-01|02|03|etc`, which is neither intended nor wanted. Matching the `uid.gid` with the containers that need it fails, because the `chown` cannot be run, since the `uid.gid` policies differ that much :)

Yes, I explained this issue in detail before, but the important fact conveyed (at the time) was that the Linux kernel had no underlying support mechanism for providing shiftable uids and gids. So for this project (moby/docker) to implement this very desirable feature, it must first be added to the kernel. Otherwise we would have had this feature a while ago, back when I first looked into it.
So the most productive way to continue this discussion (today) is: check whether anything about this situation has changed since then. Look for technical commentary from mainline Linux kernel developers on vger.org. Look for past patchsets / merge requests in the kernel for this fundamentally missing feature. I hope that helps to understand what is happening at that lower level. I.e. what is the blocker? Is it a performance problem? Are there objections in terms of the security model / weakening it? Is it not on the table yet, or is it on a future roadmap, only making sense after other features B and C can be implemented first? All of that kernel development happens elsewhere, in other channels.
@DXist Yes, the fact that it works like magic on OSX but not on Linux is surprising, and that in itself is a problem.

Following @dreamcat4's last comment, has anyone made a fresh attempt to find out what the status of this is? Is there kernel support for shiftable uid and gid? What is the overall status here?

To solve this completely, I used Linux user namespaces. It works exactly like other platforms (AFAICT): the container sees the bind-mounted volume as root, the host sees it as the user running docker.
Guide here: https://www.jujens.eu/posts/en/2017/Jul/02/docker-userns-remap/
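As an added example (not from the thread or the linked guide), the following shell functions show the arithmetic that `userns-remap` puts between the two views of a bind mount: the container's uid N appears on the host as `start + N`, where `start` and `count` come from the remapped user's line in `/etc/subuid` (rootless Docker uses the same files for the invoking user). The `dockremap` name and the file paths are assumptions; read the real values from your own host:

```sh
#!/bin/sh
# Added example, not code from the thread or from Docker: translate between
# container and host uids/gids under userns-remap (and rootless Docker, which
# uses the same /etc/subuid and /etc/subgid ranges). The "dockremap" user and
# the file paths are assumptions; your daemon.json "userns-remap" value and
# the contents of /etc/subuid on your host decide the real range.
set -eu

# Print "start count" for a user from a file in subuid/subgid format
# ("name:start:count" per line). Prints nothing if the user has no range.
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Map an id inside the container to the id the host sees:
#   host = start + container, valid only while container < count.
# Fails (returns 1, prints nothing) for an unknown user or an id out of range.
container_to_host() {
    range=$(subid_range "$1" "$2")
    [ -n "$range" ] || return 1
    start=${range% *}; count=${range#* }
    [ "$3" -ge 0 ] && [ "$3" -lt "$count" ] || return 1
    echo $((start + $3))
}

# The reverse: which container id does a host-side owner correspond to?
# Useful when `ls -n` on the host shows an owner like 100999.
host_to_container() {
    range=$(subid_range "$1" "$2")
    [ -n "$range" ] || return 1
    start=${range% *}; count=${range#* }
    [ "$3" -ge "$start" ] && [ "$3" -lt $((start + count)) ] || return 1
    echo $(($3 - start))
}

# Print the "uid:gid" a host-side chown must use so that the container,
# running as cuid:cgid under the remapped user, owns the bind-mounted path.
remapped_owner() {
    # $1 = subuid file, $2 = subgid file, $3 = remap user, $4 = cuid, $5 = cgid
    huid=$(container_to_host "$1" "$3" "$4") || return 1
    hgid=$(container_to_host "$2" "$3" "$5") || return 1
    echo "$huid:$hgid"
}
# Typical use on the host, before starting the container:
#   chown "$(remapped_owner /etc/subuid /etc/subgid dockremap 999 999)" /srv/pgdata
```

The practical consequence for this issue: with remapping on, a volume meant for container uid 999 must be chowned on the host to the value `remapped_owner` prints (100999 for a range starting at 100000), not to 999; and a host-side `ls -n` showing owner 100999 is "container root + 999", not an orphaned account.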
@patrobinson +1