如何使用用户名称空间配置启动容器? [英] How to launch container with user namespace configuration?

问题描述

在下面的docker文件中，基本映像(jenkins/jenkins)在容器内为用户jenkins提供了UID 1000和GID 1000.

In the below docker file, base image(jenkins/jenkins) is providing a user jenkins with UID 1000 and GID 1000, within container.

FROM jenkins/jenkins

# Install some base packages

# Use non-privileged user provided by base image
USER jenkins # with uid 1000 and GID 1000

# Copy plugins and other stuff

---

在docker主机(EC2实例)上，我们也有类似的UID& GID已创建，

---

On the docker host(EC2 instance), we also have similar UID & GID created,

 $ groupadd -g 1000 jenkins
 $ useradd -u 1000 -g jenkins jenkins
 $ mkdir -p /abc/home_folder_for_jenkins
 $ chown -R jenkins:jenkins /abc/home_folder_for_jenkins

请确保容器可以将文件写入EC2实例中的/abc/home_folder_for_jenkins.

to make sure, container can write files to /abc/home_folder_for_jenkins in EC2 instance.

在同一EC2实例中，我们需要注意的另一方面是运行容器(除了上述容器之外)以非特权模式运行.

Another aspect that we need to take care in same EC2 instance, is to run containers(other than above container) to run in non-privileged mode.

因此，在Docker主机(EC2)上执行以下配置:

So, below configuration is performed on docker host(EC2):

$ echo dockremap:165536:65536 > /etc/subuid
$ echo dockremap:165536:65536 > /etc/subgid
$ echo '{"debug":true, "userns-remap":"default"}' > /etc/docker/daemon.json

---

此dockremap配置不允许jenkins启动，并且docker容器进入Exited状态:

---

This dockremap configuration is not allowing jenkins to start and docker container goes in Exited state:

$ ls -l /abc/home_folder_for_jenkins
total 0

删除docker remap配置后，一切正常.

After removing docker remap configuration, everything work fine.

为什么dockremap配置不允许jenkins容器以jenkins用户身份运行?

Why dockremap configuration not allow the jenkins container to run as jenkins user?

推荐答案

我实际上正在与之抗争，因为它似乎不太便携，但这是我发现的最好的.如上所述，在您的Docker主机上，UID/GID是容器中的UID/GID + /etc/subuid&中的值. /etc/subgid. 因此，您的主机上的容器根目录"为165536，用户jenkins为166536(165536 + 1000).

I'm actually fighting with this because it seems not very portable but this is the best I found. As said above on your docker host the UID/GID are the ones from the container + the value in /etc/subuid & /etc/subgid. So your "container root" is 165536 on your host and your user jenkins is 166536 (165536 + 1000).

回到您的示例，您需要做的是

To come back to your example what you need to do is

$ mkdir -p /abc/home_folder_for_jenkins
$ chown -R 166536:166536 /abc/home_folder_for_jenkins

这篇关于如何使用用户名称空间配置启动容器?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！