Docker：如何为本地用户授予 root 权限？

Question

I'm running a build in Docker like this:

docker run --user $(id -u):$(id -g) --rm --network=host -v `pwd`:${SRC_MOUNT_DIR} my-image:latest my-build-script.sh

I'm setting the local user with --user in order to avoid root-owned files appearing in my home dir.

Now, the problem is that I'd need to use sudo apt install in my build script to install some dependencies from some other builds, but that would require root.

How could I arrange this? I guess it's not possible to make sudo work without password for all possible users..?

Answer 1

If the user inside your container can run sudo apt install ... then you may as well run everything in the container as root since any attack could just sudo ... any of the attack code. Instead:

• Consider whether you need to apt install inside the container, or if you can do that in your image. It would be much better to have binaries installed inside the image and deploy those instead of reinstalling the application every time you run the container.

• If you have a use case that requires root on startup, then start your container as root, and then drop to the user after finishing those root steps. Tools like gosu are well designed for this. For an example of an entrypoint that does this, I have a docker-base image with an entrypoint script that adds gosu and runs the CMD with an exec to avoid /bin/sh as pid 1 (this helps with signal handling).

Gosu can be found at: https://github.com/tianon/gosu