我使用以下命令来运行 docker 容器,并从主机映射目录(/root/database
) 到容器(/tmp/install/database
):
# docker run -it --name oracle_install -v /root/database:/tmp/install/database bofm/oracle12c:preinstall bash
但是在容器中,我发现我无法使用ls
列出内容/tmp/install/database/
虽然我是root
并拥有所有特权:
[root@77eb235aceac /]# cd /tmp/install/database/
[root@77eb235aceac database]# ls
ls: cannot open directory .: Permission denied
[root@77eb235aceac database]# id
uid=0(root) gid=0(root) groups=0(root)
[root@77eb235aceac database]# cd ..
[root@77eb235aceac install]# ls -alt
......
drwxr-xr-x. 7 root root 4096 Jul 7 2014 database
I check /root/database
在主机中,一切看起来都很好:
[root@localhost ~]# ls -lt
......
drwxr-xr-x. 7 root root 4096 Jul 7 2014 database
为什么docker容器提示“权限被拒绝”?
Update:
根本原因与SELinux
。其实我也遇到过类似的issue https://stackoverflow.com/questions/30091681/why-does-docker-prompt-permission-denied-when-backing-up-the-data-volume去年。
容器内对共享目录的权限被拒绝可能是由于该共享目录存储在设备上。默认情况下容器无法访问任何设备。添加选项$docker run --privileged
允许容器访问all设备并执行内核调用。这不被认为是安全的。
共享设备的一种更简洁的方法是使用该选项docker run --device=/dev/sdb
(if /dev/sdb
是您要共享的设备)。
从手册页:
--device=[]
Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
--privileged=true|false
Give extended privileges to this container. The default is false.
By default, Docker containers are “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the Docker container. This is because by default a container is not allowed to access any devices. A “privileged” container is given access to all devices.
When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor to allow the container nearly all the same access to the host as processes running outside of a container on the host.
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)