[英]how to modify /etc/resolv.conf as non root user in docker file or as script
Based on best practice and recommendation we should always run docker container as non root user for security reason. 基于最佳实践和建议,出于安全原因,我们应始终以非root用户身份运行docker容器。 While doing so I am facing one issue where I have to override /etc/resolv.conf file with domain name.
这样做时,我面临一个问题,我必须用域名覆盖/etc/resolv.conf文件。 I am appending domain name in resolv.conf file via script eg env.sh (I am calling this script as eg The Dockefile has following command
我通过脚本(例如env.sh)在resolv.conf文件中添加域名(我称该脚本为例如Dockefile具有以下命令
from dabian:latest
...
...
ENTRYPOINT[env.sh]
The script env.sh
simply append domain name based on environment eg dev/qa/prod etc. 脚本
env.sh
只是根据环境附加域名,例如dev / qa / prod等。
If I run docker container as root user there is no problem as the resolv.conf will get updated with appropriate domain name map (based on environment profile) but if I add non root user (in docker file ) and use the user and call ENTRYPOINT[evn.sh]
, the resolv.conf file will not get updated. 如果我以root用户身份运行docker容器,则没有问题,因为resolv.conf将使用适当的域名映射(基于环境配置文件)进行更新,但是如果我添加非root用户(在
ENTRYPOINT[evn.sh]
file中)并使用该用户并调用ENTRYPOINT[evn.sh]
, resolv.conf文件将不会更新。
Is it because the files like hosts or resolv.conf inside docker get always override by host configuration and only root are allowed to modify these file (which apparently looks like). 是因为docker内部的hosts或resolv.conf之类的文件总是被主机配置覆盖,并且只允许root用户修改这些文件(看起来像这样)。
My question is , Is it possible to do same as non root user or is there a way to grant non root user just enough permission to modify resolv.conf and yet run as non root user (may be scoping or limiting user privilege to just modify resolv.conf ) ? 我的问题是,是否可以与非root用户做同样的事情,或者有没有办法授予非root用户足够的权限来修改resolv.conf并以非root用户身份运行(可能是为了限制或限制用户权限以仅修改resolv.conf)吗? Has anyone come across this scenario ?
有没有人遇到这种情况?
you have two options: 您有两种选择:
run your container
as root
and run your application
using another user in your ENTRYPOINT
using: 以
root
用户身份运行container
,并使用ENTRYPOINT
另一个用户使用以下命令运行application
:
runuser -l YOUR_USER -c "COMMAND_TO_RUN"
or setting up passwordless sudo
and assign the user to it , something like this in Dockerfile
: 或设置无密码的
sudo
并将用户分配给它,在Dockerfile
类似这样:
RUN adduser YOUR_USER sudo
RUN sed -i.bkp -e \
's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL/g' \
/etc/sudoers
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.