Why is fixuid refusing to change the UID/GID?


Problem description

I have a situation similar to the question that got answered here.

In the answer, it is proposed to use fixuid in the Docker image so as to (and I cite):


We have created a workaround for this issue that changes a Docker container's user/group and file permissions that were set at build time to the UID/GID that the container was started with at runtime.

The project and install instructions are at: https://github.com/boxboat/fixuid

Example:


  • Docker container was built using user/group dockeruser:dockergroup as UID/GID 1000:1000.
  • Host is running as UID/GID 1001:1002.
  • Image is run with docker run -u 1001:1002. fixuid will:
    • change dockeruser UID to 1001
    • change dockergroup GID to 1002
    • change all file permissions for old dockeruser:dockergroup to 1001:1002
    • update $HOME inside container to dockeruser $HOME
    • now container and host UID/GID match and files created in the container on host mounts will match.

It can run as the ENTRYPOINT or as part of a startup script. It is installed in the container as a binary owned by root with the setuid bit, and escalates privileges to make the appropriate changes. It should only be used in development containers.

However, when I try to do that, I get:

fixuid: already ran on this system; will not attempt to change UID/GID

and therefore the UID is not changed, which causes a lot of problems.

Recommended answer

As you can see in the source code of fixuid, there is a (tiny) safeguard against running this binary twice (because it's setuid root, so it's very dangerous):

The file /var/run/fixuid.ran is checked for existence before running.

Looks like someone probably ran the fixuid binary during the boot-up phase. Maybe in an entrypoint (that may call another entrypoint and so on), or after the entrypoint when actually running the command.

fixuid could be used in the entrypoint or as a shell wrapper for the command.
If you try to do both cases, you'll get that message.
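To reproduce the failure mode the answer describes without a container, here is an added shell example (not code from the question, the answer, or the fixuid project): a mock of the run-once sentinel guard, the entrypoint-plus-wrapper scenario that triggers the message, and a wrapper that checks the sentinel before calling. The sentinel path (a temp file by default) and all function names are constructed for this demo; real fixuid uses /var/run/fixuid.ran.

```shell
#!/bin/sh
# Added demo, not code from the question/answer or the fixuid project.
# FIXUID_SENTINEL is a constructed stand-in for /var/run/fixuid.ran.
FIXUID_SENTINEL="${FIXUID_SENTINEL:-${TMPDIR:-/tmp}/fixuid-demo.ran}"

# Mimics the guard from the answer: refuse (return 1) when the sentinel
# already exists, otherwise create it and "succeed" (return 0).
mock_fixuid() {
  if [ -e "$FIXUID_SENTINEL" ]; then
    echo "fixuid: already ran on this system; will not attempt to change UID/GID" >&2
    return 1
  fi
  : > "$FIXUID_SENTINEL"
}

# Scenario from the answer: ENTRYPOINT runs fixuid, then the command is
# wrapped with fixuid again. Prints the number of refused calls (expect 1).
scenario_entrypoint_and_wrapper() {
  rm -f "$FIXUID_SENTINEL"
  refused=0
  mock_fixuid || refused=$((refused + 1))    # entrypoint layer
  mock_fixuid || refused=$((refused + 1))    # wrapper around the command
  echo "$refused"
}

# Mitigation: a wrapper that only calls fixuid when no earlier layer has,
# so combining it with an entrypoint that already ran fixuid is harmless.
guarded_fixuid() {
  [ -e "$FIXUID_SENTINEL" ] || mock_fixuid
}

# Same two layers, both using the guarded wrapper. Prints 0 refusals.
scenario_guarded() {
  rm -f "$FIXUID_SENTINEL"
  refused=0
  guarded_fixuid || refused=$((refused + 1))   # entrypoint layer
  guarded_fixuid || refused=$((refused + 1))   # wrapper around the command
  echo "$refused"
}
```

Inside a running container, `test -e /var/run/fixuid.ran` tells you whether an earlier entrypoint layer has already run fixuid, which is the quickest way to confirm this diagnosis.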
