Running app inside Docker as non-root user


Question



After yesterday's news of Shocker, it seems like apps inside a Docker container should not be run as root. I tried to update my Dockerfile to create an app user; however, changing permissions on app files (while still root) doesn't seem to work. I'm guessing this is because some LXC permission is not being granted to the root user maybe?

Here's my Dockerfile:

# Node.js app Docker file

FROM dockerfile/nodejs
MAINTAINER Thom Nichols "thom@thomnichols.org"

RUN useradd -ms /bin/bash node

ADD . /data
# This next line doesn't seem to have any effect:
RUN chown -R node /data 

ENV HOME /home/node
USER node

RUN cd /data && npm install

EXPOSE 8888

WORKDIR /data

CMD ["npm", "start"]

Pretty straightforward, but when I ls -l everything is still owned by root:

[ node@ed7ae33e76e1:/data {docker-nonroot-user} ]$ ls -l /data
total 64K
-rw-r--r--  1 root root  383 Jun 18 20:32 Dockerfile
-rw-r--r--  1 root root  862 Jun 18 16:23 Gruntfile.js
-rw-r--r--  1 root root 1.2K Jun 18 15:48 README.md
drwxr-xr-x  4 root root 4.0K May 30 14:24 assets/
-rw-r--r--  1 root root  416 Jun  3 14:22 bower.json
-rw-r--r--  1 root root  930 May 30 01:50 config.js
drwxr-xr-x  4 root root 4.0K Jun 18 16:08 lib/
drwxr-xr-x 42 root root 4.0K Jun 18 16:04 node_modules/
-rw-r--r--  1 root root 2.0K Jun 18 16:04 package.json
-rw-r--r--  1 root root  118 May 30 18:35 server.js
drwxr-xr-x  3 root root 4.0K May 30 02:17 static/
drwxr-xr-x  3 root root 4.0K Jun 18 20:13 test/
drwxr-xr-x  3 root root 4.0K Jun  3 17:38 views/


My updated dockerfile works great thanks to @creak's clarification of how volumes work. Once the initial files are chowned, npm install is run as the non-root user. And thanks to a postinstall hook, npm runs bower install && grunt assets which takes care of the remaining install steps and avoids any need to npm install -g any node cli tools like bower, grunt or coffeescript.

Solution

This one is a bit tricky; it is actually due to the image you start from.

If you look at the source, you notice that /data/ is a volume. So everything you do in the Dockerfile will be discarded and overridden at runtime by the volume that gets mounted then.

You can chown at runtime by changing your CMD to something like CMD chown -R node /data && npm start.
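An added check, not part of the question or the answer above, that catches this trap before the image is built: it flags ADD/COPY/RUN instructions whose target sits under a path the base image already declares as a VOLUME, since whatever those layers write there is hidden by the anonymous volume mounted over it at run time. It assumes a POSIX shell with awk, and that the base image's volume list was obtained separately (for instance with docker image inspect).

```shell
#!/bin/sh
# Added example (not from the original post): report Dockerfile instructions that
# write under a path the base image declares as a VOLUME. Build-time chown/ADD/COPY
# into such a path only lands in the image layer, which the volume shadows at run
# time; that is why "RUN chown -R node /data" had no visible effect in the question.
#
# The base image's declared volumes can be listed with (assumes the docker CLI):
#   docker image inspect --format '{{json .Config.Volumes}}' dockerfile/nodejs

check_volume_shadowing() {
    # $1: path to a Dockerfile; $2: space-separated volume paths, e.g. "/data /var/log"
    # Prints one line per offending instruction; returns 1 if any were found, else 0.
    awk -v vols="$2" '
        BEGIN { n = split(vols, v, " ") }
        /^[ \t]*(ADD|COPY|RUN)[ \t]/ {
            for (i = 2; i <= NF; i++) {
                tok = $i
                sub(/[;&|]+$/, "", tok)      # drop trailing shell operators such as "&&"
                for (j = 1; j <= n; j++) {
                    if (tok == v[j] || index(tok, v[j] "/") == 1) {
                        printf "line %d: %s targets %s inside base-image volume %s; discarded at run time\n", NR, $1, tok, v[j]
                        hits++
                        next
                    }
                }
            }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Demo on a constructed Dockerfile mirroring the one in the question.
demo_dockerfile=$(mktemp)
cat > "$demo_dockerfile" <<'EOF'
FROM dockerfile/nodejs
RUN useradd -ms /bin/bash node
ADD . /data
RUN chown -R node /data
ENV HOME /home/node
USER node
RUN cd /data && npm install
WORKDIR /data
CMD ["npm", "start"]
EOF
check_volume_shadowing "$demo_dockerfile" "/data" \
    || echo "fix: copy the app to a path outside the declared volume, or chown at run time"
rm -f "$demo_dockerfile"
```

For the Dockerfile in the question it reports the ADD, the chown and the npm install lines, all three of which target /data.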
