blocks|key|5350262|text|您可以使用debootstrap的fakechroot变量，如下所示：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|5350263|fakechroot+fakeroot+debootstrap+--variant=fakechroot+...|code-block|syntax|javascript|5350264|干杯!|5350265|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

You could use the fakechroot variant of debootstrap, like this:

<pre><code>fakechroot fakeroot debootstrap --variant=fakechroot ...
</code></pre>

Cheers!

blocks|key|325647|text|不，这目前是不可能的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|325648|Issue+#1916+(涉及在docker+build期间运行特权操作)仍然是一个悬而未决的问题。曾经讨论过添加命令行标志和RUNP命令，但这两个都没有实现。|offset|length|style|CODE|325649|entityMap|0|LINK|mutability|MUTABLE|url|https://github.com/docker/docker/issues/1916^0|0|G|C|1R|4|0|B|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Q|8|@$D|R|E|S|F|G]|$D|T|E|U|F|G]]|9|@$D|V|E|W|1|X]]|A|$]]|$1|H|3|-4|5|6|7|Y|8|@]|9|@]|A|$]]]|I|$J|$5|K|L|M|A|$N|O]]]]

No, this is not currently possible.

<a href="https://github.com/docker/docker/issues/1916" rel="noreferrer">Issue #1916</a> (which concerns running privileged operations during <code>docker build</code>) is still an open issue. There was discussion at one point of adding a command-line flag and <code>RUNP</code> command but neither of these have been implemented.

blocks|key|2239476|text|在docker+run命令中添加--cap-add=SYS_ADMIN+--security-opt+apparmor:unconfined对我来说很有效。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|2239477|请参阅moby/moby+issue+16429|2239478|entityMap|0|LINK|mutability|MUTABLE|url|https://github.com/moby/moby/issues/16429^0|1|A|G|1I|0|3|L|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@$9|Q|A|R|B|C]|$9|S|A|T|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|U|8|@]|D|@$9|V|A|W|1|X]]|E|$]]|$1|H|3|-4|5|6|7|Y|8|@]|D|@]|E|$]]]|I|$J|$5|K|L|M|E|$N|O]]]]

Adding <code>--cap-add=SYS_ADMIN --security-opt apparmor:unconfined</code> to the <code>docker run</code> command works for me. 

See <a href="https://github.com/moby/moby/issues/16429" rel="nofollow noreferrer">moby/moby issue 16429</a>

blocks|key|325682|text|这仍然不起作用(2018-05-31)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|325683|目前，唯一的选项是debootstrap，然后是docker+import+-+Import+from+a+local+directory|offset|length|style|CODE|325684|#+mkdir+/path/to/target
#+debootstrap+bionic+/path/to/target
#+tar+-C+/path/to/target+-c+.+%7C+docker+import+-+ubuntu:bionic|code-block|syntax|javascript|325685|entityMap|0|LINK|mutability|MUTABLE|url|https://docs.docker.com/engine/reference/commandline/import/#import-from-a-local-directory^0|0|9|B|O|D|O|19|0|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|V|8|@$D|W|E|X|F|G]|$D|Y|E|Z|F|G]]|9|@$D|10|E|11|1|12]]|A|$]]|$1|H|3|I|5|J|7|13|8|@]|9|@]|A|$K|L]]|$1|M|3|-4|5|6|7|14|8|@]|9|@]|A|$]]]|N|$O|$5|P|Q|R|A|$S|T]]]]

This still doesn't work (2018-05-31).

Currently the only option is <code>debootstrap</code> followed by <a href="https://docs.docker.com/engine/reference/commandline/import/#import-from-a-local-directory" rel="nofollow noreferrer"><code>docker import</code> - Import from a local directory</a>

<pre><code># mkdir /path/to/target
# debootstrap bionic /path/to/target
# tar -C /path/to/target -c . | docker import - ubuntu:bionic
</code></pre>

blocks|key|5350433|text|自Debian+10+Buster+(2019年7月)起或在Debian+9+Stretch-Backports中提供的Debian版1.0.107具有原生support+for+Docker，允许在不需要特权的情况下构建Debian根镜像。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|5350434|5350435|Dockerfile|unordered-list-item|5350436|5350437|FROM+debian:buster-slim+AS+builder
RUN+apt-get+-qq+update+\
&&+apt-get+-q+install+--assume-yes+debootstrap
ARG+MIRROR=http://deb.debian.org/debian
ARG+SUITE=sid
RUN+debootstrap+--variant=minbase+"$SUITE"+/work+"$MIRROR"
RUN+chroot+/work+apt-get+-q+clean

FROM+scratch
COPY+--from=builder+/work+/
CMD+["bash"]|code-block|syntax|javascript|5350438|5350439|docker+build+-t+my-debian+.|5350440|docker+build+-t+my-debian:bullseye+--build-arg+SUITE=bullseye+.|5350441|5350442|entityMap|0|LINK|mutability|MUTABLE|url|https://packages.debian.org/source/buster/debootstrap|1|https://packages.debian.org/source/stretch-backports/debootstrap|2|https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890867^0|1V|7|1|G|0|U|Q|1|26|I|2|0|0|0|A|0|0|0|0|0|R|0|0|1R|0|0^^$0|@$1|2|3|4|5|6|7|17|8|@$9|18|A|19|B|C]]|D|@$9|1A|A|1B|1|1C]|$9|1D|A|1E|1|1F]|$9|1G|A|1H|1|1I]]|E|$]]|$1|F|3|-4|5|6|7|1J|8|@]|D|@]|E|$]]|$1|G|3|H|5|I|7|1K|8|@$9|1L|A|1M|B|C]]|D|@]|E|$]]|$1|J|3|-4|5|6|7|1N|8|@]|D|@]|E|$]]|$1|K|3|L|5|M|7|1O|8|@]|D|@]|E|$N|O]]|$1|P|3|-4|5|6|7|1P|8|@]|D|@]|E|$]]|$1|Q|3|R|5|I|7|1Q|8|@$9|1R|A|1S|B|C]]|D|@]|E|$]]|$1|S|3|T|5|I|7|1T|8|@$9|1U|A|1V|B|C]]|D|@]|E|$]]|$1|U|3|-4|5|6|7|1W|8|@]|D|@]|E|$]]|$1|V|3|-4|5|6|7|1X|8|@]|D|@]|E|$]]]|W|$X|$5|Y|Z|10|E|$11|12]]|13|$5|Y|Z|10|E|$11|14]]|15|$5|Y|Z|10|E|$11|16]]]]

<code>debootstrap</code> version <code>1.0.107</code>, which is available since <a href="https://packages.debian.org/source/buster/debootstrap" rel="nofollow noreferrer">Debian 10 Buster</a> (July 2019) or in <a href="https://packages.debian.org/source/stretch-backports/debootstrap" rel="nofollow noreferrer">Debian 9 Stretch-Backports</a> has native <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890867" rel="nofollow noreferrer">support for Docker</a> and allows building a Debian root image without requiring privileges.
<ul>
<li><code>Dockerfile</code>:</li>
</ul>
<pre><code>FROM debian:buster-slim AS builder
RUN apt-get -qq update \
&amp;&amp; apt-get -q install --assume-yes debootstrap
ARG MIRROR=http://deb.debian.org/debian
ARG SUITE=sid
RUN debootstrap --variant=minbase &quot;$SUITE&quot; /work &quot;$MIRROR&quot;
RUN chroot /work apt-get -q clean

FROM scratch
COPY --from=builder /work /
CMD [&quot;bash&quot;]
</code></pre>
<ul>
<li><code>docker build -t my-debian .</code></li>
<li><code>docker build -t my-debian:bullseye --build-arg SUITE=bullseye .</code></li>
</ul>

blocks|key|5350391|text|有一个有趣的解决方法，但它涉及运行Docker两次。第一次使用像ubuntu:latest这样的标准docker镜像时，只使用--foreign选项运行debootstrap的第一个阶段。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|5350392|debootstrap+--foreign+bionic+/path/to/target|5350393|然后，不要让它通过修改将在第二阶段中使用的函数来执行任何需要特权且根本不需要的操作。|5350394|sed+-i+'/setup_devices+()/a+return+0'+/path/to/target/debootstrap/functions
sed+-i+'/setup_proc+()/a+return+0'+/path/to/target/functions|code-block|syntax|javascript|5350395|该docker运行的最后一步是让docker执行tar本身到一个作为卷包含的目录中。|5350396|tar+--exclude='dev/*'+-cvf+/guestpath/to/volume/rootfs.tar+-C+/path/to/target+.|5350397|好的，现在准备第二次运行。首先，将tar文件作为docker镜像加载。|5350398|cat+/hostpath/to/volume/rootfs.tar+%7C+docker+import+-+my_image:latest|5350399|然后，使用FROM+my_image:latest运行docker并运行第二个debootstrap阶段。|5350400|/debootstrap/debootstrap+--second-stage|5350401|这可能很迟钝，但它不需要--priveledged就可以工作。您实际上是在用运行第二个docker容器替换正在运行的chroot。|5350402|entityMap^0|W|D|1R|9|0|0|18|0|0|0|0|0|27|0|0|0|1W|0|5|K|0|0|13|0|C|D|1M|6|0^^$0|@$1|2|3|4|5|6|7|14|8|@$9|15|A|16|B|C]|$9|17|A|18|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|19|8|@$9|1A|A|1B|B|C]]|D|@]|E|$]]|$1|H|3|I|5|6|7|1C|8|@]|D|@]|E|$]]|$1|J|3|K|5|L|7|1D|8|@]|D|@]|E|$M|N]]|$1|O|3|P|5|6|7|1E|8|@]|D|@]|E|$]]|$1|Q|3|R|5|6|7|1F|8|@$9|1G|A|1H|B|C]]|D|@]|E|$]]|$1|S|3|T|5|6|7|1I|8|@]|D|@]|E|$]]|$1|U|3|V|5|6|7|1J|8|@$9|1K|A|1L|B|C]]|D|@]|E|$]]|$1|W|3|X|5|6|7|1M|8|@$9|1N|A|1O|B|C]]|D|@]|E|$]]|$1|Y|3|Z|5|6|7|1P|8|@$9|1Q|A|1R|B|C]]|D|@]|E|$]]|$1|10|3|11|5|6|7|1S|8|@$9|1T|A|1U|B|C]|$9|1V|A|1W|B|C]]|D|@]|E|$]]|$1|12|3|-4|5|6|7|1X|8|@]|D|@]|E|$]]]|13|$]]

There is a fun workaround, but it involves running Docker twice.
The first time, using a standard docker image like <code>ubuntu:latest</code>, only run the first stage of debootstrap by using the <code>--foreign</code> option.

<code>debootstrap --foreign bionic /path/to/target</code>

Then don't let it do anything that would require privileged and isn't needed anyway by modifying the functions that will be used in the second stage.

<pre><code>sed -i '/setup_devices ()/a return 0' /path/to/target/debootstrap/functions
sed -i '/setup_proc ()/a return 0' /path/to/target/functions
</code></pre>

The last step for that docker run is to have that docker execution tar itself up to a directory that is included as a volume.

<code>tar --exclude='dev/*' -cvf /guestpath/to/volume/rootfs.tar -C /path/to/target .</code>

Ok, now prep for a second run. First load your tar file as a docker image.

<code>cat /hostpath/to/volume/rootfs.tar | docker import - my_image:latest</code>

Then, run docker using <code>FROM my_image:latest</code> and run the second debootstrap stage.

<code>/debootstrap/debootstrap --second-stage</code>

That might be obtuse, but it does work without requiring <code>--priveledged</code>. You are effectively replacing running <code>chroot</code> with running a 2nd docker container.

blocks|key|3238273|text|这没有解决在没有--privileged集的容器中执行chroot的OP要求，但它是一种可能有用的替代方法。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|3238274|有关异类rootfs构建的信息，请参阅Docker+Moby。它创建了一个本地临时目录，并使用需要sudo的debootstrap在其中创建了一个rootfs。然后，它使用以下命令创建docker图像|3238275|FROM+scratch
ADD+rootfs.tar.xz+/
CMD+["/bin/bash"]|code-block|syntax|javascript|3238276|这是在docker镜像中运行预制rootfs的常用方法。镜像构建完成后，不需要特殊权限。它得到了docker+devel团队的支持。|3238277|entityMap|0|LINK|mutability|MUTABLE|url|https://github.com/moby/moby^0|8|C|R|6|0|1I|B|J|B|0|0|0|0^^$0|@$1|2|3|4|5|6|7|W|8|@$9|X|A|Y|B|C]|$9|Z|A|10|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|11|8|@$9|12|A|13|B|C]]|D|@$9|14|A|15|1|16]]|E|$]]|$1|H|3|I|5|J|7|17|8|@]|D|@]|E|$K|L]]|$1|M|3|N|5|6|7|18|8|@]|D|@]|E|$]]|$1|O|3|-4|5|6|7|19|8|@]|D|@]|E|$]]]|P|$Q|$5|R|S|T|E|$U|V]]]]

This does not address the OP requirements for doing <code>chroot</code> in a container without <code>--privileged</code> set, but it is an alternative method that may be of use.
See <a href="https://github.com/moby/moby" rel="nofollow noreferrer">Docker Moby</a> for hetergenous rootfs builds. It creates a native temp directory and creates a rootfs in it using <code>debootstrap</code> which needs sudo. THEN it creates a docker image using
<pre><code>FROM scratch
ADD rootfs.tar.xz /
CMD [&quot;/bin/bash&quot;]
</code></pre>
This is a common recipe for running a pre-made rootfs in a docker image. Once the image is built, it does not need special permissions. AND it's supported by the docker devel team.

blocks|key|325597|text|简而言之，没有特权模式就没有办法。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|325598|Docker的目标是微服务，而不是虚拟机的替代品。在一个容器中有多个安装肯定不符合这一点。为什么不使用多个docker容器呢？|325599|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

Short answer, without privileged mode no there isn't a way. 

Docker is targeted at micro-services and is not a drop in replacement for virtual machines. Having multiple installations in one container definitely not congruent with that. Why not use multiple docker containers instead?

Here's my problem: I want to build a chroot environment inside a docker container. The problem is that debootstrap cannot run, because it cannot mount proc in the chroot:

<code>W: Failure trying to run: chroot /var/chroot mount -t proc proc /proc</code>

(in the log the problem turns out to be: <code>mount: permission denied</code>)

If I <code>run --privileged</code> the container, it (of course) works...
I'd really really really like to debootstrap the chroot in the Dockerfile (much much cleaner). Is there a way I can get it to work?

Thanks a lot!

debootstrap inside a docker container

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

教程

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云智能顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云AI代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

功能1上新10个字符

功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符。

功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符。

功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符

功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符

功能4上新

文章&问答评论现已支持表情

全新交互，全新视觉，新增快捷键、悬浮工具栏、高亮块等功能并同时优化现有功能，全面提升创作效率和体验

社区富文本编辑器全新改版！诚邀体验～ 

精选全网热门MCP server，让你的AI更好用 🚀

💥开发者 MCP广场重磅上线！

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

聚焦“写作效率、视觉美观与运行性能”三方面进行全面升级，为您提供更高效、稳定的创作环境

社区富文本&Markdown编辑器全新改版上线，欢迎大家体验!

诚挚邀请您参与本次调研，分享您的真实使用感受与建议。您的反馈至关重要，感谢您的支持与参与！

社区新版编辑器体验调研

这就是我的问题:我想在一个docker容器中构建一个chroot环境。问题是debootstrap不能运行，因为它不能在chroot中挂载proc：W: Failure trying to run: chroot /var/chroot mount -t proc proc /proc(在日志中，问题是：mount: permission denied)如果我run --privileged容器，

问在docker容器中进行debootstrap
EN

回答 8

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在docker容器中进行debootstrapEN

回答 8

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在docker容器中进行debootstrap
EN