如何在 Docker 容器中以非 root 用户身份启动 crond? [英] How to start crond as non-root user in a Docker Container?

问题描述

我正在使用下面的 Dockerfile 和 entrypoint.sh.我需要以非 root 用户身份在容器中启动 crond 服务，但我得到 Permission denied.如何以非 root 用户身份启动 crond 服务?

I am using the below Dockerfile and entrypoint.sh. I need to start the crond service in the container as a non-root user but I get Permission denied. How do I start the crond service as a non-root user?

我需要在 Dockerfile 中有 USER，因为它是我的 Openshift 3 平台中的强制性管理设置.

I need have USER in Dockerfile as it is a mandatory admin setting in my Openshift 3 Platform.

Dockerfile

FROM centos:centos7.4.1708
RUN yum update -y && yum install -y cronie && rm -rf /var/lib/apt/lists/*
RUN cd / && mkdir /code
ADD entrypoint.sh /code/
RUN chmod -R 755 /code/entrypoint.sh
ENTRYPOINT ["/code/entrypoint.sh"]
RUN useradd -l -u 1001510000 -c "1001510000" 1001510000
USER 1001510000
CMD ["top"]

entrypoint.sh

#!/bin/bash
echo "in the entrypoint!"
echo "executing id"
id
echo "executing crond start"
crond start
echo "executing $@"
$@

错误输出

in the entrypoint!
executing id
uid=1001510000(1001510000) gid=1000(1001510000) groups=1000(1001510000)
executing crond start
crond: can't open or create /var/run/crond.pid: Permission denied
executing top

推荐答案

首先 crond 必须代表其他用户调用命令.如果没有 root 运行，它怎么能做到这一点?即使您以某种方式与该用户一起运行这个恶魔进程，它也很可能缺乏其他权限来运行某些命令.

First of all crond has to invoke commands on behalf of other users. How could it do that without being run by root? Even if somehow you will run this demon process with this user there is a high probability that it will lack other permissions in order to run certain commands.

但我想你可以试试，也许这会有所帮助:

您的用户根本没有如错误日志所说的权限.如果您想尝试以非 root 用户身份运行，请创建组让我们说 crond-users 并更改 /var/run/crond.pid 组从 root 到 crond-users.最后但并非最不重要的一点是将您的用户添加到 crond-users 组.像这样:

Your user simply doesn't have permissions as error log says. If you want to try run as non-root user create group lets say crond-users and change /var/run/crond.pid group from root to crond-users. Last but not least add your user to crond-users group. Like so:

RUN groupadd crond-users && 
    chgrp crond-users /var/run/crond.pid && 
    usermod -a -G crond-users 1001510000

命中 1

此外，docker 默认入口点是 /bin/bash -c 但没有默认命令.所以你的 Dockerfile 可能看起来像这样:

Moreover, docker default entrypoint is /bin/bash -c but does not have a default command. So your Dockerfile could look like this:

FROM centos:centos7.4.1708
RUN yum update -y && yum install -y cronie && rm -rf /var/lib/apt/lists/* && 
    cd / && mkdir /code && 
    chmod -R 755 /code/entrypoint.sh && 
    useradd -l -u 1001510000 -c "1001510000" 1001510000 && 
    addgroup crond-users && 
    chgrp crond-users /var/run/crond.pid && 
    usermod -a -G crond-users 1001510000

ADD entrypoint.sh /code/
USER 1001510000

CMD ["/code/entrypoint.sh", "top"]

提示 2.

尽量避免多次使用相同的 Dockerfile 指令(在您的情况下，您有 4 次运行).每条指令都是以后构建映像中的一个单独层.这就是众所周知的Dockerfile 最佳实践.

Try avoiding using multiple times the same Dockerfile instruction (In your case you had 4x RUN). Each instruction is a separate layer in later build image. This is known Dockerfile best practice.

最小化层数 在旧版本的 Docker 中，它是重要的是您最小化图像中的层数以确保它们的性能良好.添加了以下功能减少这个限制:

Minimize the number of layers In older versions of Docker, it was important that you minimized the number of layers in your images to ensure they were performant. The following features were added to reduce this limitation:

在 Docker 1.10 及更高版本中，只有指令 RUN、COPY、ADD create层.其他指令创建临时中间映像，以及不要直接增加构建的大小.

In Docker 1.10 and higher, only the instructions RUN, COPY, ADD create layers. Other instructions create temporary intermediate images, and do not directly increase the size of the build.

这篇关于如何在 Docker 容器中以非 root 用户身份启动 crond?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！