让非root用户写入Docker中的linux主机 [英] Let non-root user write to linux host in Docker
问题描述
我有一个创建的OpenSuse 42.3 docker容器映像,该映像具有一个用户,我们将其称为"streamuser".我希望这是一个只要有人从我的图像创建容器的活动用户.我已经将主机的主目录挂载到streamuser的主目录.我遇到的麻烦是,如果我在Linux主机上运行Docker容器,streamuser无法将任何内容写入主机目录.这是因为streamuser不共享与主机相同的UID和GID.有没有一种解决此问题的干净方法,可以避免我将映像中的默认用户帐户设置为根帐户?如果我以root用户身份登录到容器,则可以写入linux主机,但这是不可取的.
I have an OpenSuse 42.3 docker container image that I created which has a single user, which we will call 'streamuser'. I would like this to be the user that is active whenever anyone creates a container from my image. I have mounted the host's home directory to the home directory of streamuser. The trouble that I'm having is that if I run the Docker container on a Linux host, streamusercan not write anything to the host directories. This is because streamuser does not share the same UID and GID as the host. Is there a clean way to resolve this issue that avoids me setting the default user account in the image to the root account? If I login as root in the container, then I can write to the linux host, but this is undesirable.
我的docker呼叫是:
My docker call is:
docker run -it -d --name ${containerName} --user="streamuser" \
--workdir="/home/streamuser" --volume="${home}:/home/streamuser" \
${imageName} /bin/bash -rcfile /opt/Codebase/image_env_setup_v206.sh
我看到了一个解决方案,其中有人使用--volume选项将主机passwd,sudoers等文件传递到了容器中.我不喜欢此选项,因为它会覆盖我在容器中制作的环境,而且看起来像是ham手solution脚的解决方案.
I have seen a solution where someone used the --volume option as passed the host passwd, sudoers, etc files up to the container. I don't like this option because it overwrites my crafted environment within the container, and it seems like a ham-fisted solution.
我的dockerfile是:
My dockerfile is:
FROM opensuse:42.3
RUN zypper update -y && \
zypper install -y \
sudo \
vim \
gcc-fortran \
infinipath-psm-devel \
openmpi \
openmpi-devel \
openmpi-libs \
hdf5-openmpi \
blas-devel \
blas-devel-static \
lapack-devel \
which
RUN echo "root:streamuser_2017" | chpasswd
RUN useradd -m streamuser
RUN passwd -d streamuser
CMD /bin/bash
RUN mkdir -p -m0755 \
/opt/codeA/lib \
/opt/codeA/bin \
/opt/codeB/lib \
/opt/codeC/lib \
/opt/codeC/bin \
/opt/petsc/lib
USER streamuser
WORKDIR /home/streamuser
RUN source $HOME/.bashrc
COPY ./Docker/critical_dependencies/codeA_lib/* /opt/codeA/lib/
COPY ./Docker/critical_dependencies/codeA_bin/* /opt/codeA/bin/
COPY ./Docker/critical_dependencies/codeB_lib/* /opt/codeB/lib/
COPY ./Docker/critical_dependencies/petsc_lib/* /opt/petsc/lib/
COPY ./lib/* /opt/codeC/lib/
COPY ./bin/* /opt/codeC/bin/
COPY ./Docker/image_env_setup_v206.sh /opt/codeC
RUN source /opt/codeC/image_env_setup_v206.sh
推荐答案
您可以添加 fixuid (由 Caleb Lloyd )在您的Dockerfile映像中.
参见 moby/moby
问题7198 :
You could add fixuid (by Caleb Lloyd) in your Dockerfile image.
See moby/moby
issue 7198:
我们为此问题创建了一种解决方法,将在构建时设置的Docker容器的用户/组和文件权限更改为在运行时启动该容器的UID/GID.
We have created a workaround for this issue that changes a Docker container's user/group and file permissions that were set at build time to the UID/GID that the container was started with at runtime.
项目和安装说明位于: https://github.com/boxboat/fixuid
The project and install instructions are at: https://github.com/boxboat/fixuid
示例:
- 使用用户/组
dockeruser:dockergroup
作为UID/GID1000:1000
构建Docker容器. - 主机以UID/GID
1001:1002
的身份运行. - 图像使用
docker run -u 1001:1002
运行.
- Docker container was built using user/group
dockeruser:dockergroup
as UID/GID1000:1000
. - Host is running as UID/GID
1001:1002
. - Image is run with
docker run -u 1001:1002
.
fixuid
将:
- 将dockeruser UID更改为
1001
- 将dockergroup GID更改为
1002
- 将旧版
dockeruser:dockergroup
的所有文件权限更改为1001:1002
- 将容器内的
$HOME
更新为dockeruser$HOME
- 现在容器和主机UID/GID匹配,并且在主机挂载上在容器中创建的文件将匹配.
- change dockeruser UID to
1001
- change dockergroup GID to
1002
- change all file permissions for old
dockeruser:dockergroup
to1001:1002
- update
$HOME
inside container to dockeruser$HOME
- now container and host UID/GID match and files created in the container on host mounts will match.
它可以作为ENTRYPOINT
或作为启动脚本的一部分运行.它以setuid
位的形式由root
拥有的二进制文件安装在容器中,并升级特权以进行适当的更改.它只能在开发容器中使用.
It can run as the ENTRYPOINT
or as part of a startup script. It is installed in the container as a binary owned by root
with the setuid
bit, and escalates privileges to make the appropriate changes. It should only be used in development containers.
这篇关于让非root用户写入Docker中的linux主机的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!