Switching users inside Docker image to a non-root user


Question

I'm trying to switch user to the tomcat7 user in order to setup SSH certificates.

When I do su tomcat7, nothing happens.

whoami after doing su tomcat7

Doing a more /etc/passwd, I get the following result which clearly shows that a tomcat7 user exists:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
messagebus:x:101:104::/var/run/dbus:/bin/false
colord:x:102:105:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:103:106::/home/saned:/bin/false
tomcat7:x:104:107::/usr/share/tomcat7:/bin/false

What I'm trying to work around is this error in Hudson:

Command "git fetch -t git@________.co.za:_______/_____________.git +refs/heads/*:refs/remotes/origin/*" returned status code 128: Host key verification failed.

This is my Dockerfile. It takes an existing Hudson war file and config that is tarred and builds an image. Hudson runs fine; it just can't access git due to certificates not existing for user tomcat7.

FROM debian:wheezy

# install java on image
RUN apt-get update
RUN apt-get install -y openjdk-7-jdk tomcat7

# install hudson on image
RUN rm -rf /var/lib/tomcat7/webapps/*
ADD ./ROOT.tar.gz /var/lib/tomcat7/webapps/

# copy hudson config over to image
RUN mkdir /usr/share/tomcat7/.hudson
ADD ./dothudson.tar.gz /usr/share/tomcat7/
RUN chown -R tomcat7:tomcat7 /usr/share/tomcat7/

# add ssh certificates
RUN mkdir /root/.ssh
ADD ssh.tar.gz /root/

# install some dependencies
RUN apt-get update
RUN apt-get install -y maven
RUN apt-get install -y git
RUN apt-get install -y subversion

# background script
ADD run.sh /root/run.sh
RUN chmod +x /root/run.sh

# expose port 8080
EXPOSE 8080
CMD ["/root/run.sh"]

I'm using the latest version of Docker (Docker version 1.0.0, build 63fe64c/1.0.0), is this a bug in Docker or am I missing something in my Dockerfile?

Recommended answer

You should not use su in a Dockerfile; instead, you should use the USER instruction in the Dockerfile.

At each stage of the Dockerfile build, a new container is created so any change you make to the user will not persist on the next build stage.

For example:

RUN whoami
RUN su test
RUN whoami

This would never say the user would be test as a new container is spawned on the 2nd whoami. The output would be root on both (unless of course you run USER beforehand).

If you do:

RUN whoami
USER test
RUN whoami

You should see root then test.

Alternatively you can run a command as a different user with sudo with something like

sudo -u test whoami

But it seems better to use the officially supported instruction.
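A corrected Dockerfile for the asker's setup, added here as an example and not part of either the question or the answer: the SSH material goes into tomcat7's home (/usr/share/tomcat7 according to the /etc/passwd listing above) rather than /root, and USER tomcat7 switches both the remaining build steps and the container's process to that account, which su could not do across RUN steps (and for this user not even within one, since its login shell is /bin/false). It assumes ssh.tar.gz unpacks to a .ssh/ directory holding the private key and a known_hosts entry for the git host that was verified out of band, and that run.sh starts Tomcat directly rather than through the init script, which would need root.

```dockerfile
FROM debian:wheezy

# Install Java, Tomcat and the build tools in one layer.
RUN apt-get update && apt-get install -y openjdk-7-jdk tomcat7 maven git subversion

# Hudson webapp and config (same tarballs as the original Dockerfile).
RUN rm -rf /var/lib/tomcat7/webapps/*
ADD ./ROOT.tar.gz /var/lib/tomcat7/webapps/
ADD ./dothudson.tar.gz /usr/share/tomcat7/

# SSH key and known_hosts for the tomcat7 account, not root.
# Assumption: ssh.tar.gz extracts to .ssh/id_rsa and .ssh/known_hosts.
# ssh refuses a private key whose directory or file is group/world readable.
ADD ssh.tar.gz /usr/share/tomcat7/
RUN chown -R tomcat7:tomcat7 /usr/share/tomcat7 /var/lib/tomcat7/webapps \
 && chmod 700 /usr/share/tomcat7/.ssh \
 && chmod 600 /usr/share/tomcat7/.ssh/*

# Startup script lives outside /root so the non-root user can read it.
# Assumption: run.sh launches Tomcat directly (no root needed).
ADD run.sh /usr/local/bin/run.sh
RUN chmod 755 /usr/local/bin/run.sh

EXPOSE 8080

# From here on every instruction, and the container's main process, runs as tomcat7.
USER tomcat7

# Build-time check: this RUN prints "tomcat7", unlike any su-based attempt.
RUN whoami

CMD ["/usr/local/bin/run.sh"]
```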
