Docker - parent image execution fails due to missing root access


Problem description


The parent image I am using seems to require root access to run its ENTRYPOINT instruction.

In my Dockerfile I need to run my own container (executable) as a normal user at the end. How do I switch back and forth between users here?

Pseudo Dockerfile:

FROM parentrepo/parentimg # its Dockerfile probably has ENTRYPOINT at the end which requires root access
#my app specific instructions
WORKDIR ..
RUN mkdir ..
COPY ..
RUN tar ..
EXPOSE 9000
USER nir # Here I want to switch user to nir
WORKDIR ${myhome}
CMD ["/bin/bash", "-c", "./start"]

Running the above fails as the parent requires sudo access. If I don't do USER nir then my process starts as the root user, which I don't want. Does the parent Dockerfile need to have USER root here?

Also, is there any document that describes how docker build executes instructions at a high level? How does it interact with hierarchies of parent Dockerfiles? It looks like it imports instructions from parent Dockerfiles and creates one Dockerfile. Does it reorder instructions in any way?

And what happens at runtime when executing via docker run? I know the RUN command is used at build time while CMD and ENTRYPOINT are executed at runtime, but it still doesn't explain the whole picture and the sequence from build; otherwise it would have been clear what I need to do.

Solution

You should create a user nir inside that image and also give appropriate ownership and rights to execute that ./start script.

Here is what I tried and it worked.

  • Created a Dockerfile with the following contents

FROM alpine
WORKDIR /
#RUN useradd -ms /bin/bash nir <= (This will work for non-alpine images)
RUN addgroup -S appgroup && adduser -S nir -G appgroup
COPY . /
RUN chown nir:appgroup /start.sh
RUN chmod +x /start.sh
USER nir
CMD ["/bin/sh", "-c", "/start.sh"]

  • Contents of start.sh script.

#!/bin/sh
echo "hello" > /tmp/abc.txt
sleep 100
exec "$@"

  • Build and run the container.

$ docker build -t t:t .
$ docker run -itd  t:t
$ docker exec -it de11dbffb2ca sh
/ $ ls /tmp/abc.txt
/tmp/abc.txt
/ $ cat /tmp/abc.txt
hello
/ $ ls -ltrh /tmp/
total 4K
-rw-r--r--    1 nir      appgroup       6 Jun 21 04:35 abc.txt
/ $

As you can see, the script start.sh is successfully executed by user nir. Here we just created an appropriate user using adduser for the alpine-based image (or use useradd for non-alpine images), and gave appropriate permissions to the script using chown and chmod.

Hope this helps, let me know.
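
An added example (not part of the original question or answer): a small Python model of how USER, ENTRYPOINT and CMD are inherited from parent to child image, showing that `USER nir` in the child makes the parent's ENTRYPOINT itself run as nir, with the child's CMD passed as its arguments. The Dockerfile texts are constructed and `/init.sh` is a hypothetical root-requiring parent entrypoint; line continuations and multi-stage builds are not handled.

```python
import json

# Constructed Dockerfiles. /init.sh is a hypothetical root-requiring entrypoint.
PARENT = """FROM alpine
ENTRYPOINT ["/init.sh"]
"""
CHILD = """FROM parentrepo/parentimg
USER nir
CMD ["/bin/bash", "-c", "./start"]
"""

def parse_argv(arg):
    """Exec form (JSON array) is kept as-is; shell form is wrapped in /bin/sh -c."""
    arg = arg.strip()
    return json.loads(arg) if arg.startswith("[") else ["/bin/sh", "-c", arg]

def effective_config(dockerfiles):
    """Fold USER/ENTRYPOINT/CMD over Dockerfiles ordered parent first, child last."""
    cfg = {"user": "root", "entrypoint": [], "cmd": []}  # no USER means root
    for text in dockerfiles:
        cmd_set_here = False
        for line in text.splitlines():
            instr, _, arg = line.strip().partition(" ")
            instr = instr.upper()
            if instr == "USER":
                cfg["user"] = arg.strip()
            elif instr == "CMD":
                cfg["cmd"], cmd_set_here = parse_argv(arg), True
            elif instr == "ENTRYPOINT":
                cfg["entrypoint"] = parse_argv(arg)
                if not cmd_set_here:
                    cfg["cmd"] = []  # a new ENTRYPOINT drops a CMD inherited from the parent
    return cfg

def runtime_process(cfg):
    """User and argv that `docker run IMAGE` starts when given no extra arguments."""
    return cfg["user"], cfg["entrypoint"] + cfg["cmd"]

def runs_as_root(cfg):
    """True when the configured user (ignoring any :group suffix) is root or uid 0."""
    return cfg["user"].split(":")[0] in ("root", "0")

if __name__ == "__main__":
    cfg = effective_config([PARENT, CHILD])
    print(runtime_process(cfg), "root" if runs_as_root(cfg) else "non-root")
```

In the constructed case the container starts `/init.sh /bin/bash -c ./start` as nir, so an entrypoint that needs root fails before the child's command is ever reached.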
