sbt-native-packager: Scala App on Alpine Docker Image fails with permission denied
Posted: 2019-09-15 00:03:18
Question:
I have a Scala application that I want to run inside a Docker container. To build the Docker image I use sbt-native-packager.
The base image I use is "openjdk:8-jre-alpine".
Tried "openjdk:8-jdk-alpine" - no difference
Tried sbt-native-packager 1.3.20 - no difference
project/plugins.sbt
resolvers += Resolver.typesafeRepo("releases")
addSbtPlugin("com.typesafe.sbt" % "sbt-native-packager" % "1.3.17")
build.sbt
enablePlugins(JavaAppPackaging)
mainClass in Compile := Some("MyAppClass")
enablePlugins(DockerPlugin)
dockerBaseImage := "openjdk:8-jre-alpine" // startup fails with permission denied if using alpine :-(
Running a container with the generated image results in the following error on startup:
docker run my-app:latest
docker: Error response from daemon: OCI runtime create failed: container_linux.go:345: starting container process caused "exec: \"/opt/docker/bin/my-app\": permission denied": unknown.
ERRO[0000] error waiting for container: context canceled
The app starts fine when using "openjdk:8-jre".
Update
Contents of /opt/docker/bin/my-app:
#!/usr/bin/env bash

### ------------------------------- ###
### Helper methods for BASH scripts ###
### ------------------------------- ###

die() {
  echo "$@" 1>&2
  exit 1
}

realpath () {
(
  TARGET_FILE="$1"
  CHECK_CYGWIN="$2"

  cd "$(dirname "$TARGET_FILE")"
  TARGET_FILE=$(basename "$TARGET_FILE")

  COUNT=0
  while [ -L "$TARGET_FILE" -a $COUNT -lt 100 ]
  do
    TARGET_FILE=$(readlink "$TARGET_FILE")
    cd "$(dirname "$TARGET_FILE")"
    TARGET_FILE=$(basename "$TARGET_FILE")
    COUNT=$(($COUNT + 1))
  done

  if [ "$TARGET_FILE" == "." -o "$TARGET_FILE" == ".." ]; then
    cd "$TARGET_FILE"
    TARGET_FILEPATH=
  else
    TARGET_FILEPATH=/$TARGET_FILE
  fi

  # make sure we grab the actual windows path, instead of cygwin's path.
  if [[ "x$CHECK_CYGWIN" == "x" ]]; then
    echo "$(pwd -P)/$TARGET_FILE"
  else
    echo $(cygwinpath "$(pwd -P)/$TARGET_FILE")
  fi
)
}

# TODO - Do we need to detect msys?

# Uses uname to detect if we're in the odd cygwin environment.
is_cygwin() {
  local os=$(uname -s)
  case "$os" in
    CYGWIN*) return 0 ;;
    *) return 1 ;;
  esac
}

# This can fix cygwin style /cygdrive paths so we get the
# windows style paths.
cygwinpath() {
  local file="$1"
  if is_cygwin; then
    echo $(cygpath -w $file)
  else
    echo $file
  fi
}

# Make something URI friendly
make_url() {
  url="$1"
  local nospaces=${url// /%20}
  if is_cygwin; then
    echo "/${nospaces//\\//}"
  else
    echo "$nospaces"
  fi
}

# This crazy function reads in a vanilla "linux" classpath string (only : are separators, and all /),
# and returns a classpath with windows style paths, and ; separators.
fixCygwinClasspath() {
  OLDIFS=$IFS
  IFS=":"
  read -a classpath_members <<< "$1"
  declare -a fixed_members
  IFS=$OLDIFS
  for i in "${!classpath_members[@]}"
  do
    fixed_members[i]=$(realpath "${classpath_members[i]}" "fix")
  done
  IFS=";"
  echo "${fixed_members[*]}"
  IFS=$OLDIFS
}

# Fix the classpath we use for cygwin.
fix_classpath() {
  cp="$1"
  if is_cygwin; then
    echo "$(fixCygwinClasspath "$cp")"
  else
    echo "$cp"
  fi
}

# Detect if we should use JAVA_HOME or just try PATH.
get_java_cmd() {
  if [[ -n "$JAVA_HOME" ]] && [[ -x "$JAVA_HOME/bin/java" ]]; then
    echo "$JAVA_HOME/bin/java"
  else
    echo "java"
  fi
}

echoerr () {
  echo 1>&2 "$@"
}
vlog () {
  [[ $verbose || $debug ]] && echoerr "$@"
}
dlog () {
  [[ $debug ]] && echoerr "$@"
}
execRunner () {
  # print the arguments one to a line, quoting any containing spaces
  [[ $verbose || $debug ]] && echo "# Executing command line:" && {
    for arg; do
      if printf "%s\n" "$arg" | grep -q ' '; then
        printf "\"%s\"\n" "$arg"
      else
        printf "%s\n" "$arg"
      fi
    done
    echo ""
  }

  # we use "exec" here for our pids to be accurate.
  exec "$@"
}
addJava () {
  dlog "[addJava] arg = '$1'"
  java_args+=( "$1" )
}
addApp () {
  dlog "[addApp] arg = '$1'"
  app_commands+=( "$1" )
}
addResidual () {
  dlog "[residual] arg = '$1'"
  residual_args+=( "$1" )
}
addDebugger () {
  addJava "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=$1"
}

require_arg () {
  local type="$1"
  local opt="$2"
  local arg="$3"
  if [[ -z "$arg" ]] || [[ "${arg:0:1}" == "-" ]]; then
    die "$opt requires <$type> argument"
  fi
}
is_function_defined() {
  declare -f "$1" > /dev/null
}

# Attempt to detect if the script is running via a GUI or not
# TODO - Determine where/how we use this generically
detect_terminal_for_ui() {
  [[ ! -t 0 ]] && [[ "${#residual_args}" == "0" ]] && {
    echo "true"
  }
  # SPECIAL TEST FOR MAC
  [[ "$(uname)" == "Darwin" ]] && [[ "$HOME" == "$PWD" ]] && [[ "${#residual_args}" == "0" ]] && {
    echo "true"
  }
}

# Processes incoming arguments and places them in appropriate global variables. called by the run method.
process_args () {
  local no_more_snp_opts=0
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --) shift && no_more_snp_opts=1 && break ;;
      -h|-help) usage; exit 1 ;;
      -v|-verbose) verbose=1 && shift ;;
      -d|-debug) debug=1 && shift ;;
      -no-version-check) no_version_check=1 && shift ;;
      -mem) echo "!! WARNING !! -mem option is ignored. Please use -J-Xmx and -J-Xms" && shift 2 ;;
      -jvm-debug) require_arg port "$1" "$2" && addDebugger $2 && shift 2 ;;
      -main) custom_mainclass="$2" && shift 2 ;;
      -java-home) require_arg path "$1" "$2" && jre=`eval echo $2` && java_cmd="$jre/bin/java" && shift 2 ;;
      -D*|-agentlib*|-XX*) addJava "$1" && shift ;;
      -J*) addJava "${1:2}" && shift ;;
      *) addResidual "$1" && shift ;;
    esac
  done

  if [[ no_more_snp_opts ]]; then
    while [[ $# -gt 0 ]]; do
      addResidual "$1" && shift
    done
  fi

  is_function_defined process_my_args && {
    myargs=("${residual_args[@]}")
    residual_args=()
    process_my_args "${myargs[@]}"
  }
}

# Actually runs the script.
run() {
  # TODO - check for sane environment

  # process the combined args, then reset "$@" to the residuals
  process_args "$@"
  set -- "${residual_args[@]}"
  argumentCount=$#

  #check for jline terminal fixes on cygwin
  if is_cygwin; then
    stty -icanon min 1 -echo > /dev/null 2>&1
    addJava "-Djline.terminal=jline.UnixTerminal"
    addJava "-Dsbt.cygwin=true"
  fi

  # check java version
  if [[ ! $no_version_check ]]; then
    java_version_check
  fi

  if [ -n "$custom_mainclass" ]; then
    mainclass=("$custom_mainclass")
  else
    mainclass=("${app_mainclass[@]}")
  fi

  # Now we check to see if there are any java opts on the environment. These get listed first, with the script able to override them.
  if [[ "$JAVA_OPTS" != "" ]]; then
    java_opts="$JAVA_OPTS"
  fi

  # run sbt
  execRunner "$java_cmd" \
    ${java_opts[@]} \
    "${java_args[@]}" \
    -cp "$(fix_classpath "$app_classpath")" \
    "${mainclass[@]}" \
    "${app_commands[@]}" \
    "${residual_args[@]}"

  local exit_code=$?
  if is_cygwin; then
    stty icanon echo > /dev/null 2>&1
  fi
  exit $exit_code
}

# Loads a configuration file full of default command line options for this script.
loadConfigFile() {
  cat "$1" | sed $'/^\#/d;s/\r$//'
}

# Now check to see if it's a good enough version
# TODO - Check to see if we have a configured default java version, otherwise use 1.6
java_version_check() {
  readonly java_version=$("$java_cmd" -version 2>&1 | awk -F '"' '/version/ {print $2}')
  if [[ "$java_version" == "" ]]; then
    echo
    echo No java installations was detected.
    echo Please go to http://www.java.com/getjava/ and download
    echo
    exit 1
  else
    local major=$(echo "$java_version" | cut -d'.' -f1)
    if [[ "$major" -eq "1" ]]; then
      local major=$(echo "$java_version" | cut -d'.' -f2)
    fi
    if [[ "$major" -lt "6" ]]; then
      echo
      echo The java installation you have is not up to date
      echo $app_name requires at least version 1.6+, you have
      echo version $java_version
      echo
      echo Please go to http://www.java.com/getjava/ and download
      echo a valid Java Runtime and install before running $app_name.
      echo
      exit 1
    fi
  fi
}

### ------------------------------- ###
### Start of customized settings ###
### ------------------------------- ###
usage() {
 cat <<EOM
Usage: $script_name [options]

  -h | -help         print this message
  -v | -verbose      this runner is chattier
  -d | -debug        set sbt log level to debug
  -no-version-check  Don't run the java version check.
  -main <classname>  Define a custom main class
  -jvm-debug <port>  Turn on JVM debugging, open at the given port.

  # java version (default: java from PATH, currently $(java -version 2>&1 | grep version))
  -java-home <path>  alternate JAVA_HOME

  # jvm options and output control
  JAVA_OPTS          environment variable, if unset uses "$java_opts"
  -Dkey=val          pass -Dkey=val directly to the java runtime
  -J-X               pass option -X directly to the java runtime
                     (-J is stripped)

  # special option
  --                 To stop parsing built-in commands from the rest of the command-line.
                     e.g.) enabling debug and sending -d as app argument
                     \$ ./start-script -d -- -d

In the case of duplicated or conflicting options, basically the order above
shows precedence: JAVA_OPTS lowest, command line options highest except "--".
Available main classes:
  MyAppClass
EOM
}

### ------------------------------- ###
### Main script ###
### ------------------------------- ###
declare -a residual_args
declare -a java_args
declare -a app_commands
declare -r real_script_path="$(realpath "$0")"
declare -r app_home="$(realpath "$(dirname "$real_script_path")")"
# TODO - Check whether this is ok in cygwin...
declare -r lib_dir="$(realpath "$app_home/../lib")"
declare -a app_mainclass=(MyAppClass)
declare -r script_conf_file="$app_home/../conf/application.ini"
declare -r app_classpath="$lib_dir/my-app-0.1.0-SNAPSHOT.jar:$lib_dir/org.scala-lang.scala-library-2.12.8.jar:$lib_dir/com.thenewmotion.ocpp.ocpp-j-api_2.12-9.0.1.jar:$lib_dir/com.thenewmotion.ocpp.ocpp-messages_2.12-9.0.1.jar:$lib_dir/com.thenewmotion.enum-utils_2.12-0.2.1.jar:$lib_dir/com.thenewmotion.ocpp.ocpp-json_2.12-9.0.1.jar:$lib_dir/org.json4s.json4s-native_2.12-3.6.1.jar:$lib_dir/org.json4s.json4s-core_2.12-3.6.1.jar:$lib_dir/org.json4s.json4s-ast_2.12-3.6.1.jar:$lib_dir/org.json4s.json4s-scalap_2.12-3.6.1.jar:$lib_dir/com.thoughtworks.paranamer.paranamer-2.8.jar:$lib_dir/org.slf4j.slf4j-api-1.7.25.jar:$lib_dir/org.java-websocket.Java-WebSocket-1.3.9.jar:$lib_dir/org.apache.logging.log4j.log4j-api-2.11.2.jar:$lib_dir/org.apache.logging.log4j.log4j-core-2.11.2.jar:$lib_dir/org.apache.logging.log4j.log4j-slf4j-impl-2.11.2.jar:$lib_dir/com.typesafe.config-1.3.4.jar"
# java_cmd is overrode in process_args when -java-home is used
declare java_cmd=$(get_java_cmd)
# if configuration files exist, prepend their contents to $@ so it can be processed by this runner
[[ -f "$script_conf_file" ]] && set -- $(loadConfigFile "$script_conf_file") "$@"
run "$@"
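Comments:
What is /opt/docker/bin/my-app? Is it executable? Is it a script? If so, could you show its shebang (first line)?
Updated the question to include the contents of /opt/docker/bin/my-app
I think the problem is #!/usr/bin/env bash. Alpine does not ship with bash; it uses ash instead. Have you tried replacing the script (e.g. using "-v" at startup) and using ash instead of bash on the first line?
There have been some major changes in permission handling. See dockerPermissionStrategy sbt-native-packager.readthedocs.io/en/stable/formats/…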
Answer 1:
Run the sbt task docker:stage. Then analyze the output created in the folder target/docker/stage.
In my case, the Dockerfile contains the following:
FROM openjdk:11-jre-slim as stage0
WORKDIR /opt/docker
COPY opt /opt
USER root
RUN ["chmod", "-R", "u=rX,g=rX", "/opt/docker"]
RUN ["chmod", "u+x,g+x", "/opt/docker/bin/sample"]
FROM openjdk:11-jre-slim
LABEL MAINTAINER="your name"
USER root
RUN id -u demiourgos728 2> /dev/null || useradd --system --create-home --uid 1001 --gid 0 demiourgos728
WORKDIR /opt/docker
COPY --from=stage0 --chown=demiourgos728:root /opt/docker /opt/docker
EXPOSE 9000
USER 1001
ENTRYPOINT ["/opt/docker/bin/sample"]
CMD []
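I had the problem that the PID file could not be created. I think it will be something similar in your case. There is no magic here.
The folder /opt/docker has no write permission by default. As the documentation states, you can add the following line to your build.sbt:
dockerAdditionalPermissions += (DockerChmodType.UserGroupWriteExecute, "/opt/docker")
This will add the line:
RUN ["chmod", "u=rwX,g=rwX", "/opt/docker"]
to the stage0 container. See the native packager docs.
Alternatively, disable the PID file by passing an argument to the JVM, by adding:
bashScriptExtraDefines ++= Seq( "addJava '-Dpidfile.path=/dev/null'" )
to your build.sbt. Play Production configuration Docs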
Comments:
Would dockerChmodType := DockerChmodType.UserGroupWriteExecute work?
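
The inspection of target/docker/stage that the answer recommends can be scripted. The following is an added example, not part of the original thread or of sbt-native-packager: it reads the staged Dockerfile, locates the ENTRYPOINT script in the staged tree, and reports a missing execute bit or a bash shebang on an Alpine base image. The function names, the finding labels and the layout assumption (files staged at <stage>/<path in image>) are illustrative, and the sample stage directory is constructed.

```shell
#!/bin/sh
# Added example: audit a staged sbt-native-packager Docker context.
# Assumption: image files are staged under <stage>/<absolute path in image>.

# Print the first element of the exec-form ENTRYPOINT of a Dockerfile.
entrypoint_of() {
  sed -n 's/^ENTRYPOINT \["\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Print findings for one stage directory; returns 1 if any were found.
audit_stage() {
  stage=$1; df="$stage/Dockerfile"; findings=0
  entry=$(entrypoint_of "$df")
  file="$stage$entry"
  if [ ! -f "$file" ]; then
    echo "MISSING: $entry is not in the staged tree"; return 1
  fi
  # 1. Execute bit: staged with +x, or granted by a chmod in the Dockerfile.
  if [ ! -x "$file" ] && ! grep -q "chmod.*+x.*\"$entry\"" "$df"; then
    echo "NOEXEC: $entry has no execute bit and no chmod grants one"
    findings=1
  fi
  # 2. Interpreter: an 'env bash' shebang needs bash in the final base image.
  shebang=$(head -n 1 "$file")
  base=$(sed -n 's/^FROM \([^ ]*\).*/\1/p' "$df" | tail -n 1)
  case "$shebang:$base" in
    *bash*:*alpine*)
      echo "INTERP: $entry starts with '$shebang' but base image is $base"
      findings=1 ;;
  esac
  return $findings
}

# Constructed sample: a stage directory mirroring the question's setup.
make_sample_stage() {
  d=$(mktemp -d)
  mkdir -p "$d/opt/docker/bin"
  printf '#!/usr/bin/env bash\necho hi\n' > "$d/opt/docker/bin/my-app"
  chmod 644 "$d/opt/docker/bin/my-app"
  printf 'FROM %s\nCOPY opt /opt\nUSER daemon\nENTRYPOINT ["/opt/docker/bin/my-app"]\nCMD []\n' \
    "$1" > "$d/Dockerfile"
  echo "$d"
}

demo=$(make_sample_stage openjdk:8-jre-alpine)
audit_stage "$demo" || true
```

Run audit_stage against a real target/docker/stage after sbt docker:stage; an empty result with exit status 0 means neither condition was found.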