Question
Here's my problem: I want to build a chroot environment inside a docker container. The problem is that debootstrap cannot run, because it cannot mount proc in the chroot:
W: Failure trying to run: chroot /var/chroot mount -t proc proc /proc
(in the log the problem turns out to be: mount: permission denied)
If I run the container with --privileged, it (of course) works...
I'd really really really like to debootstrap the chroot in the Dockerfile (much much cleaner). Is there a way I can get it to work?
Thanks a lot!
Answer 1:
No, this is not currently possible.
Issue #1916 (which concerns running privileged operations during docker build) is still an open issue. There was discussion at one point of adding a command-line flag and a RUNP command, but neither of these have been implemented.
Answer 2:
You could use the fakechroot variant of debootstrap, like this:
fakechroot fakeroot debootstrap --variant=fakechroot ...
Cheers!
Answer 3:
Adding --cap-add=SYS_ADMIN --security-opt apparmor:unconfined to the docker run command works for me.
See moby/moby issue 16429
Answer 4:
Short answer, without privileged mode no there isn't a way.
Docker is targeted at micro-services and is not a drop-in replacement for virtual machines. Having multiple installations in one container is definitely not congruent with that. Why not use multiple docker containers instead?
Answer 5:
This still doesn't work (2018-05-31).
Currently the only option is debootstrap followed by docker import (Import from a local directory):
# mkdir /path/to/target
# debootstrap bionic /path/to/target
# tar -C /path/to/target -c . | docker import - ubuntu:bionic
Answer 6:
There is a fun workaround, but it involves running Docker twice.
The first time, using a standard docker image like ubuntu:latest, only run the first stage of debootstrap by using the --foreign option.
debootstrap --foreign bionic /path/to/target
Then don't let it do anything that would require privileged mode and isn't needed anyway, by modifying the functions that will be used in the second stage.
# both helpers live in the functions file that --foreign copied into the target
sed -i '/setup_devices ()/a return 0' /path/to/target/debootstrap/functions
sed -i '/setup_proc ()/a return 0' /path/to/target/debootstrap/functions
The last step for that docker run is to have that docker execution tar itself up to a directory that is included as a volume.
tar --exclude='dev/*' -cvf /guestpath/to/volume/rootfs.tar -C /path/to/target .
Ok, now prep for a second run. First load your tar file as a docker image.
cat /hostpath/to/volume/rootfs.tar | docker import - my_image:latest
Then, run docker using FROM my_image:latest and run the second debootstrap stage.
/debootstrap/debootstrap --second-stage
That might be obtuse, but it does work without requiring --privileged. You are effectively replacing running chroot with running a 2nd docker container.
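The two-run workflow from Answer 6, put together as one script. This is an added example, not code from the original answers. It assumes, as the answer does, that a --foreign run leaves the helper library at /path/to/target/debootstrap/functions, and it carries over the answer's placeholder suite (bionic), image tag (my_image:latest) and volume paths; the first-stage / import / second-stage sub-commands are my own naming. Unlike the --cap-add=SYS_ADMIN plus apparmor:unconfined route in Answer 3, this keeps the build container unprivileged, because the only step that needs mount(2) is the one that is skipped.

```shell
#!/bin/sh
# Added example (not from the original answers): the two-run debootstrap
# workflow of Answer 6 as a script, so a chroot can be bootstrapped without
# --privileged or CAP_SYS_ADMIN. Assumed names (not in the original page):
# the first-stage/import/second-stage sub-commands; the suite, image tag and
# volume paths are the placeholders used in the answer.
set -eu

SUITE="${SUITE:-bionic}"
TARGET="${TARGET:-/path/to/target}"                   # chroot tree in container 1
GUEST_VOLUME="${GUEST_VOLUME:-/guestpath/to/volume}"  # the volume as container 1 sees it
HOST_VOLUME="${HOST_VOLUME:-/hostpath/to/volume}"     # the same volume as the host sees it
IMAGE="${IMAGE:-my_image:latest}"

# A --foreign run copies debootstrap's helper library into the target as
# /debootstrap/functions. setup_devices and setup_proc are the helpers that
# need mount(2) in the second stage; appending "return 0" directly after each
# header turns them into no-ops. The patterns match only the exact names
# (with the space before "()"), so setup_proc_fakechroot etc. are untouched.
patch_functions() {
    sed -i -e '/setup_devices ()/a return 0' \
           -e '/setup_proc ()/a return 0' "$1"
}

# Check that the patch landed: each targeted header must be followed by a
# line reading exactly "return 0". Exit status 0 means both are neutralised.
verify_patched() {
    awk '
        /setup_devices \(\) / || /setup_proc \(\) / {
            if ((getline nxt) <= 0 || nxt != "return 0") bad = 1
        }
        END { exit bad }' "$1"
}

# Run 1, inside an ordinary container (e.g. FROM ubuntu:latest) started with
# -v "$HOST_VOLUME:$GUEST_VOLUME": unpack the .debs, patch, tar the tree.
first_stage() {
    debootstrap --foreign "$SUITE" "$TARGET"
    patch_functions "$TARGET/debootstrap/functions"
    verify_patched "$TARGET/debootstrap/functions"
    tar --exclude='dev/*' -cf "$GUEST_VOLUME/rootfs.tar" -C "$TARGET" .
}

# On the host: turn the tarball into an image.
import_image() {
    docker import - "$IMAGE" < "$HOST_VOLUME/rootfs.tar"
}

# Run 2, inside a container built FROM "$IMAGE": configure the packages.
# This replaces the chroot call that needed mount in the first container.
second_stage() {
    /debootstrap/debootstrap --second-stage
}

case "${1:-}" in
    first-stage)  first_stage ;;
    import)       import_image ;;
    second-stage) second_stage ;;
esac
```

Run it as `./bootstrap.sh first-stage` in the first container, `./bootstrap.sh import` on the host, and `./bootstrap.sh second-stage` in the container built from the imported image. verify_patched is there because a sed that silently matches nothing (for instance, when pointed at the wrong path) would only show up later as the same "mount: permission denied" failure in the second stage.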
Source: https://stackoverflow.com/questions/26406048/debootstrap-inside-a-docker-container