Running uWSGI with Supervisor in a Docker container results in permission denied

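I have a Django application that I want to run with uWSGI inside a Docker container, using Supervisor.

I'm on OSX, so in order to successfully mount my OSX filesystem in my boot2docker VM (so that I can mount volumes with docker run -v /source/:/destination), I've had to use sshfs, which I think is causing some odd permissions on my mounted filesystem.

I have two mount points on my boot2docker VM; one pointing at my application's code base, and another pointing at an arbitrary location on the host to write persistent logs to: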

Host: /Users/username/workspace/project --- > boot2docker: /home/docker/osx
Host: /containers/project               --- > boot2docker: /containers/project

I start the Docker container with the following command:

docker run -t -i -p 80 -v /home/docker/osx/project/www:/var/www -v /containers/project:/host image-name /bin/bash

The Supervisor config for my application looks like this:

[program:app_name]
command=uwsgi --ini /var/www/wsgi/uwsgi.ini
directory=/var/www
autostart=true
autorestart=true
stdout_logfile=/host/logs/app-name.log
redirect_stderr=True

My uwsgi.ini looks like this:

[uwsgi]

http = :3041
chdir = /var/www
module = run.wsgi
uid = www-data
gid = 33
master = True
processes = 4
threads = 1
pidfile = /var/run/uwsgi.pid
touch-reload = /var/run/uwsgi.pid
logto = /host/logs/uwsgi.log

When I run my application using supervisorctl, I get the following error:

root@4237fd060a40:/var/www# supervisorctl
app_name               FATAL      Exited too quickly (process log may have details)
supervisor> start app_name
2014-06-15 10:22:16,559 INFO spawned: 'app_name' with pid 105
2014-06-15 10:22:16,633 INFO exited: app_name (exit status 1; not expected)
2014-06-15 10:22:17,658 INFO spawned: 'app_name' with pid 106
app_name: ERROR (abnormal termination)

In the uWSGI log I see:

[uWSGI] getting INI configuration from /var/www/run/uwsgi.ini
*** Starting uWSGI 1.9.10 (64bit) on [Sun Jun 15 10:22:22 2014] ***
compiled with version: 4.6.3 on 13 June 2014 15:25:05
os: Linux-3.14.1-tinycore64 #1 SMP Mon Jun 9 16:21:23 UTC 2014
nodename: 4237fd060a40
machine: x86_64
clock source: unix
detected number of CPU cores: 4
current working directory: /var/www
writing pidfile to /var/run/uwsgi.pid
detected binary path: /usr/local/bin/uwsgi
setgid() to 33
setuid() to 33
chdir(): Permission denied [core/uwsgi.c line 2121]

Running id -g www-data shows that my gid is correct and that www-data exists:

root@4237fd060a40:/var/www# id -g www-data
33

The file permissions I see inside my Docker container look like this:

root@4237fd060a40:/var/www# ll
total 76
drwxr-xr-x  1 10133 10000   578 Jun 15 09:55 ./
drwxr-xr-x 30 root  root   4096 Jun 15 09:52 ../
drwxr-xr-x  1 10133 10000   714 Jun 13 10:55 some_folder/
drwxr-xr-x  1 10133 10000  1292 Jun  9 11:29 some_file.py

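So, because I'm seeing uids and gids here, the owner of these files/folders is a user that doesn't exist (they match my host OSX username's uid and gid), and I'm getting the permission error above because the www-data user doesn't have permission to write to the mounted filesystem, which I can prove using su: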

root@4237fd060a40:/var/www# su www-data
$ pwd
/var/www
$ touch test2
touch: cannot touch `test2': Permission denied

That makes sense so far, but when I try to write a file as root:

root@4237fd060a40:/var/www# touch test
root@4237fd060a40:/var/www# ll
total 76
...
-rw-r--r--  1 10133 10000     0 Jun 15 10:20 test

Writing the file works fine, and it even gets the right uid and gid.

So I would expect running uWSGI as root with this uwsgi.ini file:

[uwsgi]

http = :3041
chdir = /var/www
module = run.wsgi
uid = root
gid = 10000
master = True
processes = 4
threads = 1
pidfile = /var/run/uwsgi.pid
touch-reload = /var/run/uwsgi.pid
logto = /host/logs/uwsgi.log

or as 10133 with this uwsgi.ini file:

[uwsgi]

http = :3041
chdir = /var/www
module = run.wsgi
uid = 10133
gid = 10000
master = True
processes = 4
threads = 1
pidfile = /var/run/uwsgi.pid
touch-reload = /var/run/uwsgi.pid
logto = /host/logs/uwsgi.log

to work, but I'm having no luck:

[uWSGI] getting INI configuration from /var/www/run/uwsgi.ini
*** Starting uWSGI 1.9.10 (64bit) on [Sun Jun 15 10:30:05 2014] ***
compiled with version: 4.6.3 on 13 June 2014 15:25:05
os: Linux-3.14.1-tinycore64 #1 SMP Mon Jun 9 16:21:23 UTC 2014
nodename: 4237fd060a40
machine: x86_64
clock source: unix
detected number of CPU cores: 4
current working directory: /var/www
writing pidfile to /var/run/uwsgi.pid
detected binary path: /usr/local/bin/uwsgi
setgid() to 10000
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
chdir(): Permission denied [core/uwsgi.c line 2121]

[uWSGI] getting INI configuration from /var/www/run/uwsgi.ini
*** Starting uWSGI 1.9.10 (64bit) on [Sun Jun 15 10:30:36 2014] ***
compiled with version: 4.6.3 on 13 June 2014 15:25:05
os: Linux-3.14.1-tinycore64 #1 SMP Mon Jun 9 16:21:23 UTC 2014
nodename: 4237fd060a40
machine: x86_64
clock source: unix
detected number of CPU cores: 4
current working directory: /var/www
writing pidfile to /var/run/uwsgi.pid
detected binary path: /usr/local/bin/uwsgi
uWSGI running as root, you can use --uid/--gid/--chroot options
setgid() to 10000
setuid() to 10133
chdir(): Permission denied [core/uwsgi.c line 2121]

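What am I missing?

Answer 1

I was seeing the permission denied error here because the guid does not exist inside the container.

Changing the line guid=10000 to guid=root fixes it.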
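
The check the answer describes, as an added example (not part of the original post or of uWSGI): it reads uid and gid from a uwsgi.ini and reports whether each one resolves in the container's passwd and group databases. The function names, the database files passed as arguments, and the sample data are all constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check that the uid/gid set in a uwsgi.ini
# resolve to entries in the container's passwd and group databases.

# ini_value FILE KEY -> prints the value of "KEY = value" (last one wins)
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# id_exists DBFILE ID -> 0 if ID matches a name (field 1) or a number (field 3)
id_exists() {
    awk -F: -v id="$2" '$1 == id || $3 == id { found = 1 } END { exit !found }' "$1"
}

# check_ini_ids INI PASSWD GROUP -> prints one line per setting and
# returns the number of settings that do not resolve (0 = all resolve)
check_ini_ids() {
    ini=$1; missing=0
    for pair in "uid:$2" "gid:$3"; do
        key=${pair%%:*}; db=${pair#*:}
        val=$(ini_value "$ini" "$key")
        if [ -z "$val" ]; then
            echo "$key: not set in $ini"
        elif id_exists "$db" "$val"; then
            echo "$key=$val: found in $db"
        else
            echo "$key=$val: NOT in $db"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample data: the container knows root and www-data (33),
# but not 10133:10000, the numeric owner shown on the mounted files.
demo=$(mktemp -d)
printf 'root:x:0:0::/root:/bin/bash\nwww-data:x:33:33::/var/www:/bin/sh\n' > "$demo/passwd"
printf 'root:x:0:\nwww-data:x:33:\n' > "$demo/group"
printf '[uwsgi]\nchdir = /var/www\nuid = 10133\ngid = 10000\n' > "$demo/uwsgi.ini"
check_ini_ids "$demo/uwsgi.ini" "$demo/passwd" "$demo/group" || echo "unresolved ids: $?"
```

Inside a real container the arguments would be /var/www/wsgi/uwsgi.ini, /etc/passwd and /etc/group.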
