我试图在Docker中挂载一个主机目录,但然后我不能从容器中访问它,即使访问权限看起来不错。
我正在做
sudo docker run -i -v /data1/Downloads:/Downloads ubuntu bash
然后
ls -al
它给我:
total 8892
drwxr-xr-x. 23 root root 4096 Jun 18 14:34 .
drwxr-xr-x. 23 root root 4096 Jun 18 14:34 ..
-rwxr-xr-x. 1 root root 0 Jun 18 14:34 .dockerenv
-rwx------. 1 root root 9014486 Jun 17 22:09 .dockerinit
drwxrwxr-x. 18 1000 1000 12288 Jun 16 11:40 Downloads
drwxr-xr-x. 2 root root 4096 Jan 29 18:10 bin
drwxr-xr-x. 2 root root 4096 Apr 19 2012 boot
drwxr-xr-x. 4 root root 340 Jun 18 14:34 dev
drwxr-xr-x. 56 root root 4096 Jun 18 14:34 etc
drwxr-xr-x. 2 root root 4096 Apr 19 2012 home
还有很多这样的台词(我认为这是相关的部分)。
如果我这样做
cd /Downloads
ls
结果是
ls: cannot open directory .: Permission denied
主机版本为Fedora 20, Docker 1.0.0, go1.2.2。
哪里出了问题?
关于Volumes和SELinux的完整故事,请参阅Project Atomic的博客文章。
具体地说:
This got easier recently since Docker finally merged a patch which
will be showing up in docker-1.7 (We have been carrying the patch in
docker-1.6 on RHEL, CentOS, and Fedora).
This patch adds support for "z" and "Z" as options on the volume
mounts (-v).
For example:
docker run -v /var/db:/var/db:z rhel7 /bin/sh
Will automatically do the chcon -Rt svirt_sandbox_file_t /var/db
described in the man page.
Even better, you can use Z.
docker run -v /var/db:/var/db:Z rhel7 /bin/sh
This will label the content inside the container with the exact MCS
label that the container will run with, basically it runs chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db where s0:c1,c2 differs for
each container.
从access.redhat.com: Sharing_Data_Across_Containers:
Host volume settings are not portable, since they are host-dependent and might not work on any other machine.
For this reason, there is no Dockerfile equivalent for mounting host directories to the container. Also, be aware that the host system has no knowledge of container SELinux policy. Therefore, if SELinux policy is enforced, the mounted host directory is not writable to the container, regardless of the rw setting. Currently, you can work around this by assigning the proper SELinux policy type to the host directory":
chcon -Rt svirt_sandbox_file_t host_dir
Where host_dir is a path to the directory on host system that is mounted to the container.
这似乎只是一种变通办法,但我试过了,而且奏效了。
