"./launcher rebuild app" gives a permission error on a fresh install

I ran:

git clone https://github.com/discourse/discourse_docker.git /var/discourse
cd /var/discourse
chmod 700 containers

Then I copied my old app.yml into containers and tried to rebuild the app:

[root@two discourse]# ./launcher rebuild app
x86_64 arch detected.
Ensuring launcher is up to date
Launcher is up-to-date
Stopping old container
+ /usr/bin/docker stop -t 600 app
app
2.0.20250722-0020: Pulling from discourse/base
Digest: sha256:3b975c30ef85e9742e2d7f6093450867e67dae204c93d22cc38d043dcbf530b3
Status: Image is up to date for discourse/base:2.0.20250722-0020
docker.io/discourse/base:2.0.20250722-0020
/usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups.rb
/usr/local/bin/pups --stdin
I, [2025-09-12T19:05:09.283821 #1]  INFO -- : Reading from stdin
I, [2025-09-12T19:05:09.296585 #1]  INFO -- : File > /etc/service/postgres/run  chmod: +x  chown: 
I, [2025-09-12T19:05:09.301579 #1]  INFO -- : File > /etc/service/postgres/log/run  chmod: +x  chown: 
I, [2025-09-12T19:05:09.307391 #1]  INFO -- : File > /etc/runit/3.d/99-postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.313597 #1]  INFO -- : File > /root/install_postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.319914 #1]  INFO -- : File > /root/upgrade_postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.320255 #1]  INFO -- : Replacing data_directory = '/var/lib/postgresql/15/main' with data_directory = '/shared/postgres_data' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.323526 #1]  INFO -- : Replacing (?-mix:#?listen_addresses *=.*) with listen_addresses = '*' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324153 #1]  INFO -- : Replacing (?-mix:#?synchronous_commit *=.*) with synchronous_commit = $db_synchronous_commit in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324577 #1]  INFO -- : Replacing (?-mix:#?shared_buffers *=.*) with shared_buffers = $db_shared_buffers in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324945 #1]  INFO -- : Replacing (?-mix:#?work_mem *=.*) with work_mem = $db_work_mem in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.325369 #1]  INFO -- : Replacing (?-mix:#?default_text_search_config *=.*) with default_text_search_config = '$db_default_text_search_config' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.325759 #1]  INFO -- : Replacing (?-mix:#?checkpoint_segments *=.*) with checkpoint_segments = $db_checkpoint_segments in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.329467 #1]  INFO -- : Replacing (?-mix:#?logging_collector *=.*) with logging_collector = $db_logging_collector in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.330304 #1]  INFO -- : Replacing (?-mix:#?log_min_duration_statement *=.*) with log_min_duration_statement = $db_log_min_duration_statement in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.330761 #1]  INFO -- : Replacing (?-mix:^#local +replication +postgres +peer$) with local replication postgres  peer in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.331823 #1]  INFO -- : Replacing (?-mix:^host.*all.*all.*127.*$) with host all all 0.0.0.0/0 md5 in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.332230 #1]  INFO -- : Replacing (?-mix:^host.*all.*all.*::1\\/128.*$) with host all all ::/0 md5 in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.332621 #1]  INFO -- : > if [ -f /root/install_postgres ]; then
  /root/install_postgres && rm -f /root/install_postgres
elif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then
  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1
fi

mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied
chown: cannot access '/shared/postgres_run': No such file or directory
chmod: cannot access '/shared/postgres_run': No such file or directory
mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied
chown: cannot access '/shared/postgres_run/15-main.pg_stat_tmp': No such file or directory
install: cannot change owner and permissions of '/shared/postgres_data': No such file or directory
initdb: error: could not create directory "/shared/postgres_data": Permission denied
find: ‘/shared/postgres_data’: No such file or directory
chown: cannot dereference '/var/run/postgresql': No such file or directory
cat: /shared/postgres_data/PG_VERSION: No such file or directory
du: cannot access '/shared/postgres_data': No such file or directory
/root/upgrade_postgres: line 7: * 2: syntax error: operand expected (error token is "* 2")
I, [2025-09-12T19:05:12.122891 #1]  INFO -- : Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

creating directory /shared/postgres_data ... Upgrading PostgreSQL from version to 15


FAILED
--------------------
Pups::ExecError: if [ -f /root/install_postgres ]; then
  /root/install_postgres && rm -f /root/install_postgres
elif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then
  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1
fi
 failed with return #<Process::Status: pid 18 exit 1>
Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups/exec_command.rb:131:in `spawn'
exec failed with the params {"tag"=>"db", "cmd"=>"if [ -f /root/install_postgres ]; then\n  /root/install_postgres && rm -f /root/install_postgres\nelif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then\n  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1\nfi\n"}
bootstrap failed with exit code 1
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one.
./discourse-doctor may help diagnose the problem.
c9c7badf83b119a15b40255ae48a05182f72663cc870ca85e867c1f9a218bb83

Clearly there is a permission problem right at container start:

mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied

What could be causing this?

It seems I need to run docker with the --privileged flag, since that fixes it:

./launcher rebuild app --docker-args '--privileged'

I don't understand why that is. (This is on Fedora 42.) I'd love to understand what's going on here.

Because in Discourse those files are owned by root (or is it the parent directory?).

Maybe Ubuntu sets that by default. I don't know what's different about Ubuntu.

You could try making /var/discourse/shared world-writable and see whether that works? Or see whether it works without `--privileged`?

Ubuntu is the recommended host, and Debian inside the container (CDCK may now use it as the host OS too?). Fedora has a lot of lockdown settings that Ubuntu doesn't. If you want to understand it, you'll most likely have to dig in yourself, though I recall at least one person here who regularly favours Fedora/CentOS (which is closer to Fedora than Ubuntu is!). This may have some clues: MKJ's Opinionated Discourse Deployment Configuration

I wonder what the effective uid is when the bootstrap script tries to create subdirectories in /var/discourse/shared? I'd have assumed root, since docker runs as root, but apparently not?

Unfortunately I don't see anything there about using --privileged, though I had the same thought, hoping to do all of this with podman instead of docker.

1 Like

Yes, I haven't tried running production Discourse on Fedora, only done Discourse development on Fedora, and not on 42. My Discourse server currently runs on AlmaLinux 9, where I don't need --privileged. None of my Fedora systems have Docker installed.

1 Like

When I have time, I want to try to determine who owns those directories without using --privileged.

1 Like

Looking at --privileged, I see that it disables SELinux process labels.

I don't disable SELinux on my Discourse servers; in fact my guide has notes on how to use an external nginx while keeping SELinux enabled. You could also look at your avc logs for the relevant denials and write a local policy with audit2allow. But that could be a long, iterative process. I'd start from scratch (wipe /var/discourse) to make sure it's a valid test, and see whether --permissive is still needed with SELinux disabled (e.g. setenforce 0). Then, if that works, you can use audit2allow, since setenforce 0 still writes avc entries but no longer blocks at the first gate, so you'll get a working policy faster.

If at all possible, I don't think I'd keep using --privileged on a production system.

1 Like
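As an added example for the SELinux diagnosis suggested in the reply above (this is editor-added code, not from any poster and not part of discourse_docker): a small shell script that takes auditd AVC records, keeps only the denials raised by the container domain (container_t), and reports whether the target's SELinux type is one that domain may write. The audit lines in SAMPLE_AUDIT are constructed to mirror the failing mkdir in the bootstrap log; they are not a capture from the poster's Fedora host, and the path given to relabel_hint is an assumption taken from the thread. The underlying rule it encodes is the container-selinux policy: a process in container_t can write files labelled container_file_t (what a `:Z` volume option or `chcon -t container_file_t` produces), and is denied on a bind mount carrying the host default label such as var_t, regardless of the uid inside the container being root.

```shell
#!/usr/bin/env bash
# Added example: inspect AVC denials for a Discourse container and decide
# whether the failure is a labelling problem that --privileged merely hides.

# Constructed sample in auditd's AVC record format (not a real capture).
# Records 1001/1002 mirror the bootstrap's failing mkdir; 1003 is unrelated.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1757703909.283:1001): avc:  denied  { create } for  pid=18 comm="mkdir" name="postgres_run" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1757703909.283:1001): arch=c000003e syscall=83 success=no exit=-13 comm="mkdir" exe="/usr/bin/mkdir" subj=system_u:system_r:container_t:s0:c123,c456 key=(null)
type=AVC msg=audit(1757703909.290:1002): avc:  denied  { write } for  pid=18 comm="mkdir" name="shared" dev="dm-0" ino=262145 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1757703915.101:1003): avc:  denied  { read } for  pid=22 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
)

# AVC denial records whose source domain is the container domain.
# Usage: container_denials "$audit_text"
container_denials() {
    printf '%s\n' "$1" | grep 'type=AVC' | grep -E 'avc: +denied' \
        | grep 'scontext=[^ ]*:container_t:'
}

# Number of such denials (wc keeps the exit status 0 even when there are none).
container_denial_count() {
    container_denials "$1" | wc -l | tr -d ' '
}

# Distinct SELinux types of the denied targets (third field of tcontext).
target_types() {
    container_denials "$1" \
        | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' | sort -u
}

# container-selinux lets container_t write only container_file_t objects.
label_writable_by_container() {
    [ "$1" = container_file_t ]
}

# Relabel command a practitioner would run instead of --privileged; the path
# is an assumption based on the thread. Printed only, never executed here.
relabel_hint() {
    printf 'chcon -Rt container_file_t %s\n' "$1"
}

# Summarise: exit 0 if every denied target is already container-writable
# (so labelling is not the cause), 1 if a relabel is indicated.
report() {
    log=$1
    rc=0
    printf '%s container_t denial(s) found\n' "$(container_denial_count "$log")"
    for t in $(target_types "$log"); do
        if label_writable_by_container "$t"; then
            printf 'target type %s: writable by container_t\n' "$t"
        else
            printf 'target type %s: NOT writable by container_t; try: %s' \
                "$t" "$(relabel_hint /var/discourse/shared)"
            rc=1
        fi
    done
    return $rc
}

if report "$SAMPLE_AUDIT"; then
    echo "labels are fine; look elsewhere (uid, DAC mode bits)"
else
    echo "relabel the bind mount and retry without --privileged"
fi
```

On a real host, replace SAMPLE_AUDIT with `ausearch -m avc -ts recent` output; the sshd record in the sample is there to show that the container filter ignores unrelated denials, and the SYSCALL record shows that only `type=AVC` lines are counted.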