run container with containerd's ctr by means of uidmap to map to non-root user on the host


Question


To better understand how to use the --uidmap with ctr, I've created a test container by means of the following steps. The containerd version is 1.4.3.

  1. Build Dockerfile
$ cat Dockerfile
FROM alpine
ENTRYPOINT ["/bin/sh"]

$ docker build -t test .
Sending build context to Docker daemon  143.1MB
Step 1/2 : FROM alpine                         
 ---> d6e46aa2470d                             
Step 2/2 : ENTRYPOINT ["/bin/sh"]              
 ---> Running in 560b09f9b287                  
Removing intermediate container 560b09f9b287   
 ---> 8506bfeab109                             
Successfully built 8506bfeab109                
Successfully tagged test:latest                

  2. Save the image as a tar ball

    $ docker save test > test.tar
    

  3. Import it with containerd's ctr

    $ sudo ctr i import test.tar
    unpacking docker.io/library/test:latest (sha256:9f7dabf0e4feadbca9bdc180422a3f2cdd7b545445180a3c23de8129dc95f29b)...done
    

  4. Create and run the container

    $ sudo ctr run --uidmap 0:5000:4999 docker.io/library/test:latest test
    


    The uid map should map the container-internal uid 0 (root) to 5000, according to ctr's man page:


    --uidmap="": run inside a user namespace with the specified UID mapping range; specified with the format container-uid:host-uid:length

  5. Check the UIDs in the container and on the host:

    In the container:

    ps -eo ruser,rgroup,comm 
    RUSER    RGROUP   COMMAND
    root     root     sh     
    root     root     ps     
    

    On the host:

    $ ps -eo uid,gid,cmd | grep /bin/sh
      126   128 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/unity-greeter
        0     0 /bin/sh
    


    Issue

    It does not seem to work: /bin/sh runs as root (uid=0) inside the container as well as on the host.

    Answer


    I was searching for a while until I checked containerd's code and found this within cmd/ctr/commands/run/run_unix.go:

    if uidmap, gidmap := context.String("uidmap"), context.String("gidmap"); uidmap != "" && gidmap != "" {
        uidMap, err := parseIDMapping(uidmap)
        if err != nil {
            return nil, err
        }
        gidMap, err := parseIDMapping(gidmap)
        if err != nil {
            return nil, err
        }
    


    which basically means: you have to provide both the uidmap AND the gidmap, otherwise it won't work.

    Running the above container again:

    $ sudo ctr run --uidmap 0:5000:4999 --gidmap 0:5000:4999 docker.io/library/test:latest test
    

    It works!

    In the container:

    ps -eo ruser,rgroup,comm  
    RUSER    RGROUP   COMMAND 
    root     root     sh      
    root     root     ps      
    

    On the host:

    $ ps -eo uid,gid,cmd | grep /bin/sh
      126   128 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/unity-greeter
     5000  5000 /bin/sh
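
The "both maps or no user namespace" rule from the answer, together with the arithmetic behind `container-uid:host-uid:length`, as an added Go example. This is not containerd's code and not part of the original post: `IDMapping`, `ParseIDMapping`, `BuildUserNS`, `ToHost` and `ProcMapLine` are hypothetical names chosen here, and `ErrIncomplete` stands in for what containerd actually does, which is to silently skip the user namespace when one flag is missing. The sample flag strings are the ones from the question and the answer.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// IDMapping mirrors the three fields of a runtime-spec LinuxIDMapping
// (ContainerID, HostID, Size). Declared locally so the example builds
// without containerd or the OCI spec package (hypothetical type name).
type IDMapping struct {
	ContainerID uint32
	HostID      uint32
	Size        uint32
}

// ErrIncomplete models the condition the answer found in run_unix.go:
// the user namespace is only configured when BOTH maps are present, so a
// lone --uidmap (or --gidmap) leaves the container running as host root.
var ErrIncomplete = errors.New("both --uidmap and --gidmap are required; a single map is ignored")

// ParseIDMapping parses the ctr flag syntax "container-id:host-id:length".
// It is a stand-in for containerd's parseIDMapping, not its code.
func ParseIDMapping(s string) (IDMapping, error) {
	parts := strings.Split(s, ":")
	if len(parts) != 3 {
		return IDMapping{}, fmt.Errorf("id mapping %q: want container-id:host-id:length", s)
	}
	var v [3]uint32
	for i, p := range parts {
		n, err := strconv.ParseUint(p, 10, 32)
		if err != nil {
			return IDMapping{}, fmt.Errorf("id mapping %q: %w", s, err)
		}
		v[i] = uint32(n)
	}
	if v[2] == 0 {
		return IDMapping{}, fmt.Errorf("id mapping %q: length must be > 0", s)
	}
	// Reject ranges that would wrap past the 32-bit ID space.
	if uint64(v[0])+uint64(v[2]) > 1<<32 || uint64(v[1])+uint64(v[2]) > 1<<32 {
		return IDMapping{}, fmt.Errorf("id mapping %q: range overflows uint32", s)
	}
	return IDMapping{ContainerID: v[0], HostID: v[1], Size: v[2]}, nil
}

// BuildUserNS applies the "both or nothing" rule and returns the parsed maps.
func BuildUserNS(uidmap, gidmap string) (uids, gids []IDMapping, err error) {
	if uidmap == "" || gidmap == "" {
		return nil, nil, ErrIncomplete
	}
	u, err := ParseIDMapping(uidmap)
	if err != nil {
		return nil, nil, err
	}
	g, err := ParseIDMapping(gidmap)
	if err != nil {
		return nil, nil, err
	}
	return []IDMapping{u}, []IDMapping{g}, nil
}

// ToHost translates an in-namespace ID to the host ID that ps on the host
// would show. ok=false means no range covers the ID; the kernel then
// presents its overflow ID (65534 by default) for such IDs.
func ToHost(maps []IDMapping, nsID uint32) (hostID uint32, ok bool) {
	for _, m := range maps {
		if nsID >= m.ContainerID && nsID-m.ContainerID < m.Size {
			return m.HostID + (nsID - m.ContainerID), true
		}
	}
	return 0, false
}

// ProcMapLine renders the maps in the format of /proc/<pid>/uid_map and
// gid_map ("container-id host-id length"), the authoritative place on the
// host to verify that the namespace was really set up.
func ProcMapLine(maps []IDMapping) string {
	var b strings.Builder
	for _, m := range maps {
		fmt.Fprintf(&b, "%10d %10d %10d\n", m.ContainerID, m.HostID, m.Size)
	}
	return b.String()
}

func main() {
	// The question's first attempt: --uidmap only.
	if _, _, err := BuildUserNS("0:5000:4999", ""); err != nil {
		fmt.Println("first attempt:", err)
	}
	// The working command from the answer: both flags given.
	uids, gids, err := BuildUserNS("0:5000:4999", "0:5000:4999")
	if err != nil {
		panic(err)
	}
	for _, id := range []uint32{0, 1000, 4998, 4999} {
		h, ok := ToHost(uids, id)
		fmt.Printf("container uid %4d -> host uid %5d (mapped=%v)\n", id, h, ok)
	}
	fmt.Print("expected /proc/<pid>/uid_map:\n", ProcMapLine(uids))
	fmt.Print("expected /proc/<pid>/gid_map:\n", ProcMapLine(gids))
}
```

A length of 4999 starting at 0 covers container IDs 0 to 4998, so 4999 itself is unmapped. On a real host the check is `cat /proc/<pid>/uid_map` for the container's shell PID: it should match the `ProcMapLine` output, whereas `0 0 4294967295` is the identity map of the initial namespace and means no user namespace was created, which is exactly the situation the question hit with `--uidmap` alone.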
    
