php - 如何在容器docker中反射(reflect)主机权限？

Question

我知道无法更改通过卷共享的文件的权限，因为默认情况下，并且据我了解，docker容器的权限反射(reflect)了主机的权限，但是，这不会发生就我而言， docker 只是将所有文件的权限更改为755，某些文件必须具有特定权限。

主办:



Docker容器:



Docker文件:

FROM ubuntu:18.04

ARG DEBIAN_FRONTEND=noninteractive

#Updating operating system
RUN apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade

##Installing essential packages
RUN apt-get -y install apt-utils software-properties-common curl bash-completion vim git supervisor


## Add Scripts
ADD ./start.sh /start.sh
EXPOSE  80
STOPSIGNAL SIGTERM
#CMD ["/start.sh"]
ENTRYPOINT echo $XDEBUG_CONFIG >> /etc/php/7.3/fpm/php.ini && service php7.3-fpm start && nginx -g "daemon off;"

docker-compose.yml

volumes:
  - ${DOCUMENT_ROOT-./www}:/usr/share/nginx/html
  - ${VHOSTS_DIR-./config/nginx/sites-enabled}:/etc/nginx/sites-enabled
  - ${PHP_INI-./config/php/php.ini}:/etc/php/7.3/fpm/conf.d/php.ini
  - ${LOG_DIR-./logs/nginx}:/var/log/nginx

Answer 1

你的假设

I know that it is impossible to change the permissions of a file shared via volume

仅部分正确，实际上存在一组模式-:ro和:rw-您可以在通过docker-compose挂载卷时使用，如文档中所述:

Standard modes are ro for read-only and rw for read-write (default).

资料来源:https://docs.docker.com/compose/compose-file/#short-syntax-3

如果主机使用:Z，则还可以使用:z和selinux模式。

If you use selinux you can add the z or Z options to modify the selinux label of the host file or directory being mounted into the container. This affects the file or directory on the host machine itself and can have consequences outside of the scope of Docker.

• The z option indicates that the bind mount content is shared among multiple containers.
• The Z option indicates that the bind mount content is private and unshared.

Use extreme caution with these options. Bind-mounting a system directory such as /home or /usr with the Z option renders your host machine inoperable and you may need to relabel the host machine files by hand.

资料来源:https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

这是一个示例，在我的主机上，这是我的文件的权限:

~ # ls -la ro rw 
ro:
total 0
drwxr-xr-x  3 ben  staff   96 May 23 23:06 .
drwxr-xr-x  9 ben  staff  288 May 23 23:16 ..
-rw-r--r--  1 ben  staff    0 May 23 23:06 file

rw:
total 0
drwxr-xr-x  3 ben  staff   96 May 23 23:06 .
drwxr-xr-x  9 ben  staff  288 May 23 23:16 ..
-rwxr-xr-x  1 ben  staff    0 May 23 23:06 file

然后用这个docker-compose.yml

version: '3.8'

services:
  test:
    image: alpine
    volumes:
      - ./ro:/root/ro:Z
      - ./rw:/root/rw:Z
    command: sleep 100000000000

这是容器上的结果

~ # ls -la ro rw
ro:
total 4
drwxr-xr-x    3 root     root            96 May 23 21:06 .
drwx------    1 root     root          4096 May 23 21:17 ..
-rw-r--r--    1 root     root             0 May 23 21:06 file

rw:
total 4
drwxr-xr-x    3 root     root            96 May 23 21:06 .
drwx------    1 root     root          4096 May 23 21:17 ..
-rwxr-xr-x    1 root     root             0 May 23 21:06 file