如何在Docker Docker中以非root用户身份运行Docker命令？ [英] How to run Docker commands as non-root user in Docker in Docker?

问题描述

我有以下Docker文件：

I have the following Dockerfile:

FROM docker

RUN addgroup docker && \
    adduser -DH demo && \
    addgroup demo docker

CMD /bin/sh

在此图像中，我创建一个名为demo的用户，然后将其添加到名为docker的组中。这几乎是如何设置完整的环境，以便非root /非sudo用户可以发出docker命令。但是，它对我来说并不奏效。我失踪了什么我尝试将用户和组（通过用户和组ID）映射到主机系统上的用户，但仍然没有工作。我在Docker for Mac Beta（1.12.0-rc3-beta18）中运行这个。

In this image, I'm creating a user called demo, which is then added to a group called docker. This is pretty much how full fledged environments are set up so that non-root/non-sudo users can issue docker commands. However, it doesn't work for me. What am I missing? I tried mapping the user and groups (via user, and group id's) to the user on the host system, but it still didn't work. I'm running this in Docker for Mac Beta (1.12.0-rc3-beta18).

推荐答案

这是一个扩展问题的评论。

This is an extension to the problem's comment.

所以OP的用例是通过使用docker内的 docker来调查持续的集成环境架构或方法，如果你喜欢。

So OP's use-case is about investigating a continuous integration environment through using the docker within docker architecture, or approach if you like.

从docker的官方博客发布嵌套容器，是，可以做到这一点，正如jpetazzo进一步解释的那样，嵌套的先驱者集装箱概念;为了使架构正常工作，可能需要大量的黑客工作，因为嵌套架构不完美主要是由于以下缺点：

From docker's official blog posting for nested containers, yes this can be done however, as explained further by jpetazzo, a pioneer contributor to the nested container concept; to get the architecture to work properly a significant amount of hackie effort might be needed as the nesting architecture is not perfect mainly due to the following disadvantages;

示例：

1 - 安全配置文件

1 - Security profile

启动容器时， 内部Docker可能会尝试应用
安全配置文件，这将会冲突或混淆外部Docker。

When starting a container, the "inner Docker" might try to apply security profiles that will conflict or confuse the "outer Docker."

2 - 存储

第二个问题与存储驱动程序相关联。当您在
Docker中运行Docker时，外部Docker运行在正常文件系统（EXT4，
BTRFS，您有什么）之上，但内部Docker运行在
副本之上写入系统（AUFS，BTRFS，Device Mapper等，取决于
外部Docker的设置使用）。有很多组合
将不起作用。
2
3 - 难以在子容器中重复使用图像

The second issue is linked to storage drivers. When you run Docker in Docker, the outer Docker runs on top of a normal filesystem (EXT4, BTRFS, what have you) but the inner Docker runs on top of a copy-on-write system (AUFS, BTRFS, Device Mapper, etc., depending on what the outer Docker is setup to use). There are many combinations that won’t work. 2 3 - Difficult to reuse images in child containers

构建缓存怎么样？那个也可以变得很棘手。
人们经常问我：我在Docker-in-Docker里跑;我如何使用位于我的主机上的
图像，而不是再次在我的
内部的Docker中拉一切？

And what about the build cache? That one can get pretty tricky too. People often ask me, "I’m running Docker-in-Docker; how can I use the images located on my host, rather than pulling everything again in my inner Docker?"

Q）可能解决这个问题？

A：我猜想OP正在试验的原因使用嵌套的容器架构，可以使用容器作为某种形式的根，然后通过docker命令来编排其子容器？

A: I guess the reason why OP was experimenting with a nested container architecture was so that he can use a container, as some form of root, then orchestrate its child containers through docker commands?

如果这是想法，那么这仍然可以通过标准的非嵌套方式实现。也就是说，不是将流式邮件发送到主机实例，而是将其发送回主机实例，让主机实例为您创建root容器。例;使用docker REST api从容器发送docker命令。

If that is the idea then this is still achievable through the standard non-nested way. That is, instead of sending docker commands down the stream, you send it back to the host instance and let the host instance do the command for you the root container instead. Example; use docker REST api to send docker commands from a container.

这篇关于如何在Docker Docker中以非root用户身份运行Docker命令？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！