Docker data volume container: I can't seem to make a backup

Tags: docker

Having read these links:

  1. https://docs.docker.com/userguide/dockervolumes/#backup-restore-or-migrate-data-volumes
  2. Backing up data volume containers off machine

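My understanding is that I can take a data volume container and archive a backup of it. But having read the first link, I can't seem to get it to work.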

docker create -v /sonatype-work --name sonatype-work sonatype/nexus /bin/true

I start the sonatype/nexus image in a container using:

--volumes-from sonatype-nexus

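Great. After running nexus, I inspect the data volume and can see the internal structure that was created; I then stop and remove nexus and start it again, and all the changes are saved.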

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
f84abb054d2e        sonatype/nexus      "/bin/sh -c 'java   -"   22 seconds ago      Up 21 seconds       0.0.0.0:8081->8081/tcp   nexus
1aea2674e482        sonatype/nexus      "/bin/true"              25 seconds ago      Created                                      sonatype-work

I now want to back up sonatype-work, but without success.

[root@ansible22 ~]# pwd
/root
[root@ansible22 ~]# docker run --volumes-from sonatype-work -v $(pwd):/backup ubuntu tar cvf /backup/sonatype-work-backup.tar /sonatype-work
tar: /backup/sonatype-work-backup.tar: Cannot open: Permission denied
tar: Error is not recoverable: exiting now

I have tried running with -u root, and I have also tried:

/root/sonatype-work-backup.tar

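When doing this I can see it tarring, but I can't see the tar file. Based on the example and my understanding, I don't think that is right.

Can anyone see what I'm doing wrong?

Edit: Linux version info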

Fedora release 22 (Twenty Two)
NAME=Fedora
VERSION="22 (Twenty Two)"
ID=fedora
VERSION_ID=22
PRETTY_NAME="Fedora 22 (Twenty Two)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:22"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=22
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=22
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Server Edition"
VARIANT_ID=server
Fedora release 22 (Twenty Two)
Fedora release 22 (Twenty Two)

Best answer

The reason has to do with SELinux labels. There are a couple of good Project Atomic pages:

Docker and Linux

The default type for a confined container process is svirt_lxc_net_t. This type is permitted to read and execute all files types under /usr and most types under /etc. svirt_lxc_net_t is permitted to use the network but is not permitted to read content under /var, /home, /root, /mnt … svirt_lxc_net_t is permitted to write only to files labeled svirt_sandbox_file_t and docker_var_lib_t. All files in a container are labeled by default as svirt_sandbox_file_t.

And then in Using Volumes with Docker can Cause Problems with SELinux:

This will label the content inside the container with the exact MCS label that the container will run with, basically it runs chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db where s0:c1,c2 differs for each container.

(In this case it is not /var/db but /root)

If you volume mount a image with -v /SOURCE:/DESTINATION:z docker will automatically relabel the content for you to s0. If you volume mount with a Z, then the label will be specific to the container, and not be able to be shared between containers.

So both z and Z would work in this case, but in general one might prefer Z for the isolation.
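The relabeling described in the answer, as an added example that is not part of the original question or answer: because docker relabels the whole bind-mounted tree, mounting /root itself with :Z would relabel everything under /root, so this sketch builds the backup command against a dedicated directory and refuses a short deny-list of system directories. The function names, the deny-list, and /root/nexus-backups are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Dry run: it only prints the
# docker command. Assumes paths contain no whitespace.

# Return 0 if DIR is a system or home directory that should not be relabeled.
# Minimal deny-list (an assumption); extend it for your hosts.
is_unsafe_relabel_target() {
    case "${1%/}" in
        ""|/root|/home|/usr|/etc|/var|/boot|/mnt|/tmp) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the -v argument for the backup bind mount.
# MODE Z = label private to this container, z = label shared between containers.
backup_mount_arg() {
    dir=$1
    mode=${2:-Z}
    case "$mode" in
        z|Z) ;;
        *) echo "mode must be z or Z" >&2; return 2 ;;
    esac
    if is_unsafe_relabel_target "$dir"; then
        echo "refusing to relabel $dir; use a dedicated backup directory" >&2
        return 1
    fi
    printf '%s:/backup:%s\n' "${dir%/}" "$mode"
}

# Print the full backup command for a data volume container.
backup_command() {
    volumes_from=$1
    data_path=$2
    backup_dir=$3
    mount_arg=$(backup_mount_arg "$backup_dir" "${4:-Z}") || return $?
    name=$(basename "$data_path")
    printf 'docker run --rm --volumes-from %s -v %s ubuntu tar cvf /backup/%s-backup.tar %s\n' \
        "$volumes_from" "$mount_arg" "$name" "$data_path"
}

# Constructed values: /root/nexus-backups is a hypothetical dedicated directory
# (create it first with: mkdir -p /root/nexus-backups).
backup_command sonatype-work /sonatype-work /root/nexus-backups Z
```

After a real run, `ls -Zd /root/nexus-backups` should show the svirt_sandbox_file_t type on the directory, while the rest of /root keeps its original label.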

Regarding "Docker data volume container: I can't seem to make a backup", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33192786/
