python 应用程序尝试将日志文件写入 docker 中的共享卷时权限被拒绝
Permission denied when python app tries to write log file into shared volume in docker
我正在尝试使用非 root 用户在 docker 中为 运行 编写一个简单的 python 应用程序,我想登录日志文件的共享卷。
docker-compose.yml
version: '3.7'
services:
testapp:
hostname: pythonapp
container_name: pythonapp
build:
context: .
dockerfile: Dockerfile
environment:
- TZ=Europe/Rome
ports:
- "8080:8080"
volumes:
- ./log:/home/pythonapp/src/log
docker 构建文件
FROM python:3
# set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1
# Create a user with given UID.
RUN useradd -m -u 5000 pythonapp
USER pythonapp
RUN id
RUN mkdir -p /home/pythonapp/src/log
RUN chown -R pythonapp:pythonapp /home/pythonapp
WORKDIR /home/pythonapp/src
## copy from host to container files
COPY --chown=pythonapp:pythonapp . .
## install dependencies
RUN pip install --user --upgrade pip
RUN pip install --user -r requirements.txt
CMD ["python", "/home/pythonapp/src/pythonapp.py", "-p", "8080"]
在构建映像之前,我在主机中创建了日志文件夹。
mkdir log
ls -la
>>> drwxrwxr-x 2 tabita tabita 4096 ott 2 19:16 log
setfacl -m u:5000:rwx ./log
ls -la
>>> drwxrwxr-x+ 2 tabita tabita 4096 ott 2 19:16 log
getfacl log/
>>># file: log/
# owner: tabita
# group: tabita
user::rwx
user:5000:rw-
group::rwx
mask::rwx
other::r-x
然后我使用 docker-compose
创建了图像
docker-compose -f docker-compose.yml up --build -v
但是,我在这里遇到错误
pythonapp | /home/pythonapp/src
pythonapp | pythonapp
pythonapp | uid=5000(pythonapp) gid=5000(pythonapp) groups=5000(pythonapp)
pythonapp | Traceback (most recent call last):
pythonapp | File "/home/pythonapp/src/ssh_honeypot.py", line 28, in <module>
pythonapp | logging.basicConfig(
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 2003, in basicConfig
pythonapp | h = FileHandler(filename, mode,
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 1146, in __init__
pythonapp | StreamHandler.__init__(self, self._open())
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 1175, in _open
pythonapp | return open(self.baseFilename, self.mode, encoding=self.encoding,
pythonapp | PermissionError: [Errno 13] Permission denied: '/home/pythonapp/src/log/pythonapp.log'
pythonapp exited with code 1
调试中
我试图进入容器并在日志文件夹中创建一个文件。我可以创建一个,但在主机系统中我看不到创建的文件。
你能帮帮我吗?
我已经用这个脚本试过你的文件了:
# pythonapp.py
with open('/home/pythonapp/src/log/test.txt', 'w') as f:
f.write("Hello world!")
只有当 x 访问权限授予用户 5000 时,它才能很好地工作。
需要此权限才能浏览日志目录。
关于您的输出,目前权限为 rw-
getfacl log/
>>># file: log/
...
user:5000:rw-
...
由于你的程序看起来很准确,你能不能从这里再试一次:
log is under my working directory
- 为
UID:5000 的用户添加权限:
setfacl -m u:5000:rwx log
- 检查权限,需要
rwx
I think --tabular is a good option to view ACL permissions
getfacl --tabular log
# file: log
USER <myuser> rwx
user 5000 rwx
GROUP <myuser> rwx
mask rwx
other r-x
- pythonapp.py log目录下应该可以写:
docker-compose up --build
Step 13/13 : CMD ["python", "/home/pythonapp/src/pythonapp.py", "-p", "8080"]
---> Using cache
---> fcd2afb9f961
Successfully built fcd2afb9f961
Successfully tagged so_testapp:latest
Starting pythonapp ... done
Attaching to pythonapp
pythonapp exited with code 0
我正在尝试使用非 root 用户在 docker 中为 运行 编写一个简单的 python 应用程序,我想登录日志文件的共享卷。
docker-compose.yml
version: '3.7'
services:
testapp:
hostname: pythonapp
container_name: pythonapp
build:
context: .
dockerfile: Dockerfile
environment:
- TZ=Europe/Rome
ports:
- "8080:8080"
volumes:
- ./log:/home/pythonapp/src/log
docker 构建文件
FROM python:3
# set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1
# Create a user with given UID.
RUN useradd -m -u 5000 pythonapp
USER pythonapp
RUN id
RUN mkdir -p /home/pythonapp/src/log
RUN chown -R pythonapp:pythonapp /home/pythonapp
WORKDIR /home/pythonapp/src
## copy from host to container files
COPY --chown=pythonapp:pythonapp . .
## install dependencies
RUN pip install --user --upgrade pip
RUN pip install --user -r requirements.txt
CMD ["python", "/home/pythonapp/src/pythonapp.py", "-p", "8080"]
在构建映像之前,我在主机中创建了日志文件夹。
mkdir log
ls -la
>>> drwxrwxr-x 2 tabita tabita 4096 ott 2 19:16 log
setfacl -m u:5000:rwx ./log
ls -la
>>> drwxrwxr-x+ 2 tabita tabita 4096 ott 2 19:16 log
getfacl log/
>>># file: log/
# owner: tabita
# group: tabita
user::rwx
user:5000:rw-
group::rwx
mask::rwx
other::r-x
然后我使用 docker-compose
创建了图像docker-compose -f docker-compose.yml up --build -v
但是,我在这里遇到错误
pythonapp | /home/pythonapp/src
pythonapp | pythonapp
pythonapp | uid=5000(pythonapp) gid=5000(pythonapp) groups=5000(pythonapp)
pythonapp | Traceback (most recent call last):
pythonapp | File "/home/pythonapp/src/ssh_honeypot.py", line 28, in <module>
pythonapp | logging.basicConfig(
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 2003, in basicConfig
pythonapp | h = FileHandler(filename, mode,
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 1146, in __init__
pythonapp | StreamHandler.__init__(self, self._open())
pythonapp | File "/usr/local/lib/python3.9/logging/__init__.py", line 1175, in _open
pythonapp | return open(self.baseFilename, self.mode, encoding=self.encoding,
pythonapp | PermissionError: [Errno 13] Permission denied: '/home/pythonapp/src/log/pythonapp.log'
pythonapp exited with code 1
调试中
我试图进入容器并在日志文件夹中创建一个文件。我可以创建一个,但在主机系统中我看不到创建的文件。
你能帮帮我吗?
我已经用这个脚本试过你的文件了:
# pythonapp.py
with open('/home/pythonapp/src/log/test.txt', 'w') as f:
f.write("Hello world!")
只有当 x 访问权限授予用户 5000 时,它才能很好地工作。
需要此权限才能浏览日志目录。
关于您的输出,目前权限为 rw-
getfacl log/
>>># file: log/
...
user:5000:rw-
...
由于你的程序看起来很准确,你能不能从这里再试一次:
log is under my working directory
- 为
UID:5000的用户添加权限:setfacl -m u:5000:rwx log - 检查权限,需要
rwxI think --tabular is a good option to view ACL permissions
getfacl --tabular log # file: log USER <myuser> rwx user 5000 rwx GROUP <myuser> rwx mask rwx other r-x - pythonapp.py log目录下应该可以写:
docker-compose up --build
Step 13/13 : CMD ["python", "/home/pythonapp/src/pythonapp.py", "-p", "8080"] ---> Using cache ---> fcd2afb9f961 Successfully built fcd2afb9f961 Successfully tagged so_testapp:latest Starting pythonapp ... done Attaching to pythonapp pythonapp exited with code 0