时间戳

首页 > 解决方案 > docker 中的 docker 只读挂载是什么意思?

docker - docker 中的 docker 只读挂载是什么意思?

问题描述

相关文件

https://docs.docker.com/storage/bind-mounts/

对于某些开发应用程序,容器需要写入绑定挂载,因此更改会传播回 Docker 主机。在其他时候,容器只需要读取权限。

此示例修改了上面的示例,但通过将 ro 添加到(默认为空)选项列表中,在容器内的挂载点之后,将目录挂载为只读绑定挂载。如果存在多个选项,请用逗号分隔它们。

我希望这意味着无法从容器内写入以这种方式安装的文件夹。但是,如果我对示例进行最低限度的修改以给我一个 shell 会话并挂载根文件系统

~ $ docker run  \
      -it \
      --name devtest2 \
      --mount type=bind,source=/,target=/app,readonly \
      ubuntu:latest

我看到我以 root 身份从容器内对整个主机文件系统进行写访问。

root@bde1f19c1de2:/# cd /app/home/
# Creates directory in the host /home folder
root@bde1f19c1de2:/app/home# mkdir patata

那么安装是“ readonly”是什么意思。

我如何使它实际上是只读的?

我在 docker 17.05 中观察到了这种行为,因为它与 Ubuntu 值得信赖:

$ docker --version
Docker version 17.05.0-ce, build 89658be

标签: docker

解决方案

I don't know how you can use --mount option as it is only available for standalone container from Docker 17.06 and yours is 17.05. Ref

Originally, the -v or --volume flag was used for standalone containers and the --mount flag was used for swarm services. However, starting with Docker 17.06, you can also use --mount with standalone containers. In general, --mount is more explicit and verbose. The biggest difference is that the -v syntax combines all the options together in one field, while the --mount syntax separates them. Here is a comparison of the syntax for each flag.

That said i tried it out on docker 17.09 and still saw the same result as your decribed. Only to realise that the "readonly" option is working but your linux permissions are as such which is allowing anyone to write on it!

Since you are mounting / and writing to home directory which has 0755 permission by default https://superuser.com/questions/303910/ubuntu-default-access-mode-permissions-for-users-home-dir-home-user

0755 means public (anyone) read and execute. The execute is allowing you to execute the mkdir commandenter image description here

If you mount paths or folder which doesn't have public access then you will see the readonly option works irrective of it being a root user or not inside the container, which is you wont be allowed to write!

example I am mounting home directory which has a 0770 which is public doesn't have any access!

[root@jakku-admin-1 ~]# pwd
/root
[root@jakku-admin-1 ~]# ll
total 8
drwxr-xr-x. 2 root root 4096 Feb  7 21:19 archive
drwxrwx---. 2 root root 4096 Feb  7 20:38 home
[root@jakku-admin-1 ~]# docker run -it --name devtest --mount type=bind,source=`pwd`/home,target=/app,readonly ubuntu:latest
root@3ce55bba8904:/# ll
total 16
drwxr-xr-x.  22 root root  253 Feb  7 21:20 ./
drwxr-xr-x.  22 root root  253 Feb  7 21:20 ../
-rwxr-xr-x.   1 root root    0 Feb  7 21:20 .dockerenv*
drwxrwx---.   2 root root 4096 Feb  7 20:38 app/
drwxr-xr-x.   2 root root 4096 Jan 12 21:10 bin/
drwxr-xr-x.   2 root root    6 Apr 24  2018 boot/
drwxr-xr-x.   5 root root  360 Feb  7 21:20 dev/
drwxr-xr-x.  29 root root 4096 Feb  7 21:20 etc/
drwxr-xr-x.   2 root root    6 Apr 24  2018 home/
drwxr-xr-x.   8 root root   96 May 23  2017 lib/
drwxr-xr-x.   2 root root   34 Jan 12 21:10 lib64/
drwxr-xr-x.   2 root root    6 Jan 12 21:09 media/
drwxr-xr-x.   2 root root    6 Jan 12 21:09 mnt/
drwxr-xr-x.   2 root root    6 Jan 12 21:09 opt/
dr-xr-xr-x. 592 root root    0 Feb  7 21:20 proc/
drwx------.   2 root root   37 Jan 12 21:10 root/
drwxr-xr-x.   5 root root   58 Jan 16 01:20 run/
drwxr-xr-x.   2 root root 4096 Jan 16 01:20 sbin/
drwxr-xr-x.   2 root root    6 Jan 12 21:09 srv/
dr-xr-xr-x.  13 root root    0 Jan 29 22:42 sys/
drwxrwxrwt.   2 root root    6 Jan 12 21:10 tmp/
drwxr-xr-x.  10 root root  105 Jan 12 21:09 usr/
drwxr-xr-x.  11 root root  139 Jan 12 21:10 var/
root@3ce55bba8904:/# cd app/
root@3ce55bba8904:/app# ll
total 4
drwxrwx---.  2 root root 4096 Feb  7 20:38 ./
drwxr-xr-x. 22 root root  253 Feb  7 21:20 ../
root@3ce55bba8904:/app# mkdir test
mkdir: cannot create directory 'test': Read-only file system
root@3ce55bba8904:/app# touch test
touch: cannot touch 'test': Read-only file system

推荐阅读