主页 / server / 问题 / 1168843
Accepted
Arthur Attout
Asked: 2024-12-13 20:40:49 +0800 CST

以 :ro 形式挂载的 Docker 卷仍然可写

  • 772

data我的文件系统根目录下有一个文件夹

arthur@debian:~$ ls -la /data
total 36
drwxr-xr-x  9 root   root            4096 Dec 13 09:45 .
drwxr-xr-x 21 root   root            4096 Dec 13 10:08 ..
drwxr-xr-x  2 root   root            4096 Jun 15  2020 500g2
drwxr-xr-x  6 root   root            4096 Nov 16 18:20 quad_1
drwxr-sr-x  5 arthur arthur          4096 Dec 13 13:29 tera_1
drwxrwxr-x  6 root   root            4096 Dec  7 00:00 tera_2
drwxr-xr-x  5 root   root            4096 Sep 18 21:32 tera_3
drwxr-xr-x  6 root   root            4096 May  5  2021 tera_4

我想将整个目录挂载为 docker 卷,但容器必须具有只读访问权限。所以我使用了:ro

sudo docker run -it --name testcontainer -v /data:/internal_data:ro --rm alpine:latest /bin/sh

当 shell 生成时,我仍然能够写入本应只读的容器。这是为什么?

/ # touch /internal_data/test
touch: /internal_data/test: Read-only file system        # Ok, container prevented from writing
/ # touch /internal_data/tera_1/test                     # This worked
/ # touch /internal_data/tera_2/test                     # This worked
/ # touch /internal_data/500g2/test                      
touch: /internal_data/500g2/test: Read-only file system # Ok, container prevented from writing
/ #
docker

1 个回答

  1. Best Answer

    您需要 5.12 或更高版本的内核和 docker 25 或更高版本才能支持递归只读绑定挂载

    $ uname -v
#1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22)

$ docker version
Client: Docker Engine - Community
 Version:           27.3.1
 API version:       1.47
 Go version:        go1.22.7
 Git commit:        ce12230
 Built:             Fri Sep 20 11:41:11 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.3.1
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.7
  Git commit:       41ca978
  Built:            Fri Sep 20 11:41:11 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.24
  GitCommit:        88bf19b2105c8b17560993bee28a01ddc2f97182
 runc:
  Version:          1.2.2
  GitCommit:        v1.2.2-0-g7cb3632
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

$ mount
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=3159048k,mode=755,inode64)
/dev/mapper/xxxx-root on / type ext4 (rw,relatime,errors=remount-ro)
....

$ docker run -it --rm -v /:/host:ro alpine

/ # cd /host
/host # touch test
touch: test: Read-only file system

/host # cd run

/host/run # touch test
touch: test: Read-only file system

    另请参阅 Docker 关于递归绑定挂载的文档。

    • 1

相关问题