Docker using gosu vs USER


Question

Docker kind of always had a USER command to run a process as a specific user, but in general a lot of things had to run as ROOT.

I have seen a lot of images that use an ENTRYPOINT with gosu to de-elevate the process to run.

I'm still a bit confused about the need for gosu. Shouldn't USER be enough?

I know quite a bit has changed in terms of security with Docker 1.10, but I'm still not clear about the recommended way to run a process in a docker container.

Can someone explain when I would use gosu vs. USER?

Thanks

The Docker best practice guide is not very clear: It says if the process can run without privileges, use USER, if you need sudo, you might want to use gosu. That is confusing because one can install all sorts of things as ROOT in the Dockerfile, then create a user and give it proper privileges, then finally switch to that user and run the CMD as that user. So why would we need sudo or gosu then?

Answer

Dockerfiles are for creating images. I see gosu as more useful as part of a container initialization when you can no longer change users between run commands in your Dockerfile.

After the image is created, something like gosu allows you to drop root permissions at the end of your entrypoint inside of a container. You may initially need root access to do some initialization steps (fixing uids, host mounted volume permissions, etc). Then once initialized, you run the final service without root privileges and as pid 1 to handle signals cleanly.

Here's a simple example of using gosu in an image for docker and jenkins: https://github.com/bmitch3020/jenkins-docker

The entrypoint.sh looks up the gid of the /var/lib/docker.sock file and updates the gid of the docker user inside the container to match. This allows the image to be ported to other docker hosts where the gid on the host may differ. Changing the group requires root access inside the container. Had I used USER jenkins in the dockerfile, I would be stuck with the gid of the docker group as defined in the image which wouldn't work if it doesn't match that of the docker host it's running on. But root access can be dropped when running the app which is where gosu comes in.

At the end of the script, the exec call prevents the shell from forking gosu, and instead it replaces pid 1 with that process. Gosu in turn does the same, switching the uid and then exec'ing the jenkins process so that it takes over as pid 1. This allows signals to be handled correctly which would otherwise be ignored by a shell as pid 1.
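The pattern the answer describes (root-only gid fix-up, then exec into gosu so the service runs unprivileged as pid 1), written out as an added example entrypoint; this is not the linked repository's script, and the user name `jenkins`, group name `docker`, the `DOCKER_SOCK` path and the `groupmod` dependency are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical entrypoint.sh (added illustration, not the linked repo's script).
# Assumes a non-root APP_USER and an APP_GROUP exist in the image, that gosu and
# groupmod (shadow-utils) are installed, and that the host socket is bind-mounted.
set -eu

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
APP_USER="${APP_USER:-jenkins}"
APP_GROUP="${APP_GROUP:-docker}"

# Numeric gid owning a path (GNU/busybox stat; BSD stat would use `stat -f %g`).
path_gid() { stat -c '%g' "$1"; }

# Numeric gid of a named group in the image's /etc/group; empty if absent.
group_gid() { awk -F: -v g="$1" '$1 == g { print $3; exit }' /etc/group; }

# Decide the root-only step: "skip" if the socket is not mounted, "match" if
# the image's group already has the host's gid, "remap" if it must be changed.
plan_group_fix() {
    sock="$1"; group="$2"
    [ -e "$sock" ] || { echo skip; return 0; }
    if [ "$(path_gid "$sock")" = "$(group_gid "$group")" ]; then
        echo match
    else
        echo remap
    fi
}

# Requires root: align the in-image group's gid with the mounted socket so
# APP_USER keeps access whichever gid the docker group has on this host.
fix_group() {
    if [ "$(plan_group_fix "$DOCKER_SOCK" "$APP_GROUP")" = remap ]; then
        groupmod -g "$(path_gid "$DOCKER_SOCK")" "$APP_GROUP"
    fi
}

main_entry() {
    if [ "$(id -u)" = 0 ]; then
        fix_group
        # exec replaces this shell (pid 1) with gosu; gosu switches uid/gid and
        # execs the service, which then receives signals directly as pid 1.
        exec gosu "$APP_USER" "$@"
    fi
    # Already non-root (e.g. `docker run --user`): nothing to fix, just run.
    exec "$@"
}

# Act as the entrypoint only when installed under that name; otherwise the
# functions above can be sourced and exercised on their own.
case "$0" in */entrypoint.sh|entrypoint.sh) main_entry "$@" ;; esac
```

In the image this pairs with `ENTRYPOINT ["/entrypoint.sh"]` and a `CMD` naming the service, so the Dockerfile never needs a `USER` line and root is still gone by the time the service starts.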
