Running docker as non-root user OR running jenkins on tomcat as root user


Problem description

I am trying to build a docker image using the docker-maven plugin, and plan to execute the mvn command using jenkins. I have jenkins.war deployed on a tomcat instance instead of as a standalone app, and tomcat runs as a non-root user. The problem is that docker needs to be run as the root user, so maven commands need to be run as root, and hence jenkins/tomcat needs to run as root, which is not a good practice (although my non-root user is also a sudoer, so I guess it won't matter much).

So, bottom line, I see two solutions: either run docker as a non-root user (and I need help on how to do that) OR run jenkins as root (and I'm not sure how to achieve that, as I changed the environment variable/config and it's still not switching to root).

Any advice on which solution to choose and how to implement it?

Recommended answer

The problem is that docker needs to be run as root user, so maven commands need to be run as root user

No, docker run can be done with a -u (--user) parameter in order to use a non-root user inside the container.

Either run docker as non-root user

Your user (on the host) needs to be part of the docker group. Then you can run the docker service with that user.

As commented, this is not very secure.
See:

That last link ends with the following findings:

  • If there's a known uid that the process inside the container is executing as, it could be as simple as restricting access to the host system so that the uid from the container has limited access.
  • The better solution is to start containers with a known uid using the --user option (you can use a username also, but remember that it's just a friendlier way of providing a uid from the host's username system), and then limiting access to the uid on the host that you've decided the container will run as.
  • Because of how uids and usernames (and gids and group names) map from a container to the host, specifying the user that a containerized process runs as can make the process appear to be owned by different users inside vs outside the container.

Regarding that last point, you now have user namespace (userns) remapping (since docker 1.10, but I would advise 17.06, because of issue 33844).
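As an added illustration of the answer's last two points (not code from the original post or from Docker itself), the script below works out how a uid inside a userns-remapped container corresponds to a uid on the host. It uses a constructed /etc/subuid line for the dockremap user that the daemon creates with "userns-remap": "default"; the real mapping on a given host comes from that host's /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example, not part of the original answer. Maps uids across a
# user-namespace remap using a CONSTRUCTED /etc/subuid entry; on a real
# host read the dockremap line from /etc/subuid instead.
SUBUID_SAMPLE="dockremap:100000:65536"   # user:first-host-uid:count

# container_to_host_uid <subuid-line> <container-uid>
# Prints the host uid that owns files created by <container-uid> inside the
# container, or "unmapped" when the uid lies outside the allocated range
# (the kernel then shows the overflow uid, normally 65534, on the host).
container_to_host_uid() {
    start=$(printf '%s' "$1" | cut -d: -f2)
    count=$(printf '%s' "$1" | cut -d: -f3)
    if [ "$2" -ge 0 ] && [ "$2" -lt "$count" ]; then
        echo $((start + $2))
    else
        echo unmapped
    fi
}

# host_to_container_uid <subuid-line> <host-uid>
# Reverse direction: the uid a host-owned file (e.g. on a bind mount)
# appears as inside the container, or "unmapped" if outside the range.
host_to_container_uid() {
    start=$(printf '%s' "$1" | cut -d: -f2)
    count=$(printf '%s' "$1" | cut -d: -f3)
    if [ "$2" -ge "$start" ] && [ "$2" -lt $((start + count)) ]; then
        echo $(($2 - start))
    else
        echo unmapped
    fi
}

# root (uid 0) in the container is an unprivileged uid on the host, and a
# --user 1000 container process lands on host uid 101000.
echo "container uid 0    -> host uid $(container_to_host_uid "$SUBUID_SAMPLE" 0)"
echo "container uid 1000 -> host uid $(container_to_host_uid "$SUBUID_SAMPLE" 1000)"
# A bind-mounted file owned by host uid 1000 is outside the range, so the
# container sees it as the overflow (nobody) uid and cannot chown it.
echo "host uid 1000      -> container uid $(host_to_container_uid "$SUBUID_SAMPLE" 1000)"
# To check the same thing on a real daemon with userns-remap enabled:
#   docker run --rm --user 1000 -v /tmp/probe:/probe alpine touch /probe/f
#   stat -c %u /tmp/probe/f      # expect first-host-uid + 1000
```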
