Closed spantaleev closed 2 years ago
thanks for reopening here, the docs are indeed lagging a bit. The second issue comes from Varnish resolving the host at load-time and expecting a single IP address; this is addressed by https://github.com/nigoroll/libvmod-dynamic which is now included in the image since 7.1. I'll hopefully be able to cover the docs very soon.
Regarding the `tmpfs` issue, because the workdir changed a bit in 7.0 and because of the unprivileged approach in 7.1, the `--tmpfs` argument must now be `/var/lib/varnish/varnishd:exec`:

```
docker run --tmpfs /var/lib/varnish/varnishd:exec varnish:7.1
```
I've opened https://github.com/docker-library/docs/pull/2125 to at least sort that one out
merged
As originally reported here:
Starting the container like this fails:
Looks like running the 7.1 container image (which contains `USER varnish`) with `--tmpfs /var/lib/varnish:exec` (as recommended in the Docker Hub description) no longer works.

- [OK] `docker run --rm --entrypoint=/bin/sh docker.io/varnish:7.1.0-alpine -c 'stat /var/lib/varnish'` says `0750 / varnish / varnish` -- the `varnish` user will be able to write to this
- [not OK] `docker run --rm --entrypoint=/bin/sh --tmpfs /var/lib/varnish:exec docker.io/varnish:7.1.0-alpine -c 'stat /var/lib/varnish'` says `0750 / root / root` -- the `varnish` user will not be able to write to a `root`-owned directory with these permissions
- [not OK] `docker run --rm --entrypoint=/bin/sh --mount type=tmpfs,destination=/var/lib/varnish,tmpfs-mode=1777 docker.io/varnish:7.1.0-alpine -c 'stat /var/lib/varnish'` says `0750 / root / root` -- same as the above - the `varnish` user will not be able to write to a `root`-owned directory with these permissions
- [OK] `docker run --rm --entrypoint=/bin/sh --mount type=tmpfs,destination=/var/lib/another,tmpfs-mode=1777 docker.io/varnish:7.1.0-alpine -c 'stat /var/lib/another'` says `1777 / root / root` -- the `varnish` user will be able to write to this new `root`-owned `/var/lib/another` directory

The Debian-based image suffers from the same problem.
As a workaround, one might:

- drop the `--tmpfs` argument and have Varnish write to the container filesystem at `/var/lib/varnish` - not great
- use another `tmpfs` directory (e.g. `--tmpfs /var/lib/varnish2:exec`) by specifying another working directory: `-n /var/lib/varnish2` - ugly, but tolerable
- override the `USER varnish` thing by using `--user` (possibly `--user=0:0`) - not great

Applying the 2nd proposed workaround to the original command I reported trouble with, above:
Varnish can start like that. It does choke on the VCL definition though (I've used the www.nytimes.com example from the Docker Hub description), but that's another problem.