堆栈内存溢出
  简体   繁体   English

如何在 Fargate 上的 Amazon ECS 中以非 root 用户身份运行 docker 容器

[英]How to run docker containers as a non-root user in Amazon ECS on Fargate

 原文  2020-09-12 04:55:13       amazon-web-services/ docker/ aws-fargate

问题描述

A non-root user can run docker containers by using USER instruction.非 root 用户可以使用 USER 指令运行 docker 容器。
reference: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user参考: https : //docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

I want to do that in Amazon ECS on Fargate.我想在 Fargate 上的 Amazon ECS 中执行此操作。

How does a non-root user run docker containers in Amazon ECS on Fargate?非 root 用户如何在 Fargate 上的 Amazon ECS 中运行 docker 容器?

Thank you in advance.先感谢您。

2 个解决方案

解决方案1
 2 已采纳  2020-09-12 05:10:31

If you happen to manage the Dockerfile, you may just include the USER directive to it to prevent the resulting container from running as root.如果您碰巧管理 Dockerfile,您可以只在其中包含USER指令,以防止生成的容器以 root 身份运行。 You may also create an ad-hoc Dockerfile with the FROM instruction pointing to the image you want to run as non-root, and the USER directive.您还可以创建一个临时 Dockerfile,其中FROM指令指向您要以非 root 身份运行的映像,以及USER指令。 All these require using a Dockerfile and building the image on your own.所有这些都需要使用 Dockerfile 并自行构建映像。

The other alternatives are removing the shell, which is something you could do after the container starts using rm , but this is a very basic mitigation that won't prevent from accessing sensible data in the container.其他替代方法是删除外壳,这是您可以在容器开始使用rm后执行的操作,但这是一个非常基本的缓解措施,不会阻止访问容器中的合理数据。

Finally, if using Kubernetes there is a policy to run as user or group.最后,如果使用 Kubernetes,则有一个以用户或组身份运行的策略。 I will directly paste the fragment of my source for this answer: AWS - EKS Best Practices Guide我将直接粘贴此答案的源代码片段: AWS - EKS 最佳实践指南

The Kubernetes podSpec includes a set of fields under spec.securityContext , that allow to let you specify the user and/or group to run your application as. Kubernetes podSpec 在spec.securityContextspec.securityContext字段,允许您指定运行应用程序的用户和/或组。 These fields are runAsUser and runAsGroup respectively.这些字段分别是runAsUserrunAsGroup You can mandate the use of these fields by creating a pod security policy.您可以通过创建 pod 安全策略来强制使用这些字段。 See https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups for further information on this topic.有关此主题的更多信息,请参阅https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

解决方案2
 2  2020-10-29 16:44:15

在 Amazon ECS 中将容器映像作为 Fargate 任务运行时,有参数“user”、“privileged”,如下所述: https : //docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html用于指定用于运行容器的用户。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用亚马逊 ecs 运行 15 个 docker 容器 - How to run around 15 docker containers with amazon ecs 如何在 Fargate 容器中以非根身份访问 AWS ServiceAccount 令牌? - How to access AWS ServiceAccount token as non-root in a Fargate container? 如何在ECS Fargate上射击容器问题? - How to trouble shoot containers on ECS Fargate? 如何使用多个容器将 SSH 放入 AWS ECS Fargate? - How to SSH into AWS ECS Fargate with multiple containers? 在Amazon ECS上运行Docker映像 - Run docker image on amazon ecs 作为非根用户的 AWS CodeBuild - AWS CodeBuild as non-root user 如何启动具有公共 DNS 的 ECS Fargate 容器? - How can you launch ECS Fargate containers having a public DNS? 如何在 AWS ECS Fargate 中连接两个容器? - How to make two containers connectable in AWS ECS Fargate? 使用Amazon ECS运行Docker Network - Run Docker Network using Amazon ECS Amazon 内部 DNS 在 ECS 内部不工作 Docker 容器 - Amazon Internal DNS Not Working Inside ECS Docker Containers
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM