Docker: How to give root permissions for the local user?
I'm running a build in Docker like this:
docker run --user $(id -u):$(id -g) --rm --network=host -v `pwd`:${SRC_MOUNT_DIR} my-image:latest my-build-script.sh
I'm setting the local user with --user in order to avoid root-owned files appearing in my home dir.
Now, the problem is that I'd need to use sudo apt install in my build script to install some dependencies from some other builds, but that would require root.
How could I arrange this? I guess it's not possible to make sudo work without password for all possible users..?
If the user inside your container can run sudo apt install ... then you may as well run everything in the container as root since any attack could just sudo ... any of the attack code. Instead:
Consider whether you need to apt install inside the container, or if you can do that in your image. It would be much better to have binaries installed inside the image and deploy those instead of reinstalling the application every time you run the container.
If you have a use case that requires root on startup, then start your container as root, and then drop to the user after finishing those root steps. Tools like gosu are well designed for this. For an example of an entrypoint that does this, I have a docker-base image with an entrypoint script that adds gosu and runs the CMD with an exec to avoid /bin/sh as pid 1 (this helps with signal handling).
Gosu can be found at: https://github.com/tianon/gosu
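
A minimal entrypoint following the pattern the answer describes, written here as an added example (it is not the answer author's docker-base script). The variable names RUN_UID, RUN_GID and EXTRA_PACKAGES are assumptions made for illustration, and gosu is assumed to be installed in the image.

```shell
#!/bin/sh
# Added example entrypoint: root-only setup first, then drop privileges with gosu.
# Assumed names (not from the answer): RUN_UID, RUN_GID, EXTRA_PACKAGES.
set -e

# Succeeds only for a non-empty string of decimal digits.
is_numeric_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints "uid:gid" for gosu; fails on malformed values or uid 0, so a bad
# request can never leave the build running as root.
target_user() {
    uid="${RUN_UID:-}" gid="${RUN_GID:-}"
    is_numeric_id "$uid" && is_numeric_id "$gid" || return 1
    [ "$uid" -ne 0 ] || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

main() {
    # Started unprivileged (e.g. with --user): nothing to drop, just run the CMD.
    if [ "$(id -u)" -ne 0 ]; then
        exec "$@"
    fi
    target="$(target_user)" || {
        echo "RUN_UID and RUN_GID must be numeric and non-root" >&2
        exit 64
    }
    # Root-only steps happen here, before the drop.
    if [ -n "${EXTRA_PACKAGES:-}" ]; then
        apt-get update
        # Unquoted on purpose: EXTRA_PACKAGES is a space-separated list.
        apt-get install -y --no-install-recommends $EXTRA_PACKAGES
    fi
    # exec replaces the shell, so the build script is PID 1 and receives signals.
    exec gosu "$target" "$@"
}

# Run only when a CMD was passed; with no arguments there is nothing to exec.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

With this entrypoint the container is started without --user and the ids are passed instead, for example -e RUN_UID=$(id -u) -e RUN_GID=$(id -g), so files written to the mounted source directory are still owned by the local user.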