Run container with containerd's ctr by means of uidmap to map to non-root user on the host
Question
To better understand how to use the --uidmap with ctr, I've created a test container by means of the following steps. The containerd version is 1.4.3.
- Build Dockerfile
$ cat Dockerfile
FROM alpine
ENTRYPOINT ["/bin/sh"]
and
$ docker build -t test .
Sending build context to Docker daemon 143.1MB
Step 1/2 : FROM alpine
---> d6e46aa2470d
Step 2/2 : ENTRYPOINT ["/bin/sh"]
---> Running in 560b09f9b287
Removing intermediate container 560b09f9b287
---> 8506bfeab109
Successfully built 8506bfeab109
Successfully tagged test:latest
$ docker save test > test.tar
- ctr import
$ sudo ctr i import test.tar
unpacking docker.io/library/test:latest (sha256:9f7dabf0e4feadbca9bdc180422a3f2cdd7b545445180a3c23de8129dc95f29b)...done
$ sudo ctr run --uidmap 0:5000:4999 docker.io/library/test:latest test
The uid map should map the container-internal uid 0 (root) to 5000, according to ctr's manpage:
--uidmap="": run inside a user namespace with the specified UID mapping range; specified with the format container-uid:host-uid:length
Check the UIDs in the container and on the host:
In the container:
ps -eo ruser,rgroup,comm
RUSER RGROUP COMMAND
root root sh
root root ps
On the host:
$ ps -eo uid,gid,cmd | grep /bin/sh
126 128 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/unity-greeter
0 0 /bin/sh
Issue
It seems not to work: /bin/sh runs as root (uid=0) within the container as well as on the host.
Accepted answer
I was searching for a while until I checked containerd's code and found this within cmd/ctr/commands/run/run_unix.go:
if uidmap, gidmap := context.String("uidmap"), context.String("gidmap"); uidmap != "" && gidmap != "" {
    uidMap, err := parseIDMapping(uidmap)
    if err != nil {
        return nil, err
    }
    gidMap, err := parseIDMapping(gidmap)
    if err != nil {
        return nil, err
    }
    // ... (excerpt; the block continues in run_unix.go)
which basically means: you have to provide both, the uidmap AND the gidmap, otherwise it won't work.
Running the above container again
$ sudo ctr run --uidmap 0:5000:4999 --gidmap 0:5000:4999 docker.io/library/test:latest test
it works!
In the container:
ps -eo ruser,rgroup,comm
RUSER RGROUP COMMAND
root root sh
root root ps
On the host:
$ ps -eo uid,gid,cmd | grep /bin/sh
126 128 /bin/sh /usr/lib/lightdm/lightdm-greeter-session /usr/sbin/unity-greeter
5000 5000 /bin/sh
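As an added illustration (this is not containerd's code and not part of the answer above), the following Go program re-implements the rule the quoted snippet enforces and shows what the mapping actually does. It parses ctr's container-id:host-id:length format, refuses to configure a user namespace unless both a uidmap and a gidmap are given, translates a container-side ID to the host ID it runs as, and also parses the whitespace-separated format of /proc/<pid>/uid_map so the result can be verified from the host. The names ParseIDMapping, UserNamespaceMappings, ToHost and ParseProcIDMap are assumptions of this example, and the uid_map content at the end is constructed, not captured from a real host.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// IDMapping describes one contiguous range: Size IDs starting at ContainerID
// inside the user namespace correspond to Size IDs starting at HostID on the host.
// (Same fields as an OCI LinuxIDMapping; defined locally so this runs stand-alone.)
type IDMapping struct {
	ContainerID uint32
	HostID      uint32
	Size        uint32
}

// parseTriple turns three decimal fields into an IDMapping, rejecting malformed
// or zero-length ranges. src is only used for error messages.
func parseTriple(fields []string, src string) (IDMapping, error) {
	if len(fields) != 3 {
		return IDMapping{}, fmt.Errorf("mapping %q: expected container-id, host-id and length", src)
	}
	var vals [3]uint32
	for i, f := range fields {
		v, err := strconv.ParseUint(f, 10, 32)
		if err != nil {
			return IDMapping{}, fmt.Errorf("mapping %q: invalid id %q: %w", src, f, err)
		}
		vals[i] = uint32(v)
	}
	if vals[2] == 0 {
		return IDMapping{}, fmt.Errorf("mapping %q: length must be at least 1", src)
	}
	return IDMapping{ContainerID: vals[0], HostID: vals[1], Size: vals[2]}, nil
}

// ParseIDMapping parses ctr's colon-separated "container-id:host-id:length" form
// (hypothetical re-implementation, not containerd's parseIDMapping).
func ParseIDMapping(mapping string) (IDMapping, error) {
	return parseTriple(strings.Split(mapping, ":"), mapping)
}

// ParseProcIDMap parses the contents of /proc/<pid>/uid_map or gid_map: one
// whitespace-separated "container host length" range per line.
func ParseProcIDMap(content string) ([]IDMapping, error) {
	var maps []IDMapping
	for _, line := range strings.Split(content, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		m, err := parseTriple(fields, line)
		if err != nil {
			return nil, err
		}
		maps = append(maps, m)
	}
	return maps, nil
}

// ErrIncompleteMapping is the condition the quoted ctr code silently skips: with only
// one of the two flags no user namespace is configured and the container keeps host uid 0.
var ErrIncompleteMapping = errors.New("both --uidmap and --gidmap are required; with only one of them no user namespace is configured")

// UserNamespaceMappings returns the uid and gid mappings only when both flags are set.
func UserNamespaceMappings(uidmap, gidmap string) (IDMapping, IDMapping, error) {
	if uidmap == "" || gidmap == "" {
		return IDMapping{}, IDMapping{}, ErrIncompleteMapping
	}
	u, err := ParseIDMapping(uidmap)
	if err != nil {
		return IDMapping{}, IDMapping{}, err
	}
	g, err := ParseIDMapping(gidmap)
	if err != nil {
		return IDMapping{}, IDMapping{}, err
	}
	return u, g, nil
}

// ToHost translates an ID seen inside the container to the host ID it runs as.
// IDs outside the range are unmapped: the kernel shows them as the overflow ID
// (65534 by default) and processes cannot switch to them or own files as them.
func (m IDMapping) ToHost(containerID uint32) (uint32, bool) {
	if containerID < m.ContainerID || containerID-m.ContainerID >= m.Size {
		return 0, false
	}
	return m.HostID + (containerID - m.ContainerID), true
}

func main() {
	// First the flags from the question (uidmap only), then the fixed command (both).
	for _, flags := range [][2]string{{"0:5000:4999", ""}, {"0:5000:4999", "0:5000:4999"}} {
		u, _, err := UserNamespaceMappings(flags[0], flags[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, cid := range []uint32{0, 4998, 4999} {
			if hid, ok := u.ToHost(cid); ok {
				fmt.Printf("container uid %d -> host uid %d\n", cid, hid)
			} else {
				fmt.Printf("container uid %d is not mapped (shown as the overflow id)\n", cid)
			}
		}
	}
	// Constructed /proc/<pid>/uid_map content as read from the host for the fixed command.
	maps, _ := ParseProcIDMap("         0       5000       4999\n")
	fmt.Printf("uid_map from the host: %+v\n", maps)
}
```

Note the edge of the range: 0:5000:4999 covers container uids 0 through 4998, so uid 4999 inside the container is unmapped and appears as the overflow id; a verification step from the host can compare the parsed uid_map against the uid shown by ps, as the answer does.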