我在 Ubuntu 22.04 上无根运行 Docker
version 24.0.7, build afdd53b在主机上:
$ cat /etc/group
...
docker:x:999:gpeterso,mjl
mjl:x:3251:gpeterso
$ cat /etc/subuid
gpeterso:100000:65536
mjl:200000:65536
$ cat /etc/subgid
gpeterso:100000:65536
mjl:200000:65536
$ ls -al /home/gpeterso/mjl-dev/web/logs/
total 8
drwxrwxr-x 2 mjl mjl 4096 Dec 13 11:06 .
drwxrwxr-x 8 mjl mjl 4096 Sep 29 12:59 ..
然后启动 docker 容器并检查它:
$ docker inspect mjl-dev-web
[
{
...
"Driver": "overlay2",
"Platform": "linux",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
...
"HostConfig": {
"Binds": [
...
"/home/gpeterso/mjl-dev/web/logs/:/usr/local/ROOT/logs/",
...
],
"Mounts": [
...
{
"Type": "bind",
"Source": "/home/gpeterso/mjl-dev/web/logs",
"Destination": "/usr/local/ROOT/logs",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
},
...
],
"Config": {
...
"User": "mjl",
...
]
然后我连接到容器并尝试访问该目录:
$ docker exec -it mjl-dev-web /bin/bash
5af614bba1c8:/usr/local/ROOT$ cd logs
5af614bba1c8:/usr/local/ROOT/logs$ ls -al
total 8
drwxrwxr-x 2 nobody nobody 4096 Dec 13 11:06 .
drwxr-xr-x 1 root root 4096 Dec 13 11:20 ..
5af614bba1c8:/usr/local/ROOT/logs$ echo 'hi' >test.txt
bash: test.txt: Permission denied
5af614bba1c8:/usr/local/ROOT$ whoami
mjl
docker容器显示映射的文件夹RW(读和写)。所以我认为这一定是用户混淆了?为什么我的映射驱动器显示为 nobody 或 root 而不是 mjl?我尝试过
sudo systemctl restart docker这不是混淆,这就是用户命名空间的工作方式。容器中的uid/gid根据subuid/subgid条目进行移动。因此容器中的 uid/gid 0/0 被映射到主机上的 200000/200000。文件系统挂载上没有 uid/gid 映射,因此如果 uid 200000 无权写入主机上的文件,容器中的 uid 0 也无权写入文件。