从Docker容器中以不同用户身份运行命令/脚本
[英]Run Commands/Scripts as Different User from within Docker Container
问题描述
First off, I know this may not be the most "containerized" solution to a problem. 
首先,我知道这可能不是问题的最“容器化”解决方案。 At this point though, I am wondering if I will have to scrap what I have so far or if I can make this work. 不过,在这一点上,我想知道我是否必须放弃目前的工作,或者是否可以进行这项工作。
I need to move files between servers and back them up. 我需要在服务器之间移动文件并备份它们。 I currently have a script which does that. 我目前有一个脚本可以做到这一点。 The user I run this script as has keys to all the servers and thus rsync'ing from server to server is no issue for this script. 我运行此脚本的用户具有所有服务器的密钥,因此该脚本在服务器之间进行rsync同步是没有问题的。
I am now creating a webservice that users can ping to move their files securely and with a backup. 我现在正在创建一个Web服务,用户可以Ping安全地移动其文件并进行备份。 This prevents them having to contact me to run the script, and will allow for integration with some workflow software later on. 这样可以避免他们与我联系以运行脚本,并且以后可以与某些工作流程软件集成。
However, my docker container which catches the http request to the webservice will not have keys to everywhere and thus cannot run the script successfully. 但是,我的docker容器捕获到Web服务的http请求时,不会在任何地方都有密钥,因此无法成功运行脚本。 I am looking for a solution that will allow me to run this script while also having a webservice that users can make requests to. 我正在寻找一种解决方案,使我可以运行此脚本,同时还具有用户可以向其发出请求的Web服务。 My original hope was for the route to basically pass on args and run the script. 我最初的希望是该路由基本上传递args并运行脚本。
I don't know the feasability of the following ideas, but they are the two thoughts I have had so far. 我不知道以下想法的可行性,但这是我到目前为止的两个想法。
- Run the docker container as my user which has keys everywhere 以我的用户身份运行Docker容器,该容器随处可见密钥
- Give the docker keys to everywhere on startup 在启动时将Docker密钥提供给任何地方
Would anyone have any suggestions on how to do the above or a possible solution to the problem? 有人会对上述方法或对该问题的可能解决方案有任何建议吗?
Feel free to ask more questions as I know it is a weird issue. 随时问更多问题,因为我知道这是一个奇怪的问题。 Thanks in advance for any help! 在此先感谢您的帮助!
1 个解决方案
解决方案1
1 已采纳 2017-10-02 23:18:32
We can't get around the fact that something will need the keys if we're going to manually run the transfer over SSH. 如果我们要通过SSH手动运行传输,我们将无法避免某些东西需要密钥的事实。 Similar to "give the docker keys to everywhere on startup", we could bind-mount the keys into the container as a volume: 类似于“在启动时将docker密钥提供给任何地方”,我们可以将密钥作为卷绑定安装到容器中:
$ docker run -d -v /host/path/to/keys:/container/path/to/keys:ro image command ...
This gives the container read-only access to the keys on the host. 这使容器对主机上的密钥具有只读访问权限。 It also lets us update the keys on the host when needed without needing to restart the container. 它还使我们可以在需要时更新主机上的密钥,而无需重新启动容器。
We could get fancy with this by storing keys in a dedicated secrets storage service, and the container can fetch the keys when needed, but for this simple use case, I don't see the need to build more complexity than necessary. 我们可以通过将密钥存储在专用机密存储服务中来实现此目的,并且容器可以在需要时获取密钥,但是对于这个简单的用例,我认为不需要构建比必要的复杂性。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.