如何在 Docker 容器中以非 root 用户身份启动 crond? [英] How to start crond as non-root user in a Docker Container?
问题描述
我正在使用下面的 Dockerfile
和 entrypoint.sh
.我需要以非 root 用户身份在容器中启动 crond
服务,但我得到 Permission denied
.如何以非 root 用户身份启动 crond
服务?
I am using the below Dockerfile
and entrypoint.sh
. I need to start the crond
service in the container as a non-root user but I get Permission denied
. How do I start the crond
service as a non-root user?
我需要在 Dockerfile
中有 USER
,因为它是我的 Openshift 3 平台中的强制性管理设置.
I need have USER
in Dockerfile
as it is a mandatory admin setting in my Openshift 3 Platform.
Dockerfile
FROM centos:centos7.4.1708
RUN yum update -y && yum install -y cronie && rm -rf /var/lib/apt/lists/*
RUN cd / && mkdir /code
ADD entrypoint.sh /code/
RUN chmod -R 755 /code/entrypoint.sh
ENTRYPOINT ["/code/entrypoint.sh"]
RUN useradd -l -u 1001510000 -c "1001510000" 1001510000
USER 1001510000
CMD ["top"]
entrypoint.sh
#!/bin/bash
echo "in the entrypoint!"
echo "executing id"
id
echo "executing crond start"
crond start
echo "executing $@"
$@
错误输出
in the entrypoint!
executing id
uid=1001510000(1001510000) gid=1000(1001510000) groups=1000(1001510000)
executing crond start
crond: can't open or create /var/run/crond.pid: Permission denied
executing top
推荐答案
首先 crond
必须代表其他用户调用命令.如果没有 root
运行,它怎么能做到这一点?即使您以某种方式与该用户一起运行这个恶魔进程,它也很可能缺乏其他权限来运行某些命令.
First of all crond
has to invoke commands on behalf of other users. How could it do that without being run by root
? Even if somehow you will run this demon process with this user there is a high probability that it will lack other permissions in order to run certain commands.
但我想你可以试试,也许这会有所帮助:
您的用户根本没有如错误日志所说的权限.如果您想尝试以非 root 用户身份运行,请创建组让我们说 crond-users
并更改 /var/run/crond.pid
组从 root
到 crond-users
.最后但并非最不重要的一点是将您的用户添加到 crond-users
组.像这样:
Your user simply doesn't have permissions as error log says. If you want to try run as non-root user create group lets say crond-users
and change /var/run/crond.pid
group from root
to crond-users
. Last but not least add your user to crond-users
group.
Like so:
RUN groupadd crond-users &&
chgrp crond-users /var/run/crond.pid &&
usermod -a -G crond-users 1001510000
命中 1
此外,docker 默认入口点是 /bin/bash -c
但没有默认命令.所以你的 Dockerfile 可能看起来像这样:
Moreover, docker default entrypoint is /bin/bash -c
but does not have a default command. So your Dockerfile could look like this:
FROM centos:centos7.4.1708
RUN yum update -y && yum install -y cronie && rm -rf /var/lib/apt/lists/* &&
cd / && mkdir /code &&
chmod -R 755 /code/entrypoint.sh &&
useradd -l -u 1001510000 -c "1001510000" 1001510000 &&
addgroup crond-users &&
chgrp crond-users /var/run/crond.pid &&
usermod -a -G crond-users 1001510000
ADD entrypoint.sh /code/
USER 1001510000
CMD ["/code/entrypoint.sh", "top"]
提示 2.
尽量避免多次使用相同的 Dockerfile 指令(在您的情况下,您有 4 次运行).每条指令都是以后构建映像中的一个单独层.这就是众所周知的Dockerfile 最佳实践.
Try avoiding using multiple times the same Dockerfile instruction (In your case you had 4x RUN). Each instruction is a separate layer in later build image. This is known Dockerfile best practice.
最小化层数 在旧版本的 Docker 中,它是重要的是您最小化图像中的层数以确保它们的性能良好.添加了以下功能减少这个限制:
Minimize the number of layers In older versions of Docker, it was important that you minimized the number of layers in your images to ensure they were performant. The following features were added to reduce this limitation:
在 Docker 1.10 及更高版本中,只有指令 RUN、COPY、ADD create层.其他指令创建临时中间映像,以及不要直接增加构建的大小.
In Docker 1.10 and higher, only the instructions RUN, COPY, ADD create layers. Other instructions create temporary intermediate images, and do not directly increase the size of the build.
这篇关于如何在 Docker 容器中以非 root 用户身份启动 crond?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!