我正在尝试在Docker中创建一个多阶段构建,它简单地运行一个非root的crontab,并将写入可从容器外部访问的卷。我遇到了两个问题:权限、卷的外部访问和cron:
在 DockerFile 的第一步骤中 (1),我尝试将 Denis Bertovic 给出的答案应用于 Alpine 镜像。 (链接)
第二阶段(2)运行cron服务,将数据写入已挂载为卷的/backup文件夹。
- dockerfile中的第一个构建使用entry-point和su-exec创建了一个非root用户镜像,有助于通过volume解决权限问题!
- 在同一dockerfile中的第二个构建使用第一个镜像来运行crond进程,通常会写入/backup文件夹。
version: '3.4'
services:
scrap_service:
build: .
container_name: "flight_scrap"
volumes:
- /home/rey/Volumes/mongo/backup:/backup
在 DockerFile 的第一步骤中 (1),我尝试将 Denis Bertovic 给出的答案应用于 Alpine 镜像。 (链接)
############################################################
# STAGE 1
############################################################
# Create first stage image
FROM gliderlabs/alpine:edge as baseStage
RUN echo http://nl.alpinelinux.org/alpine/edge/testing >> /etc/apk/repositories
RUN apk add --update && apk add -f gnupg ca-certificates curl dpkg su-exec shadow
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
# ADD NON ROOT USER, i hard fix value to 1000, my current id
RUN addgroup scrapy \
&& adduser -h /home/scrapy -u 1000 -S -G scrapy scrapy
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
我用于修复权限的docker-entrypoint.sh
脚本如下:
#!/usr/bin/env bash
chown -R scrapy .
exec su-exec scrapy "$@"
第二阶段(2)运行cron服务,将数据写入已挂载为卷的/backup文件夹。
############################################################
# STAGE 2
############################################################
FROM baseStage
MAINTAINER rey
ENV TZ=UTC
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apk add busybox-suid
RUN apk add -f tini bash build-base curl
# CREATE FUTURE VOLUME FOLDER WRITEABLE BY SCRAPY USER
RUN mkdir /backup && chown scrapy:scrapy /backup
# INIT NON ROOT USER CRON CRONTAB
COPY crontab /var/spool/cron/crontabs/scrapy
RUN chmod 0600 /var/spool/cron/crontabs/scrapy
RUN chown scrapy:scrapy /var/spool/cron/crontabs/scrapy
RUN touch /var/log/cron.log
RUN chown scrapy:scrapy /var/log/cron.log
# Switch to user SCRAPY already created in stage 1
WORKDIR /home/scrapy
USER scrapy
# SET TIMEZONE https://serverfault.com/questions/683605/docker-container-time-timezone-will-not-reflect-changes
VOLUME /backup
ENTRYPOINT ["/sbin/tini"]
CMD ["crond", "-f", "-l", "8", "-L", "/var/log/cron.log"]
通常情况下,crontab文件会在/backup
卷文件夹中创建一个测试文件:
* * * * * touch /backup/testCRON
调试阶段:
Login into my image with bash, it seems image correctly run the scrapy user :
uid=1000(scrapy) gid=1000(scrapy) groups=1000(scrapy)
The
crontab -e
command also gives the correct informationBut first error, cron don't run correctly, when i
cat /var/log/cron.log
i have a permission denied errorcrond: crond (busybox 1.27.2) started, log level 8 crond: root: Permission denied crond: root: Permission denied
I have also a second error when I try to write directly into the /backup folder using the command
touch /backup/testFile
. The/backup
volume folder continue to be only accessible using root permission, don't know why.