git 将 Docker 镜像中的用户切换为非 root 用户
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/24549746/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Switching users inside Docker image to a non-root user
提问by Jan Vladimir Mostert
I'm trying to switch user to the tomcat7 user in order to setup SSH certificates.
我正在尝试将用户切换到 tomcat7 用户以设置 SSH 证书。
When I do su tomcat7, nothing happens.
当我这样做时su tomcat7,什么也没有发生。
whoamistill ruturns root after doing su tomcat7
whoami做完后还是生根发芽 su tomcat7
Doing a more /etc/passwd, I get the following result which clearly shows that a tomcat7 user exists:
执行 a more /etc/passwd,我得到以下结果,清楚地表明存在 tomcat7 用户:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
messagebus:x:101:104::/var/run/dbus:/bin/false
colord:x:102:105:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:103:106::/home/saned:/bin/false
tomcat7:x:104:107::/usr/share/tomcat7:/bin/false
What I'm trying to work around is this error in Hudson:
我试图解决的是 Hudson 中的这个错误:
Command "git fetch -t git@________.co.za:_______/_____________.git +refs/heads/*:refs/remotes/origin/*" returned status code 128: Host key verification failed.
This is my Dockerfile, it takes an existing hudson war file and config that is tarred and builds an image, hudson runs fine, it just can't access git due to certificates not existing for user tomcat7.
这是我的 Dockerfile,它需要一个现有的 hudson War文件和配置,该文件被压缩并构建一个映像,hudson 运行良好,但由于用户 tomcat7 的证书不存在,它无法访问 git。
FROM debian:wheezy
# install java on image
RUN apt-get update
RUN apt-get install -y openjdk-7-jdk tomcat7
# install hudson on image
RUN rm -rf /var/lib/tomcat7/webapps/*
ADD ./ROOT.tar.gz /var/lib/tomcat7/webapps/
# copy hudson config over to image
RUN mkdir /usr/share/tomcat7/.hudson
ADD ./dothudson.tar.gz /usr/share/tomcat7/
RUN chown -R tomcat7:tomcat7 /usr/share/tomcat7/
# add ssh certificates
RUN mkdir /root/.ssh
ADD ssh.tar.gz /root/
# install some dependencies
RUN apt-get update
RUN apt-get install --y maven
RUN apt-get install --y git
RUN apt-get install --y subversion
# background script
ADD run.sh /root/run.sh
RUN chmod +x /root/run.sh
# expose port 8080
EXPOSE 8080
CMD ["/root/run.sh"]
I'm using the latest version of Docker (Docker version 1.0.0, build 63fe64c/1.0.0), is this a bug in Docker or am I missing something in my Dockerfile?
我正在使用最新版本的 Docker(Docker 版本 1.0.0,构建 63fe64c/1.0.0),这是 Docker 中的错误还是我的 Dockerfile 中缺少某些内容?
回答by Marcus Hughes
You should not use suin a dockerfile, however you should use the USERinstruction in the Dockerfile.
你不应该su在dockerfile 中使用,但是你应该使用USERDockerfile 中的指令。
At each stage of the Dockerfilebuild, a new container is created so any change you make to the user will not persist on the next build stage.
在Dockerfile构建的每个阶段,都会创建一个新容器,因此您对用户所做的任何更改都不会保留在下一个构建阶段。
For example:
例如:
RUN whoami
RUN su test
RUN whoami
This would never say the user would be testas a new container is spawned on the 2nd whoami. The output would be root on both (unless of course you run USER beforehand).
这永远不会说用户会test在第二个 whoami 上产生一个新容器。两者的输出都是 root(当然,除非您事先运行 USER)。
If however you do:
但是,如果您这样做:
RUN whoami
USER test
RUN whoami
You should see rootthen test.
您应该看到root那么test。
Alternatively you can run a command as a different user with sudo with something like
或者,您可以使用 sudo 以其他用户身份运行命令,例如
sudo -u test whoami
But it seems better to use the official supported instruction.
但是使用官方支持的指令似乎更好。
回答by That Brazilian Guy
As a different approach to the other answer, instead of indicating the user upon image creation on the Dockerfile, you can do so via command-line on a particular container as a per-command basis.
作为另一个答案的不同方法,您可以通过特定容器上的命令行作为每个命令的基础,而不是在 Dockerfile 上创建图像时指示用户。
With docker exec, use --userto specify which user account the interactive terminal will use (the container should be running and the user has to exist in the containerized system):
使用docker exec,用于--user指定交互式终端将使用哪个用户帐户(容器应该正在运行并且用户必须存在于容器化系统中):
docker exec -it --user [username] [container] bash
See https://docs.docker.com/engine/reference/commandline/exec/
回答by vinay mavi
回答by wordsforthewise
You should also be able to do:
您还应该能够:
apt install sudo
apt install sudo
sudo -i -u tomcat
sudo -i -u tomcat
Then you should be the tomcat user. It's not clear which Linux distribution you're using, but this works with Ubuntu 18.04 LTS, for example.
那么你应该是 tomcat 用户。目前尚不清楚您使用的是哪个 Linux 发行版,但这适用于 Ubuntu 18.04 LTS,例如。
回答by John Moser
There's no real way to do this. As a result, things like mysqld_safe fail, and you can't install mysql-server in a Debian docker container without jumping through 40 hoops because.. well... it aborts if it's not root.
没有真正的方法可以做到这一点。结果,诸如 mysqld_safe 之类的事情失败了,并且您无法在 Debian docker 容器中安装 mysql-server 而不跳过 40 圈,因为……好吧……如果它不是 root,它就会中止。
You can use USER, but you won't be able to apt-get install if you're not root.
您可以使用 USER,但如果您不是 root,您将无法 apt-get install。
