sbt-native-packager:Alpine Docker Image 上的 Scala 应用程序失败,权限被拒绝

Posted

技术标签:

【中文标题】sbt-native-packager:Alpine Docker Image 上的 Scala 应用程序失败,权限被拒绝【英文标题】:sbt-native-packager: Scala App on Alpine Docker Image fails with permission denied 【发布时间】:2019-09-15 00:03:18 【问题描述】:

我有一个想要在 Docker 容器中运行的 Scala 应用程序。为了构建 docker 镜像,我使用了 sbt-native-packager。

我使用的基础镜像是“openjdk:8-jre-alpine”。

试过“openjdk:8-jdk-alpine” - 没有任何区别 试过 sbt-native-packager 1.3.20 - 没有任何区别

project/plugins.sbt

resolvers += Resolver.typesafeRepo("releases")
addSbtPlugin("com.typesafe.sbt" % "sbt-native-packager" % "1.3.17")

build.sbt

enablePlugins(JavaAppPackaging)
mainClass in Compile := Some("MyAppClass")

enablePlugins(DockerPlugin)
dockerBaseImage := "openjdk:8-jre-alpine" // startup fails with permission denied if using alpine :-(

使用生成的图像运行容器会导致启动时出现以下错误:

docker run my-app:latest
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "exec: \"/opt/docker/bin/my-app\": permission denied": unknown.
ERRO[0000] error waiting for container: context canceled 

使用“openjdk:8-jre”时应用正常启动。

更新

/opt/docker/bin/my-app的内容:

#!/usr/bin/env bash

###  ------------------------------- ###
###  Helper methods for BASH scripts ###
###  ------------------------------- ###

die() 
  echo "$@" 1>&2
  exit 1


realpath () 
(
  TARGET_FILE="$1"
  CHECK_CYGWIN="$2"

  cd "$(dirname "$TARGET_FILE")"
  TARGET_FILE=$(basename "$TARGET_FILE")

  COUNT=0
  while [ -L "$TARGET_FILE" -a $COUNT -lt 100 ]
  do
      TARGET_FILE=$(readlink "$TARGET_FILE")
      cd "$(dirname "$TARGET_FILE")"
      TARGET_FILE=$(basename "$TARGET_FILE")
      COUNT=$(($COUNT + 1))
  done

  if [ "$TARGET_FILE" == "." -o "$TARGET_FILE" == ".." ]; then
    cd "$TARGET_FILE"
    TARGET_FILEPATH=
  else
    TARGET_FILEPATH=/$TARGET_FILE
  fi

  # make sure we grab the actual windows path, instead of cygwin's path.
  if [[ "x$CHECK_CYGWIN" == "x" ]]; then
    echo "$(pwd -P)/$TARGET_FILE"
  else
    echo $(cygwinpath "$(pwd -P)/$TARGET_FILE")
  fi
)


# TODO - Do we need to detect msys?

# Uses uname to detect if we're in the odd cygwin environment.
is_cygwin() 
  local os=$(uname -s)
  case "$os" in
    CYGWIN*) return 0 ;;
    *)  return 1 ;;
  esac


# This can fix cygwin style /cygdrive paths so we get the
# windows style paths.
cygwinpath() 
  local file="$1"
  if is_cygwin; then
    echo $(cygpath -w $file)
  else
    echo $file
  fi


# Make something URI friendly
make_url() 
  url="$1"
  local nospaces=$url// /%20
  if is_cygwin; then
    echo "/$nospaces//\\//"
  else
    echo "$nospaces"
  fi


# This crazy function reads in a vanilla "linux" classpath string (only : are separators, and all /),
# and returns a classpath with windows style paths, and ; separators.
fixCygwinClasspath() 
  OLDIFS=$IFS
  IFS=":"
  read -a classpath_members <<< "$1"
  declare -a fixed_members
  IFS=$OLDIFS
  for i in "$!classpath_members[@]"
  do
    fixed_members[i]=$(realpath "$classpath_members[i]" "fix")
  done
  IFS=";"
  echo "$fixed_members[*]"
  IFS=$OLDIFS


# Fix the classpath we use for cygwin.
fix_classpath() 
  cp="$1"
  if is_cygwin; then
    echo "$(fixCygwinClasspath "$cp")"
  else
    echo "$cp"
  fi

# Detect if we should use JAVA_HOME or just try PATH.
get_java_cmd() 
  if [[ -n "$JAVA_HOME" ]] && [[ -x "$JAVA_HOME/bin/java" ]];  then
    echo "$JAVA_HOME/bin/java"
  else
    echo "java"
  fi


echoerr () 
  echo 1>&2 "$@"

vlog () 
  [[ $verbose || $debug ]] && echoerr "$@"

dlog () 
  [[ $debug ]] && echoerr "$@"

execRunner () 
  # print the arguments one to a line, quoting any containing spaces
  [[ $verbose || $debug ]] && echo "# Executing command line:" && 
    for arg; do
      if printf "%s\n" "$arg" | grep -q ' '; then
        printf "\"%s\"\n" "$arg"
      else
        printf "%s\n" "$arg"
      fi
    done
    echo ""
  

  # we use "exec" here for our pids to be accurate.
  exec "$@"

addJava () 
  dlog "[addJava] arg = '$1'"
  java_args+=( "$1" )

addApp () 
  dlog "[addApp] arg = '$1'"
  app_commands+=( "$1" )

addResidual () 
  dlog "[residual] arg = '$1'"
  residual_args+=( "$1" )

addDebugger () 
  addJava "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=$1"


require_arg () 
  local type="$1"
  local opt="$2"
  local arg="$3"
  if [[ -z "$arg" ]] || [[ "$arg:0:1" == "-" ]]; then
    die "$opt requires <$type> argument"
  fi

is_function_defined() 
  declare -f "$1" > /dev/null


# Attempt to detect if the script is running via a GUI or not
# TODO - Determine where/how we use this generically
detect_terminal_for_ui() 
  [[ ! -t 0 ]] && [[ "$#residual_args" == "0" ]] && 
    echo "true"
  
  # SPECIAL TEST FOR MAC
  [[ "$(uname)" == "Darwin" ]] && [[ "$HOME" == "$PWD" ]] && [[ "$#residual_args" == "0" ]] && 
    echo "true"
  


# Processes incoming arguments and places them in appropriate global variables.  called by the run method.
process_args () 
  local no_more_snp_opts=0
  while [[ $# -gt 0 ]]; do
    case "$1" in
             --) shift && no_more_snp_opts=1 && break ;;
       -h|-help) usage; exit 1 ;;
    -v|-verbose) verbose=1 && shift ;;
      -d|-debug) debug=1 && shift ;;

    -no-version-check) no_version_check=1 && shift ;;

           -mem) echo "!! WARNING !! -mem option is ignored. Please use -J-Xmx and -J-Xms" && shift 2 ;;
     -jvm-debug) require_arg port "$1" "$2" && addDebugger $2 && shift 2 ;;

          -main) custom_mainclass="$2" && shift 2 ;;

     -java-home) require_arg path "$1" "$2" && jre=`eval echo $2` && java_cmd="$jre/bin/java" && shift 2 ;;

 -D*|-agentlib*|-XX*) addJava "$1" && shift ;;
                 -J*) addJava "$1:2" && shift ;;
                   *) addResidual "$1" && shift ;;
    esac
  done

  if [[ no_more_snp_opts ]]; then
    while [[ $# -gt 0 ]]; do
      addResidual "$1" && shift
    done
  fi

  is_function_defined process_my_args && 
    myargs=("$residual_args[@]")
    residual_args=()
    process_my_args "$myargs[@]"
  


# Actually runs the script.
run() 
  # TODO - check for sane environment

  # process the combined args, then reset "$@" to the residuals
  process_args "$@"
  set -- "$residual_args[@]"
  argumentCount=$#

  #check for jline terminal fixes on cygwin
  if is_cygwin; then
    stty -icanon min 1 -echo > /dev/null 2>&1
    addJava "-Djline.terminal=jline.UnixTerminal"
    addJava "-Dsbt.cygwin=true"
  fi

  # check java version
  if [[ ! $no_version_check ]]; then
    java_version_check
  fi

  if [ -n "$custom_mainclass" ]; then
    mainclass=("$custom_mainclass")
  else
    mainclass=("$app_mainclass[@]")
  fi

  # Now we check to see if there are any java opts on the environment. These get listed first, with the script able to override them.
  if [[ "$JAVA_OPTS" != "" ]]; then
    java_opts="$JAVA_OPTS"
  fi

  # run sbt
  execRunner "$java_cmd" \
    $java_opts[@] \
    "$java_args[@]" \
    -cp "$(fix_classpath "$app_classpath")" \
    "$mainclass[@]" \
    "$app_commands[@]" \
    "$residual_args[@]"

  local exit_code=$?
  if is_cygwin; then
    stty icanon echo > /dev/null 2>&1
  fi
  exit $exit_code


# Loads a configuration file full of default command line options for this script.
loadConfigFile() 
  cat "$1" | sed $'/^\#/d;s/\r$//'


# Now check to see if it's a good enough version
# TODO - Check to see if we have a configured default java version, otherwise use 1.6
java_version_check() 
  readonly java_version=$("$java_cmd" -version 2>&1 | awk -F '"' '/version/ print $2')
  if [[ "$java_version" == "" ]]; then
    echo
    echo No java installations was detected.
    echo Please go to http://www.java.com/getjava/ and download
    echo
    exit 1
  else
    local major=$(echo "$java_version" | cut -d'.' -f1)
    if [[ "$major" -eq "1" ]]; then
     local major=$(echo "$java_version" | cut -d'.' -f2)
    fi
    if [[ "$major" -lt "6" ]]; then
      echo
      echo The java installation you have is not up to date
      echo $app_name requires at least version 1.6+, you have
      echo version $java_version
      echo
      echo Please go to http://www.java.com/getjava/ and download
      echo a valid Java Runtime and install before running $app_name.
      echo
      exit 1
    fi
  fi


###  ------------------------------- ###
###  Start of customized settings    ###
###  ------------------------------- ###
usage() 
 cat <<EOM
Usage: $script_name [options]

  -h | -help         print this message
  -v | -verbose      this runner is chattier
  -d | -debug        set sbt log level to debug
  -no-version-check  Don't run the java version check.
  -main <classname>  Define a custom main class
  -jvm-debug <port>  Turn on JVM debugging, open at the given port.

  # java version (default: java from PATH, currently $(java -version 2>&1 | grep version))
  -java-home <path>         alternate JAVA_HOME

  # jvm options and output control
  JAVA_OPTS          environment variable, if unset uses "$java_opts"
  -Dkey=val          pass -Dkey=val directly to the java runtime
  -J-X               pass option -X directly to the java runtime
                     (-J is stripped)

  # special option
  --                 To stop parsing built-in commands from the rest of the command-line.
                     e.g.) enabling debug and sending -d as app argument
                     \$ ./start-script -d -- -d

In the case of duplicated or conflicting options, basically the order above
shows precedence: JAVA_OPTS lowest, command line options highest except "--".
Available main classes:
        MyAppClass
EOM


###  ------------------------------- ###
###  Main script                     ###
###  ------------------------------- ###

declare -a residual_args
declare -a java_args
declare -a app_commands
declare -r real_script_path="$(realpath "$0")"

declare -r app_home="$(realpath "$(dirname "$real_script_path")")"
# TODO - Check whether this is ok in cygwin...
declare -r lib_dir="$(realpath "$app_home/../lib")"
declare -a app_mainclass=(MyAppClass)

declare -r script_conf_file="$app_home/../conf/application.ini"
declare -r app_classpath="$lib_dir/my-app-0.1.0-SNAPSHOT.jar:$lib_dir/org.scala-lang.scala-library-2.12.8.jar:$lib_dir/com.thenewmotion.ocpp.ocpp-j-api_2.12-9.0.1.jar:$lib_dir/com.thenewmotion.ocpp.ocpp-messages_2.12-9.0.1.jar:$lib_dir/com.thenewmotion.enum-utils_2.12-0.2.1.jar:$lib_dir/com.thenewmotion.ocpp.ocpp-json_2.12-9.0.1.jar:$lib_dir/org.json4s.json4s-native_2.12-3.6.1.jar:$lib_dir/org.json4s.json4s-core_2.12-3.6.1.jar:$lib_dir/org.json4s.json4s-ast_2.12-3.6.1.jar:$lib_dir/org.json4s.json4s-scalap_2.12-3.6.1.jar:$lib_dir/com.thoughtworks.paranamer.paranamer-2.8.jar:$lib_dir/org.slf4j.slf4j-api-1.7.25.jar:$lib_dir/org.java-websocket.Java-WebSocket-1.3.9.jar:$lib_dir/org.apache.logging.log4j.log4j-api-2.11.2.jar:$lib_dir/org.apache.logging.log4j.log4j-core-2.11.2.jar:$lib_dir/org.apache.logging.log4j.log4j-slf4j-impl-2.11.2.jar:$lib_dir/com.typesafe.config-1.3.4.jar"

# java_cmd is overrode in process_args when -java-home is used
declare java_cmd=$(get_java_cmd)

# if configuration files exist, prepend their contents to $@ so it can be processed by this runner
[[ -f "$script_conf_file" ]] && set -- $(loadConfigFile "$script_conf_file") "$@"

run "$@"

【问题讨论】:

什么是/opt/docker/bin/my-app?是否可执行?是脚本吗?如果是这样,请您显示它的Shebang(第一行)吗? 更新问题以包含/opt/docker/bin/my-app的内容 我认为问题出在#!/usr/bin/env bash。 Alpine 不附带bash,而是使用ash。您是否尝试过替换(例如在启动时使用“-v”)脚本并在第一行使用ash 而不是bash 权限处理发生了一些重大变化。见dockerPermissionStrategysbt-native-packager.readthedocs.io/en/stable/formats/… 【参考方案1】:

运行 sbt 任务docker:stage。然后分析文件夹target/docker/stage中创建的输出。

就我而言,Dockerfile 包含以下内容:

FROM openjdk:11-jre-slim as stage0
WORKDIR /opt/docker
COPY opt /opt
USER root
RUN ["chmod", "-R", "u=rX,g=rX", "/opt/docker"]
RUN ["chmod", "u+x,g+x", "/opt/docker/bin/sample"]

FROM openjdk:11-jre-slim
LABEL MAINTAINER="your name"
USER root
RUN id -u demiourgos728 2> /dev/null || useradd --system --create-home --uid 1001 --gid 0 demiourgos728
WORKDIR /opt/docker
COPY --from=stage0 --chown=demiourgos728:root /opt/docker /opt/docker
EXPOSE 9000
USER 1001
ENTRYPOINT ["/opt/docker/bin/sample"]
CMD []

我遇到了无法创建 PID 文件的问题。我认为在你的情况下它会是类似的。这里没有魔法。

文件夹/opt/docker默认没有写权限。正如文档所述,您可以将以下行添加到您的 build.sbt

dockerAdditionalPermissions += (DockerChmodType.UserGroupWriteExecute, "/opt/docker")

这将增加一行:

RUN ["chmod", "u=rwX,g=rwX", "/opt/docker"]

stage0 容器。见nativer packager docs。

或者,通过向 JVM 传递参数来禁用 PID 文件:

bashScriptExtraDefines ++= Seq( "addJava '-Dpidfile.path=/dev/null'" )

到你的 build.sbt。 Play Production configuration Docs

【讨论】:

dockerChmodType := DockerChmodType.UserGroupWriteExecute 可以吗?

以上是关于sbt-native-packager:Alpine Docker Image 上的 Scala 应用程序失败,权限被拒绝的主要内容,如果未能解决你的问题,请参考以下文章

在 sbt-native-packager 中过滤映射

扩展 sbt-native-packager (Docker)

使用 sbt-native-packager 时的模糊参考

发布 sbt-native-packager 创建的 zip

如何使用 sbt-native-packager 设置 Docker Registry

任何使用 sbt-native-packager 的好例子