[英]Can you start a process inside a Docker container as root, while having the default user of an exec call be non-root?
I'm basically trying to run crond -f
as root, while having the default user be something different. 我基本上试图以root身份运行
crond -f
,而默认用户则不同。
Since the crontabs it runs use sensitive information from other files on the image, I want to give root access to these files, start the crond process, then switch the user to a newly created one. 由于它运行的crontabs使用来自映像上其他文件的敏感信息,我想对这些文件进行root访问,启动crond进程,然后将用户切换到新创建的文件。 This way the cronjobs will be able to get the information they need, while securing the sensitive files in the container from anyone who may get exec access.
通过这种方式,cronjobs将能够获得所需的信息,同时保护容器中的敏感文件免受任何可能获得exec访问权限的人的攻击。
have tried a couple things like this: 尝试过这样的事情:
USER root
CMD ["./runCrons.sh"]
USER newuser
But this does not run the crond process as root, but as newuser. 但这并不是以root身份运行crond进程,而是以newuser身份运行。
If anyone has a solution it would save me some digging and experimentation. 如果有人有解决方案,它将节省我一些挖掘和实验。
While building the Docker image, create a user which belongs to sudo group and is allowed to run all sudo commands without a password. 在构建Docker镜像时,创建属于sudo组的用户,并允许在没有密码的情况下运行所有sudo命令。
Consider the below example which creates a docker image called test with user named myuser with sudo pass: 考虑下面的示例,它创建一个名为test的docker镜像,用户名为myuser with sudo pass:
$ cat Dockerfile
FROM debian:latest
ENV user_name myuser
RUN apt-get update
RUN apt-get install -y sudo
RUN useradd --create-home -s /bin/bash ${user_name}
RUN echo "${user_name} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${user_name}
WORKDIR /home/${user_name}
USER ${user_name}
CMD /bin/bash
Then build the image: 然后构建图像:
docker build -t test
. docker build -t test
。
Now to fix cron permissions issues for standard user, make sure all commands used on cron scripts start with sudo, like below. 现在要修复标准用户的cron权限问题,确保cron脚本上使用的所有命令都以sudo开头,如下所示。
CMD ["sudo ./runCrons.sh"]
Since no password is expected when using sudo, everything should execute fine and you should be good to go. 由于使用sudo时不需要密码,所以一切都应该执行得很好,你应该好好去。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.