docker映射本地目录到jenkins_home后docker logs jenkins报权限问题解决笔记

霍格沃兹答疑区 环境配置
1 
1.拉取镜像并启动容器
docker run -d --name myjenkins -p 8081:8080 -v $(pwd)/data:/var/jenkins_home jenkins/jenkins
2.通过docker ps命令查看容器并没有运行起来
3.docker logs myjenkins 报错信息如下:
touch: cannot touch ‘/var/jenkins_home/copy_reference_file.log’: Permission denied
Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?
分析:
我们检查一下之前启动方式的"/var/jenkins_home"目录权限,查看Jenkins容器的当前用户: 当前用户是"jenkins"而且"/var/jenkins_home"目录是属于jenkins用户拥有的

docker run -ti --rm --entrypoint="/bin/bash" jenkins -c "whoami && id"
控制台输出:
![image|800x39](upload://Af0xmohinF89tJLT4lK0Q2UDUKi.png) 

docker run -ti --rm --entrypoint="/bin/bash" jenkins -c "ls -la /var/jenkins_home"
控制台输出:
![image|800x57](upload://2O5fUKK4fZygkDIxJ8a375AZziE.png) 

而当映射本地数据卷时,/var/jenkins_home目录的拥有者变成了root用户
docker run -ti --rm -v $(pwd)/data:/var/jenkins_home --entrypoint="/bin/bash" jenkins -c "ls -la /var/jenkins_home"
控制台输出
![image|532x65](upload://adjuSRLXmzSz5v3W1LZxPhDYK9H.png) 

这就解释了为什么当"jenkins"用户的进程访问"/var/jenkins_home"目录时,会出现 Permission denied 的问题
我们再检查一下宿主机上的数据卷目录,当前路径下"jenkins_data"目录的拥有者是"root"
ls -la ./jenkins_data
控制台输出:
![image|466x62](upload://L7dqtn5Xxkr2eKICyzM2Ck2E5K.png) 

发现问题之后,相应的解决方法也很简单:把当前目录的拥有者赋值给uid 1000,再启动"jenkins"容器就一切正常了。
递归授权并再次启动jenkins
sudo chown -R 1000 ./jenkins_data
docker start Jenkins

重点来啦:
如果以上步骤还是解决不了权限问题,那么可以检查一下selinux状态,selinux开启的情况下会导致一些服务安装、使用不成功。
查看selinux状态,
[root@localhost ~]# sestatus  
SELinux status:                 enabled  
SELinuxfs mount:                /sys/fs/selinux  
SELinux root directory:         /etc/selinux  
Loaded policy name:             targeted  
Current mode:                   enforcing  
Mode from config file:          enforcing  
Policy MLS status:              enabled  
Policy deny_unknown status:     allowed  
Max kernel policy version:      28

临时关闭,
[root@localhost ~]# setenforce 0
1

永久关闭,可以修改配置文件/etc/selinux/config,将其中SELINUX设置为disabled,如下,
[root@localhost ~]# cat /etc/selinux/config   
# This file controls the state of SELinux on the system.  
# SELINUX= can take one of these three values:  
#     enforcing - SELinux security policy is enforced.  
#     permissive - SELinux prints warnings instead of enforcing.  
#     disabled - No SELinux policy is loaded.  
#SELINUX=enforcing  
SELINUX=disabled  
# SELINUXTYPE= can take one of three two values:  
#     targeted - Targeted processes are protected,  
#     minimum - Modification of targeted policy. Only selected processes are protected.   
#     mls - Multi Level Security protection.  
SELINUXTYPE=targeted

[root@rdo ~]# sestatus  
SELinux status:                 disabled

之后再次运行jenkins容器,jenkins_home目录顺利映射到本地指定的文件夹
2

你启动的时候挂载的目录是你运行命令时的当前目录下的data文件夹,那么这个文件夹的权限是不是不太对导致docker不能写入?

3

问题已经解决了,我就是记个笔记 :grin:

4

:+1: