docker - Ubuntu Docker 容器权限被拒绝 StreamWriter

Question

我有一个运行 .Net Core 5 应用程序的非常简单的 docker 容器。镜像的 docker 文件是:

FROM mcr.microsoft.com/dotnet/runtime:5.0-focal 

RUN apt-get update && apt-get install -y libgdiplus

WORKDIR /dockercontext
COPY . ./
ENTRYPOINT ["dotnet", "myproject.dll"]

主机运行的是 Ubuntu 20.04。
我的应用程序的一部分对文件方法有一个简单的输出:

 public async static Task WriteTextToFileAsync(string fileName, string text, bool append)
 {
   CreateDirectoryIfNotExists(fileName);
   using (StreamWriter outfile = new StreamWriter(fileName, append))
   {
     await outfile.WriteAsync(text).ConfigureAwait(false);                
   }
 }

该过程失败并出现以下错误:

[System.UnauthorizedAccessException: Access to the path '/mount/output/Runs/27a02b9a-179d-4794-a9de-8e4153fa0b41/Messages/message.xml' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at System.IO.FileStream.WriteNative(ReadOnlySpan`1 source)
   at System.IO.FileStream.FlushWriteBuffer()
   at System.IO.FileStream.Dispose(Boolean disposing)
   at System.IO.Stream.Close()
   at System.IO.StreamWriter.CloseStreamFromDispose(Boolean disposing)
   at System.IO.StreamWriter.Dispose(Boolean disposing)
   at System.IO.TextWriter.Dispose()
   at PKTestingSharedLibrary.HelperFunctions.WriteTextToFileAsync(String fileName, String text, Boolean append) 

docker 容器有几个挂载的驱动器:

sudo docker container create --name worker -v /mount/qzhzntgf6r5uaxjp2vov/prdct-other/prdct-test/configs:/mount/configs -v /mount/qzhzntgf6r5uaxjp2vov/prdct-other/prdct-test/catalogs:/mount/catalogs -v /mount/sgbatchprdctother/output:/mount/output imagename:tag

这些装载的驱动器是装载到 Linux 主机的 Azure 存储文件共享。我已经将 docker 容器执行到正在运行的容器中，并且可以 cd 到 Messages 文件夹，并且可以使用 bash 在那里编写简单的文件。我检查了容器内所有正在运行的进程，我可以看到我的应用程序以 root 用户身份运行:

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  4.5 3582108 184988 ?      Ssl  Sep02   0:22 dotnet myproject.dll

我不确定还能尝试什么。我的 linux 主机和 docker 容器没有运行 SE Linux。该文件在该位置创建，但没有内容。

Answer 1

好的，经过大量搜索后，我遇到了这个问题:
https://github.com/dotnet/runtime/issues/42790#issuecomment-817758887

I ran into this and wasn't in a position to change all our code that writes files to CIFS shares. I investigated different kernel versions as it appeared to happen after we upgraded the OS on our hosts. It turned out to be introduced in kernel v5.5.1, in fact this commit: torvalds/linux@d067799. I managed to work around it by mounting our cifs shares using the nobrl option. From https://linux.die.net/man/8/mount.cifs:

nobrl Do not send byte range lock requests to the server. This is necessary for certain applications that break with cifs style mandatory byte range locks (and most cifs servers do not yet support requesting advisory byte range locks).

After remounting shares including this option the problem went away.

使用 nobrl 命令挂载我的 azure 文件共享解决了我的问题。