Permission denied in a Docker container even though the user has the permissions
This is what I did:

$ docker run -it --rm tomcat:8.5-alpine sh
/usr/local/tomcat # adduser -D -g '' -u 1000 user
/usr/local/tomcat # chown -R user:user $CATALINA_HOME
/usr/local/tomcat # su user -c 'catalina.sh run'
sh: catalina.sh: Permission denied
/usr/local/tomcat # echo $CATALINA_HOME
/usr/local/tomcat
/usr/local/tomcat # ls -la $CATALINA_HOME
total 128
drwxr-xr-x   20 user     user          4096 Dec  4 00:47 .
drwxr-xr-x   10 root     root          4096 Dec  4 00:47 ..
-rw-r-----    1 user     user         57092 Nov  3 21:16 LICENSE
-rw-r-----    1 user     user          1723 Nov  3 21:16 NOTICE
-rw-r-----    1 user     user          7063 Nov  3 21:16 RELEASE-NOTES
-rw-r-----    1 user     user         15946 Nov  3 21:16 RUNNING.txt
drwxr-x---    2 user     user          4096 Dec  4 00:47 bin
drwx------    2 user     user          4096 Dec  4 00:47 conf
drwxr-xr-x    4 user     user          4096 Dec  4 00:47 include
drwxr-x---    2 user     user          4096 Dec  4 00:47 lib
drwxr-x---    2 user     user          4096 Nov  3 21:14 logs
drwxr-xr-x    4 user     user          4096 Dec  4 00:47 native-jni-lib
drwxr-x---    2 user     user          4096 Dec  4 00:47 temp
drwxr-x---   12 user     user          4096 Dec  4 00:47 webapps
drwxr-x---    2 user     user          4096 Nov  3 21:14 work
/usr/local/tomcat # su user -c 'ls -la /usr/local/tomcat/bin'
ls: can't open '/usr/local/tomcat/bin': Permission denied
total 0
/usr/local/tomcat # su user -c 'ls -la /usr/local/tomcat/include'
total 12
drwxr-xr-x    4 user     user          4096 Dec  4 00:47 .
drwxr-xr-x   20 user     user          4096 Dec  4 00:47 ..
drwxr-xr-x    2 user     user          4096 Nov 17 23:45 apr-1
I don't understand why my newly created user `user` cannot access /usr/local/tomcat/bin while it can access /usr/local/tomcat/include: `user` has all the user and group permissions...

I get the same result if I launch docker with --privileged=true (docker run --privileged=true -it --rm tomcat:8.5-alpine sh), and this docker image does not seem to use SELinux, since su -c "setenforce 0" gives the error ash: setenforce: not found.

I am using Docker version 1.12.3, build 6b644ec on Ubuntu 14.04.5 LTS.

Does this correspond to a bug in Docker with the AUFS driver?
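A diagnostic for the situation the session above shows, added here and not part of the original question: for a directory such as $CATALINA_HOME/bin it predicts access from plain ownership and mode bits against the caller's uid and gids, then compares that with what the kernel actually grants, so a "DAC predicts yes, kernel grants no" mismatch points away from ownership and toward something else (an LSM, the storage driver). It assumes GNU/BusyBox `stat -c` and `id -G`, and is meant to be run as the denied user (for example via `su user -c`).

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Compares classic DAC
# (owner/group/mode bits vs. the caller's uid and gids) with the access the
# kernel really grants for a directory. Assumes GNU/BusyBox stat and id.

in_groups() {            # is gid $1 among the caller's groups?
  for g in $(id -G); do [ "$g" -eq "$1" ] && return 0; done
  return 1
}

expected_dir_access() {  # prints yes/no from uid, gids and mode bits only
  set -- "$1" $(stat -c '%u %g %a' "$1")     # $1 path, $2 uid, $3 gid, $4 mode
  [ "$(id -u)" -eq 0 ] && { echo yes; return; }   # root bypasses DAC checks
  mode=000$4; mode=${mode#"${mode%???}"}     # keep the last three octal digits
  if [ "$(id -u)" -eq "$2" ]; then bits=${mode%??}          # owner class
  elif in_groups "$3"; then bits=${mode#?}; bits=${bits%?}  # group class
  else bits=${mode#??}; fi                                  # other class
  # listing a directory needs read (4), entering it needs search/execute (1)
  if [ $(( bits & 4 )) -ne 0 ] && [ $(( bits & 1 )) -ne 0 ]; then echo yes; else echo no; fi
}

actual_dir_access() {    # prints yes/no from what the kernel really allows
  if [ -r "$1" ] && [ -x "$1" ]; then echo yes; else echo no; fi
}

diagnose_dir() {         # one verdict per path, e.g. diagnose_dir "$CATALINA_HOME/bin"
  printf '%s owner:group mode = %s   caller uid=%s gids=%s\n' \
    "$1" "$(stat -c '%U:%G %a' "$1")" "$(id -u)" "$(id -G)"
  printf 'DAC predicts: %s   kernel grants: %s\n' \
    "$(expected_dir_access "$1")" "$(actual_dir_access "$1")"
}
```

Run it for both bin and include from the same `su user -c` shell; in the question's session bin should print "yes" for both columns if ownership alone decided access.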
This looks like a Security-Enhanced Linux issue.

First try:

su -c "setenforce 0"

Or run the container with --privileged:

docker run --privileged=true -it --rm tomcat:8.5-alpine sh