我正在尝试在docker中创建一个多阶段构建,它只是运行一个非root crontab,它可以从容器外部访问卷.我有两个权限问题,有卷外部访问和cron:
> dockerfile中的第一个构建创建一个非root用户映像,其入口点和su-exec对于修复卷的权限非常有用!
>同一个dockerfile中的第二个构建使用第一个映像来运行crond进程,该进程通常写入/ backup文件夹.
用于构建dockerfile的docker-compose.yml文件:
version: '3.4'
services:
scrap_service:
build: .
container_name: "flight_scrap"
volumes:
- /home/rey/Volumes/mongo/backup:/backup
在DockerFile(1)的第一步中,我尝试将the answer given by denis bertovic调整为Alpine图像
############################################################
# STAGE 1
############################################################
# Create first stage image
FROM gliderlabs/alpine:edge as baseStage
RUN echo http://nl.alpinelinux.org/alpine/edge/testing >> /etc/apk/repositories
RUN apk add --update && apk add -f gnupg ca-certificates curl dpkg su-exec shadow
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
# ADD NON ROOT USER,i hard fix value to 1000,my current id
RUN addgroup scrapy
&& adduser -h /home/scrapy -u 1000 -S -G scrapy scrapy
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
我的docker-entrypoint.sh修复权限是:
#!/usr/bin/env bash
chown -R scrapy .
exec su-exec scrapy "$@"
第二阶段(2)运行cron服务以写入作为卷挂载的/ backup文件夹
############################################################
# STAGE 2
############################################################
FROM baseStage
MAINTAINER rey
ENV TZ=UTC
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apk add busybox-suid
RUN apk add -f tini bash build-base curl
# CREATE FUTURE VOLUME FOLDER WRITEABLE BY SCRAPY USER
RUN mkdir /backup && chown scrapy:scrapy /backup
# INIT NON ROOT USER CRON CRONTAB
COPY crontab /var/spool/cron/crontabs/scrapy
RUN chmod 0600 /var/spool/cron/crontabs/scrapy
RUN chown scrapy:scrapy /var/spool/cron/crontabs/scrapy
RUN touch /var/log/cron.log
RUN chown scrapy:scrapy /var/log/cron.log
# Switch to user SCRAPY already created in stage 1
WORKDIR /home/scrapy
USER scrapy
# SET TIMEZONE https://serverfault.com/questions/683605/docker-container-time-timezone-will-not-reflect-changes
VOLUME /backup
ENTRYPOINT ["/sbin/tini"]
CMD ["crond","-f","-l","8","-L","/var/log/cron.log"]
通常在/ backup volume文件夹中创建测试文件的crontab文件:
* * * * * touch /backup/testCRON
调查阶段:
>使用bash登录我的图像,似乎图像正确运行scrapy用户:
uid=1000(scrapy) gid=1000(scrapy) groups=1000(scrapy)
> crontab -e命令也提供了正确的信息
>但是第一个错误,cron运行不正常,当我cat /var/log/cron.log我有一个权限被拒绝错误
crond: crond (busybox 1.27.2) started,log level 8
crond: root: Permission denied
crond: root: Permission denied
>当我尝试使用命令touch / backup / testFile直接写入/ backup文件夹时,我还有第二个错误. / backup volume文件夹继续只能使用root权限访问,不知道原因.
