为什么docker容器提示"权限被拒绝"？

Question

我使用以下命令来运行docker容器,并将目录从host(/root/database)映射到container(/tmp/install/database):

# docker run -it --name oracle_install -v /root/database:/tmp/install/database bofm/oracle12c:preinstall bash

但是在容器中,我发现我不能ls用来列出内容/tmp/install/database/但是我root拥有所有特权:

[root@77eb235aceac /]# cd /tmp/install/database/
[root@77eb235aceac database]# ls
ls: cannot open directory .: Permission denied
[root@77eb235aceac database]# id
uid=0(root) gid=0(root) groups=0(root)
[root@77eb235aceac database]# cd ..
[root@77eb235aceac install]# ls -alt
......
drwxr-xr-x. 7 root root  4096 Jul  7  2014 database

我检查/root/database主机,一切似乎都好:

[root@localhost ~]# ls -lt
......
drwxr-xr-x.  7 root root       4096 Jul  7  2014 database

为什么docker容器提示"权限被拒绝"？

更新:
根本原因与SELinux.实际上,去年我遇到了类似的问题.

Answer 1

共享目录的容器内的权限被拒绝可能是由于该共享目录存储在设备上。默认情况下，容器无法访问任何设备。添加该选项$docker run --privileged使容器可以访问所有设备并执行内核调用。这不被认为是安全的。

共享设备的一种更干净的方法是使用该选项docker run --device=/dev/sdb（如果/dev/sdb您要共享的设备）。

从手册页：

  --device=[]
      Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)

  --privileged=true|false
      Give extended privileges to this container. The default is false.

      By default, Docker containers are “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the Docker container. This is because by default  a  container is not allowed to access any devices. A “privileged” container is given access to all devices.

      When  the  operator  executes  docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor to allow the container nearly all the same access to the host as processes running outside of a container on the host.