
Docker

Two ways to install Docker

Follow Install using the apt repository to install it.

Install Docker Desktop for Linux (Optional)

https://docs.docker.com/desktop/install/linux-install/

General system requirements:

Then run

```shell
qemu-system-x86_64 --version
```

to check the installed QEMU version.

Next, proceed to the installation steps:

https://docs.docker.com/desktop/install/ubuntu/#install-docker-desktop

  1. Set up Docker's package repository. See step one of Install using the apt repository.

     Possible problems and solutions:

  2. Download the latest DEB package.

  3. Install the package with apt as follows:

```shell
sudo apt-get update
sudo apt-get install ./docker-desktop-<arch>.deb
```

Proxy Config

Reference: Setting a global proxy for Docker (Windows/Linux)

Prerequisites:

  • Refer to proxy to set up the proxy.

Docker Desktop for Linux

Switch the proxy client to global mode.

(image: clash-proxy.png)

Set the proxy client's port in Docker Desktop.

(image: docker-proxy.png)

IMPORTANT

Note that both addresses (the HTTP proxy and the HTTPS proxy) use the http scheme.

Docker Engine

```sh
sudo vim /etc/docker/daemon.json
```

```json
{
  "proxies": {
    "http-proxy": "http://127.0.0.1:7891",
    "https-proxy": "http://127.0.0.1:7891"
  }
}
```

```sh
sudo systemctl restart docker.service
```

Sign in to Docker Desktop for Linux

NOTE

Users in mainland China need to configure a proxy before they can sign in.

For the related settings see: Signing in with Docker Desktop for Linux

Docker Container

docker container commit

Create a new image from a container's changes.


Dockerfile

ARG


Use ARG for build-time values: an ARG is not persisted in the final image.

Use Cases:

```Dockerfile
ARG DEBIAN_FRONTEND=noninteractive
```

ENV


The environment variables set using ENV will persist when a container is run from the resulting image.
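As an added example that is not part of these notes, the following POSIX shell script (awk based; the function names `classify_vars`, `persisted_vars` and `lint_debian_frontend` are chosen here, and the two Dockerfiles it reads are constructed) performs the check that follows from the ARG/ENV distinction above: it lists which variables will persist into the image's metadata and warns when `DEBIAN_FRONTEND` is set with ENV rather than ARG, which would carry a build-only setting into every container run from the image.

```shell
#!/bin/sh
# Added example, not code from the original notes: a static check for
# Dockerfiles that reports which variables persist into the image (ENV)
# versus build-time only (ARG), and flags DEBIAN_FRONTEND set via ENV.
# Reads Dockerfile text on stdin. Values quoted with spaces are not
# handled by this simplified tokenizer.

# classify_vars: prints one "ENV NAME" or "ARG NAME" line per declaration
classify_vars() {
  awk '
    /^[[:space:]]*#/ { next }                     # skip comment lines
    toupper($1) == "ARG" || toupper($1) == "ENV" {
      kind = toupper($1)
      # legacy form "ENV NAME value" declares exactly one variable
      if (kind == "ENV" && index($2, "=") == 0) { print kind, $2; next }
      for (i = 2; i <= NF; i++) {
        name = $i
        sub(/=.*/, "", name)                      # NAME=value -> NAME
        if (name != "") print kind, name
      }
    }'
}

# persisted_vars: names that end up in the image config (what ENV keeps)
persisted_vars() {
  classify_vars | awk '$1 == "ENV" { print $2 }'
}

# lint_debian_frontend: prints "warn" when DEBIAN_FRONTEND is set with ENV,
# "ok" otherwise (ARG DEBIAN_FRONTEND=noninteractive is the recommended form)
lint_debian_frontend() {
  classify_vars | awk '
    $1 == "ENV" && $2 == "DEBIAN_FRONTEND" { bad = 1 }
    END { print (bad ? "warn" : "ok") }'
}

# Constructed Dockerfiles for demonstration (not from any real project)
GOOD_DOCKERFILE='FROM ubuntu:22.04
ARG DEBIAN_FRONTEND=noninteractive
ENV APP_HOME=/app LANG=C.UTF-8
RUN apt-get update && apt-get install -y curl'

BAD_DOCKERFILE='FROM ubuntu:22.04
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update'

printf '%s\n' "$GOOD_DOCKERFILE" | persisted_vars          # APP_HOME, LANG
printf '%s\n' "$GOOD_DOCKERFILE" | lint_debian_frontend    # ok
printf '%s\n' "$BAD_DOCKERFILE"  | lint_debian_frontend    # warn
```

Pipe any Dockerfile into `persisted_vars` to see exactly which names a container will inherit; the ARG declared for `DEBIAN_FRONTEND` does not appear, which is the point of preferring ARG for build-only switches.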

Use Cases:

Creating a non-root user


NOTE

there are some quirks with local filesystem (bind) mounts that you should know about. Specifically:

  • Docker CE/EE on Linux: Inside the container, any mounted files/folders will have the exact same permissions as outside the container - including the owner user ID (UID) and group ID (GID). Because of this, your container user will either need to have the same UID or be in a group with the same GID. The actual name of the user / group does not matter. The first user on a machine typically gets a UID of 1000, so most containers use this as the ID of the user to try to avoid this problem.

Update the container user's UID/GID to match the local user, which avoids the bind-mount permission problems that exist in this environment.

Several bind-mount situations are walked through below:

TL;DR

Normal reads and writes work only when the container user and the host user are the same user (identical UID and GID) and that user holds permissions at least as high as those set on the mounted directory.

root-user && mount directory not created manually:

```sh
$ docker run --name test -it --rm -v ./mount:/mount -w /mount ubuntu
```

Host:

```sh
$ stat mount
  File: mount
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10303h/66307d   Inode: 4200464     Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-09-21 16:30:52.385977343 +0800
Modify: 2024-09-21 16:30:52.385977343 +0800
Change: 2024-09-21 16:30:52.385977343 +0800
 Birth: 2024-09-21 16:30:52.385977343 +0800

$ cd mount

$ touch tmp.txt
touch: cannot touch 'tmp.txt': Permission denied
```

The host side cannot write normally.

Container:

```sh
root@ac28467c4207:/mount# stat ../mount
  File: ../mount
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 259,3   Inode: 4200464     Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-09-21 09:01:28.964555406 +0000
Modify: 2024-09-21 09:01:04.357228378 +0000
Change: 2024-09-21 09:01:04.357228378 +0000
 Birth: 2024-09-21 09:01:04.357228378 +0000

root@ac28467c4207:/mount# touch tmp.txt

root@ac28467c4207:/mount# ls
tmp.txt
```

Conclusion

In this case the host side cannot write to the bind-mounted directory.

root-user && mount directory created manually:

```sh
$ mkdir mount

$ docker run --name test -it --rm -v ./mount:/mount -w /mount ubuntu
```

Host:

```sh
$ stat mount
  File: mount
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10303h/66307d   Inode: 4200464     Links: 2
Access: (0775/drwxrwxr-x)  Uid: ( 1000/   <host_user>)   Gid: ( 1000/   <host_user>)
Access: 2024-09-21 17:12:50.286737647 +0800
Modify: 2024-09-21 17:11:55.730996463 +0800
Change: 2024-09-21 17:11:55.730996463 +0800
 Birth: 2024-09-21 17:11:55.730996463 +0800

$ cd mount
$ touch tmp.txt
$ vim tmp.txt
$ stat tmp.txt
  File: tmp.txt
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 10303h/66307d   Inode: 4214763     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/   <host_user>)   Gid: ( 1000/   <host_user>)
Access: 2024-09-21 17:15:41.569068352 +0800
Modify: 2024-09-21 17:15:41.569068352 +0800
Change: 2024-09-21 17:15:41.574068420 +0800
 Birth: 2024-09-21 17:15:41.569068352 +0800
```

Container:

```sh
root@ace8ee44285f:/mount# stat ../mount
  File: ../mount
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 259,3   Inode: 4200464     Links: 2
Access: (0775/drwxrwxr-x)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
Access: 2024-09-21 08:35:05.326585897 +0000
Modify: 2024-09-21 08:35:05.326585897 +0000
Change: 2024-09-21 08:35:05.326585897 +0000
 Birth: 2024-09-21 08:35:05.326585897 +0000

root@b9bb71e6d803:/mount# stat tmp.txt
  File: tmp.txt
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 259,3   Inode: 4214763     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
Access: 2024-09-21 09:15:41.569068352 +0000
Modify: 2024-09-21 09:15:41.569068352 +0000
Change: 2024-09-21 09:15:41.574068420 +0000
 Birth: 2024-09-21 09:15:41.569068352 +0000

root@ace8ee44285f:/mount# touch tmp1.txt

root@ace8ee44285f:/mount# stat tmp1.txt
  File: tmp1.txt
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: 259,3   Inode: 4200614     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-09-21 08:35:55.151290352 +0000
Modify: 2024-09-21 08:35:55.151290352 +0000
Change: 2024-09-21 08:35:55.151290352 +0000
 Birth: 2024-09-21 08:35:55.151290352 +0000
```

Host:

```sh
$ vim tmp1.txt
```

Press `i` to enter insert mode:

```txt
-- INSERT -- W10: Warning: Changing a readonly file
```

In this case the host side cannot write to the file normally, and the editing session misbehaves.

`:wq`

```txt
E45: 'readonly' option is set (add ! to override)
```

`:wq!`

```sh
$ stat tmp1.txt
  File: tmp1.txt
  Size: 5               Blocks: 8          IO Block: 4096   regular file
Device: 10303h/66307d   Inode: 4200625     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/   <host_user>)   Gid: ( 1000/   <host_user>)
Access: 2024-09-21 16:51:09.525037052 +0800
Modify: 2024-09-21 16:51:09.525037052 +0800
Change: 2024-09-21 16:51:09.528037094 +0800
 Birth: 2024-09-21 16:51:09.525037052 +0800
```

Container:

```sh
root@ace8ee44285f:/mount# stat tmp1.txt
  File: tmp1.txt
  Size: 5               Blocks: 8          IO Block: 4096   regular file
Device: 259,3   Inode: 4200625     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/  ubuntu)   Gid: ( 1000/  ubuntu)
Access: 2024-09-21 08:51:09.525037052 +0000
Modify: 2024-09-21 08:51:09.525037052 +0000
Change: 2024-09-21 08:51:09.528037094 +0000
 Birth: 2024-09-21 08:51:09.525037052 +0000
```

You can see that the file's ownership has changed: it now belongs to UID 1000.

Conclusion

In this case the host side cannot write to files created by the root user inside the container.

non-root-user && mount directory not created manually

```sh
$ docker run --name test -it --rm -v ./mount:/mount -w /mount image-with-non-root-user
```

Host:

```sh
$ stat mount
  File: mount
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10303h/66307d   Inode: 4200464     Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-09-21 17:25:06.632782035 +0800
Modify: 2024-09-21 17:25:01.207707861 +0800
Change: 2024-09-21 17:25:01.207707861 +0800
 Birth: 2024-09-21 17:25:01.207707861 +0800

$ cd mount

$ touch tmp.txt
touch: cannot touch 'tmp.txt': Permission denied
```

Container:

```sh
$ stat ../mount
  File: ../mount
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10303h/66307d   Inode: 4200464     Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-09-21 09:25:06.632782035 +0000
Modify: 2024-09-21 09:25:01.207707861 +0000
Change: 2024-09-21 09:25:01.207707861 +0000
 Birth: 2024-09-21 09:25:01.207707861 +0000

$ touch tmp.txt
touch: cannot touch 'tmp.txt': Permission denied
```

Conclusion

Neither the host nor the container can write normally to the mounted directory.

non-root-user && mount directory created manually

```sh
$ mkdir mount

$ docker run --name test -it --rm -v ./mount:/mount -w /mount image-with-non-root-user
```

Host:

```sh
$ stat mount
  File: mount
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10303h/66307d   Inode: 4200464     Links: 2
Access: (0775/drwxrwxr-x)  Uid: ( 1000/   <host_user>)   Gid: ( 1000/   <host_user>)
Access: 2024-09-21 17:34:03.452126222 +0800
Modify: 2024-09-21 17:33:51.163958037 +0800
Change: 2024-09-21 17:33:51.163958037 +0800
 Birth: 2024-09-21 17:33:51.163958037 +0800
```

Container:

```sh
$ stat ../mount
  File: ../mount
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10303h/66307d   Inode: 4200464     Links: 2
Access: (0775/drwxrwxr-x)  Uid: ( 1000/containeruser)   Gid: ( 1000/containeruser)
Access: 2024-09-21 09:34:03.452126222 +0000
Modify: 2024-09-21 09:33:51.163958037 +0000
Change: 2024-09-21 09:33:51.163958037 +0000
 Birth: 2024-09-21 09:33:51.163958037 +0000
```

Conclusion

Both the host and the container can write normally to the mounted directory.

Linux chmod command

Bind mounts

Mount volume (-v)

How do I Docker COPY as non root?


```Dockerfile
COPY --chown=<user>:<group> <hostPath> <containerPath>
```

`<user>` and `<group>` may also be given as a UID and GID; see:

```Dockerfile
COPY --chown=$USER_UID:$USER_GID . .
```
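As an added example that is not part of these notes, the following POSIX shell script ties together the non-root-user section, the four bind-mount scenarios and the COPY --chown form above. `can_write` applies the Unix permission rule that produced each "Permission denied" above, fed with the mode/uid/gid fields taken from the `stat` output in the scenarios (values constructed from that output); `nonroot_dockerfile` prints a Dockerfile that creates the container user with ids matching the host user. The function names are chosen here, and the `FROM ubuntu:22.04` base is an assumption: newer Ubuntu images already ship a uid 1000 user, as the `ubuntu` entries in the container-side stat output show, so `useradd --uid 1000` would fail there.

```shell
#!/bin/sh
# Added example, not code from the original notes.
# can_write MODE OWNER_UID OWNER_GID PROC_UID PROC_GID
#   MODE as the 4 octal digits stat prints (e.g. 0755). Returns 0 when a
#   write is permitted, 1 otherwise. Supplementary groups, ACLs and the
#   SELinux/AppArmor layers are deliberately not modelled.
can_write() {
  mode=$1; owner_uid=$2; owner_gid=$3; proc_uid=$4; proc_gid=$5
  # uid 0 bypasses the permission bits, which is why the container's root
  # user could always write in the scenarios above
  [ "$proc_uid" -eq 0 ] && return 0
  bits=${mode#0}          # 0755 -> 755
  u=${bits%??}            # owner digit
  rest=${bits#?}
  g=${rest%?}             # group digit
  o=${rest#?}             # other digit
  # exactly one class applies: owner if the uid matches, else group, else other
  if [ "$proc_uid" -eq "$owner_uid" ]; then d=$u
  elif [ "$proc_gid" -eq "$owner_gid" ]; then d=$g
  else d=$o
  fi
  [ $(( d & 2 )) -ne 0 ]  # write permission is the 2 bit of the digit
}

# verdict: same arguments as can_write, prints "writable" or "denied"
verdict() {
  if can_write "$@"; then echo writable; else echo denied; fi
}

# nonroot_dockerfile UID GID NAME: Dockerfile creating a user whose ids match
# the host user, so bind-mounted files carry the same uid/gid on both sides
# (the last scenario above, the only one where both sides could write).
nonroot_dockerfile() {
  printf 'FROM ubuntu:22.04\n'   # assumption: a base image with no uid 1000 user
  printf 'ARG USER_UID=%s\nARG USER_GID=%s\nARG USERNAME=%s\n' "$1" "$2" "$3"
  cat <<'EOF'
RUN groupadd --gid "$USER_GID" "$USERNAME" \
 && useradd --uid "$USER_UID" --gid "$USER_GID" --create-home "$USERNAME"
# --chown as in the COPY section: copied files are owned by the matching ids
COPY --chown=$USER_UID:$USER_GID . /app
USER $USERNAME
EOF
}

# Replay the scenarios from the notes (inputs taken from the stat output above)
echo "docker-created dir 0755 root:root, host uid 1000:   $(verdict 0755 0 0 1000 1000)"
echo "docker-created dir 0755 root:root, container root:  $(verdict 0755 0 0 0 0)"
echo "host-created dir 0775 1000:1000, host uid 1000:     $(verdict 0775 1000 1000 1000 1000)"
echo "root-created file 0644 root:root, host uid 1000:    $(verdict 0644 0 0 1000 1000)"
echo "host-created dir 0775 1000:1000, container uid 1000: $(verdict 0775 1000 1000 1000 1000)"
```

Build the generated Dockerfile with `--build-arg USER_UID=$(id -u) --build-arg USER_GID=$(id -g)` so the ids come from the host account that owns the bind-mounted directory; passing them as ARG rather than ENV keeps them out of the final image's metadata.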

Docker image

Saving, importing, exporting and loading Docker images as tar and tar.gz