[英]Switching users inside Docker image to a non-root user
I'm trying to switch user to the tomcat7 user in order to setup SSH certificates.我正在尝试将用户切换到 tomcat7 用户以设置 SSH 证书。
When I do su tomcat7
, nothing happens.当我执行
su tomcat7
,没有任何反应。
whoami
still ruturns root after doing su tomcat7
执行
su tomcat7
后whoami
仍然 ruturns root
Doing a more /etc/passwd
, I get the following result which clearly shows that a tomcat7 user exists:执行
more /etc/passwd
,我得到以下结果,清楚地表明存在 tomcat7 用户:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
messagebus:x:101:104::/var/run/dbus:/bin/false
colord:x:102:105:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:103:106::/home/saned:/bin/false
tomcat7:x:104:107::/usr/share/tomcat7:/bin/false
What I'm trying to work around is this error in Hudson:我试图解决的是 Hudson 中的这个错误:
Command "git fetch -t git@________.co.za:_______/_____________.git +refs/heads/*:refs/remotes/origin/*" returned status code 128: Host key verification failed.
This is my Dockerfile, it takes an existing hudson war file and config that is tarred and builds an image, hudson runs fine, it just can't access git due to certificates not existing for user tomcat7.这是我的 Dockerfile,它需要一个现有的 hudson 战争文件和配置,该文件被压缩并构建一个映像,hudson 运行良好,但由于用户 tomcat7 的证书不存在,它无法访问 git。
FROM debian:wheezy
# install java on image
RUN apt-get update
RUN apt-get install -y openjdk-7-jdk tomcat7
# install hudson on image
RUN rm -rf /var/lib/tomcat7/webapps/*
ADD ./ROOT.tar.gz /var/lib/tomcat7/webapps/
# copy hudson config over to image
RUN mkdir /usr/share/tomcat7/.hudson
ADD ./dothudson.tar.gz /usr/share/tomcat7/
RUN chown -R tomcat7:tomcat7 /usr/share/tomcat7/
# add ssh certificates
RUN mkdir /root/.ssh
ADD ssh.tar.gz /root/
# install some dependencies
RUN apt-get update
RUN apt-get install --y maven
RUN apt-get install --y git
RUN apt-get install --y subversion
# background script
ADD run.sh /root/run.sh
RUN chmod +x /root/run.sh
# expose port 8080
EXPOSE 8080
CMD ["/root/run.sh"]
I'm using the latest version of Docker (Docker version 1.0.0, build 63fe64c/1.0.0), is this a bug in Docker or am I missing something in my Dockerfile?我正在使用最新版本的 Docker(Docker 版本 1.0.0,构建 63fe64c/1.0.0),这是 Docker 中的错误还是我的 Dockerfile 中缺少某些内容?
You should not use su
in a dockerfile , however you should use the USER
instruction in the Dockerfile.你不应该在dockerfile 中使用
su
,但是你应该在 Dockerfile 中使用USER
指令。
At each stage of the Dockerfile build, a new container is created so any change you make to the user will not persist on the next build stage.在Dockerfile构建的每个阶段,都会创建一个新容器,因此您对用户所做的任何更改都不会保留在下一个构建阶段。
For example:例如:
RUN whoami
RUN su test
RUN whoami
This would never say the user would be test
as a new container is spawned on the 2nd whoami.这永远不会说用户将在第二个 whoami 上生成一个新容器时进行
test
。 The output would be root on both (unless of course you run USER beforehand).两者的输出都是 root(当然,除非您事先运行 USER)。
If however you do:但是,如果您这样做:
RUN whoami
USER test
RUN whoami
You should see root
then test
.你应该看到
root
然后test
。
Alternatively you can run a command as a different user with sudo with something like或者,您可以使用 sudo 以其他用户身份运行命令,例如
sudo -u test whoami
But it seems better to use the official supported instruction.但是使用官方支持的指令似乎更好。
As a different approach to the other answer, instead of indicating the user upon image creation on the Dockerfile, you can do so via command-line on a particular container as a per-command basis.作为另一个答案的不同方法,您可以通过特定容器上的命令行作为每个命令的基础,而不是在 Dockerfile 上创建图像时指示用户。
With docker exec
, use --user
to specify which user account the interactive terminal will use (the container should be running and the user has to exist in the containerized system):使用
docker exec
,使用--user
指定交互式终端将使用哪个用户帐户(容器应该正在运行并且用户必须存在于容器化系统中):
docker exec -it --user [username] [container] bash
See https://docs.docker.com/engine/reference/commandline/exec/见https://docs.docker.com/engine/reference/commandline/exec/
In case you need to perform privileged tasks like changing permissions of folders you can perform those tasks as a root user and then create a non-privileged user and switch to it.如果您需要执行特权任务,例如更改文件夹的权限,您可以以 root 用户身份执行这些任务,然后创建一个非特权用户并切换到该用户。
FROM <some-base-image:tag>
# Switch to root user
USER root # <--- Usually you won't be needed it - Depends on base image
# Run privileged command
RUN apt install <packages>
RUN apt <privileged command>
# Set user and group
ARG user=appuser
ARG group=appuser
ARG uid=1000
ARG gid=1000
RUN groupadd -g ${gid} ${group}
RUN useradd -u ${uid} -g ${group} -s /bin/sh -m ${user} # <--- the '-m' create a user home directory
# Switch to user
USER ${uid}:${gid}
# Run non-privileged command
RUN apt <non-privileged command>
You should also be able to do:您还应该能够:
apt install sudo
sudo -i -u tomcat
Then you should be the tomcat user.那么你应该是 tomcat 用户。 It's not clear which Linux distribution you're using, but this works with Ubuntu 18.04 LTS, for example.
目前尚不清楚您使用的是哪个 Linux 发行版,但这适用于 Ubuntu 18.04 LTS,例如。
There's no real way to do this.没有真正的方法可以做到这一点。 As a result, things like mysqld_safe fail, and you can't install mysql-server in a Debian docker container without jumping through 40 hoops because.. well... it aborts if it's not root.
结果,诸如 mysqld_safe 之类的事情失败了,并且您无法在 Debian docker 容器中安装 mysql-server 而不跳过 40 圈,因为……好吧……如果它不是 root,它就会中止。
You can use USER, but you won't be able to apt-get install if you're not root.您可以使用 USER,但如果您不是 root,您将无法 apt-get install。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.