如何以非root用户身份在Docker容器中启动crond? [英] How to start crond as non-root user in a Docker Container?
问题描述
我正在使用下面的 Dockerfile 和 entrypoint.sh 。我需要以非root用户身份启动容器中的 crond 服务,但得到权限被拒绝。如何以非root用户身份启动 crond 服务?
I am using the below Dockerfile and entrypoint.sh. I need to start the crond service in the container as a non-root user but I get Permission denied. How do I start the crond service as a non-root user?
我需要拥有
I need have USER in Dockerfile as it is a mandatory admin setting in my Openshift 3 Platform.
Dockerfile
FROM centos:centos7.4.1708
RUN yum update -y && yum install -y cronie && rm -rf /var/lib/apt/lists/*
RUN cd / && mkdir /code
ADD entrypoint.sh /code/
RUN chmod -R 755 /code/entrypoint.sh
ENTRYPOINT ["/code/entrypoint.sh"]
RUN useradd -l -u 1001510000 -c "1001510000" 1001510000
USER 1001510000
CMD ["top"]
entrypoint.sh
#!/bin/bash
echo "in the entrypoint!"
echo "executing id"
id
echo "executing crond start"
crond start
echo "executing $@"
$@
错误输出
in the entrypoint!
executing id
uid=1001510000(1001510000) gid=1000(1001510000) groups=1000(1001510000)
executing crond start
crond: can't open or create /var/run/crond.pid: Permission denied
executing top
推荐答案
首先, crond 必须代表其他用户调用命令。怎么不由 root 运行?即使您将以某种方式与该用户一起运行此恶魔进程,也很有可能会缺少其他权限才能运行某些命令。
First of all crond has to invoke commands on behalf of other users. How could it do that without being run by root? Even if somehow you will run this demon process with this user there is a high probability that it will lack other permissions in order to run certain commands.
但是我猜猜您可以尝试,这也许会有所帮助:
您的用户根本没有错误日志所述的权限。如果要尝试以非root用户身份运行,请创建组,例如说 crond-users 并更改 / var / run /crond.pid 组从 root 到 crond-users 。最后但并非最不重要的一点是,将您的用户添加到 crond-users 组。
像这样:
Your user simply doesn't have permissions as error log says. If you want to try run as non-root user create group lets say crond-users and change /var/run/crond.pid group from root to crond-users. Last but not least add your user to crond-users group.
Like so:
RUN groupadd crond-users && \
chgrp crond-users /var/run/crond.pid && \
usermod -a -G crond-users 1001510000
命中1
此外,docker默认入口点是 / bin / bash -c ,但没有默认命令。因此您的Dockerfile可能如下所示:
Moreover, docker default entrypoint is /bin/bash -c but does not have a default command. So your Dockerfile could look like this:
FROM centos:centos7.4.1708
RUN yum update -y && yum install -y cronie && rm -rf /var/lib/apt/lists/* && \
cd / && mkdir /code && \
chmod -R 755 /code/entrypoint.sh && \
useradd -l -u 1001510000 -c "1001510000" 1001510000 && \
addgroup crond-users && \
chgrp crond-users /var/run/crond.pid && \
usermod -a -G crond-users 1001510000
ADD entrypoint.sh /code/
USER 1001510000
CMD ["/code/entrypoint.sh", "top"]
提示2。
尝试避免多次使用相同的Dockerfile指令(如果您使用的是4倍RUN)。每个指令在以后的构建映像中都是一个单独的层。这是众所周知的 Dockerfile最佳做法。
Try avoiding using multiple times the same Dockerfile instruction (In your case you had 4x RUN). Each instruction is a separate layer in later build image. This is known Dockerfile best practice.
最小化层数在较早版本的Docker中,将图像中的层数最小化为
至关重要,这是
的重要保证他们表现出色。在
中添加了以下功能以减少此限制:
Minimize the number of layers In older versions of Docker, it was important that you minimized the number of layers in your images to ensure they were performant. The following features were added to reduce this limitation:
在Docker 1.10及更高版本中,只有RUN,COPY,ADD指令创建
层。其他说明创建临时的中间映像,并且
不会直接增加构建的大小。
In Docker 1.10 and higher, only the instructions RUN, COPY, ADD create layers. Other instructions create temporary intermediate images, and do not directly increase the size of the build.
这篇关于如何以非root用户身份在Docker容器中启动crond?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
