Switching users inside Docker image to a non-root user

Problem description

I'm trying to switch user to the tomcat7 user in order to set up SSH certificates.

When I do su tomcat7, nothing happens.

whoami after doing su tomcat7

Doing a more /etc/passwd, I get the following result which clearly shows that a tomcat7 user exists:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
messagebus:x:101:104::/var/run/dbus:/bin/false
colord:x:102:105:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:103:106::/home/saned:/bin/false
tomcat7:x:104:107::/usr/share/tomcat7:/bin/false

What I'm trying to work around is this error in Hudson:

Command "git fetch -t git@________.co.za:_______/_____________.git +refs/heads/*:refs/remotes/origin/*" returned status code 128: Host key verification failed.

This is my Dockerfile. It takes an existing Hudson war file and config that is tarred and builds an image. Hudson runs fine; it just can't access git due to certificates not existing for user tomcat7.

FROM debian:wheezy

# install java on image
RUN apt-get update
RUN apt-get install -y openjdk-7-jdk tomcat7

# install hudson on image
RUN rm -rf /var/lib/tomcat7/webapps/*
ADD ./ROOT.tar.gz /var/lib/tomcat7/webapps/

# copy hudson config over to image
RUN mkdir /usr/share/tomcat7/.hudson
ADD ./dothudson.tar.gz /usr/share/tomcat7/
RUN chown -R tomcat7:tomcat7 /usr/share/tomcat7/

# add ssh certificates
RUN mkdir /root/.ssh
ADD ssh.tar.gz /root/

# install some dependencies
RUN apt-get update
RUN apt-get install --y maven
RUN apt-get install --y git
RUN apt-get install --y subversion

# background script
ADD run.sh /root/run.sh
RUN chmod +x /root/run.sh

# expose port 8080
EXPOSE 8080


CMD ["/root/run.sh"]

I'm using the latest version of Docker (Docker version 1.0.0, build 63fe64c/1.0.0). Is this a bug in Docker, or am I missing something in my Dockerfile?

Recommended answer

You should not use su in a Dockerfile; however, you should use the USER instruction in the Dockerfile.

At each stage of the Dockerfile build, a new container is created so any change you make to the user will not persist on the next build stage.

For example:

RUN whoami
RUN su test
RUN whoami

This would never say the user would be test as a new container is spawned on the 2nd whoami. The output would be root on both (unless of course you run USER beforehand).

If you do this:

RUN whoami
USER test
RUN whoami

You should then see test.

Alternatively you can run a command as a different user with sudo with something like

sudo -u test whoami

But it seems better to use the officially supported instruction.
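
As an added example (not part of the original answer and not Docker's own code), the following Python checker applies the rule described in the answer: only USER carries over between build steps, so it reports which user each RUN, CMD and ENTRYPOINT executes as and flags su inside RUN. The name effective_users, the base_user default of root and the two sample Dockerfiles (the answer's snippets with a FROM line added) are assumptions made for illustration.

```python
import re

# Constructed samples: the answer's two snippets, each given a FROM line.
WITH_SU = "FROM debian:wheezy\nRUN whoami\nRUN su test\nRUN whoami\n"
WITH_USER = "FROM debian:wheezy\nRUN whoami\nUSER test\nRUN whoami\n"

# "su" as a command word at the start of a RUN or after ; & |
SU_RE = re.compile(r"(^|[;&|]\s*)su(\s|$)")

def effective_users(dockerfile, base_user="root"):
    """Return (steps, warnings); steps holds (line, instruction, user).

    base_user is an assumption: the user the base image leaves in effect.
    """
    user, steps, warnings = base_user, [], []
    logical, start = "", 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not logical:
            start = n                      # first line of this instruction
        logical += line.rstrip("\\") + " "
        if line.endswith("\\"):            # continued on the next line
            continue
        instr, _, arg = logical.strip().partition(" ")
        instr, arg, logical = instr.upper(), arg.strip(), ""
        if instr == "FROM":
            user = base_user               # a new stage starts from the base image
        elif instr == "USER":
            user = arg.split(":")[0]       # USER name[:group]
        elif instr in ("RUN", "CMD", "ENTRYPOINT"):
            steps.append((start, instr, user))
            if instr == "RUN" and SU_RE.search(arg):
                warnings.append(f"line {start}: su in RUN does not change "
                                "the user of later steps; use USER")
    if user in ("root", "0"):
        warnings.append("no USER in effect at the end: container runs as root")
    return steps, warnings

if __name__ == "__main__":
    for name, text in (("su", WITH_SU), ("USER", WITH_USER)):
        steps, warnings = effective_users(text)
        print(name, steps, warnings)
```
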
