容器内用户和组的问题
[英]Problem with the User and Group inside a container
问题描述
Preliminary
初步的
First, a preliminary.首先,初步。 When running a docker container with a volume mapped to some part of the host, the user inside the docker container is usually root, so for files generated by the container, the Host cannot edit, modify or delete them.当运行一个卷映射到宿主机某部分的docker容器时,docker容器内的用户通常是root,所以对于容器产生的文件,宿主机是不能编辑、修改或删除它们的。 To solve this some people (including the one who created the image I am using) recommends using -u为了解决这个问题,有些人(包括创建我正在使用的图像的人)建议使用-u
The Situation情况
I have a Docker image (built by a different person in a different machine)我有一个 Docker 镜像(由不同的人在不同的机器上构建)
This Docker image assumes the user is going to be a user with id 1000此 Docker 映像假定用户将成为 ID 为 1000 的用户
The problem问题
When a person who is the only user of a Host machine (and whose user id is 1000) runs the image, there is no problem.当一个Host机器的唯一用户(并且其用户ID为1000)运行该图像时,没有问题。 However, in my case I am the second user of this Host so my user id is 1001. So I have the following:但是,就我而言,我是该主机的第二个用户,因此我的用户 ID 是 1001。所以我有以下内容:
In the Host I do cat /etc/passwd and I get several users including:在主机中,我执行cat /etc/passwd并获得多个用户,包括:
firstuser:x:1000:1000:firstluser,,,:/home/firstuser:/bin/bash
myself:x:1001:1001:My Name,,,:/home/myself:/bin/bash
Then :然后 :
CASE 1 I run the container with案例 1我运行容器
docker run -it --rm -u 1001:1001 -v /a/path:/another/path image /bin/bash
because doing id -u and id -g gives me 1001.(I am the second user after all)因为做id -u和id -g给了我 1001.(毕竟我是第二个用户)
Doing this causes that这样做会导致
groups:cannot find name for group ID 1001
then my user becomes "I have no name!"然后我的用户变成"I have no name!" and when I do cat/etc/passwd I get当我做cat/etc/passwd我得到
originaluser:x:1000:1000::/home/originaluser:bin/bash <---- here there are not ,,, originaluser:x:1000:1000::/home/originaluser:bin/bash <---- 这里没有,,,
so obviously my user (1001) does not exist which causes a lot of problems.所以显然我的用户(1001)不存在,这会导致很多问题。
To solve this I tried为了解决这个我试过
CASE2 I run the container with CASE2我用
docker run -it --rm -u 1000:1000 -v /a/path:/another/path image /bin/bash
which does not cause the previous error, and now even though I am myself but run the Docker image as firstuser , in the container I am originaluser (since both are 1000)这不会导致之前的错误,现在即使我myself但是作为firstuser运行 Docker 映像,在容器中我是originaluser (因为两者都是 1000)
Doing the cat /etc/passwd I can see做cat /etc/passwd我可以看到
originaluser:x:1000:1000::/home/sensetime:bin/bash
and as predicted my user is originaluser .正如预测的那样,我的用户是originaluser 。
I should be happy but, this also causes problems!我应该很高兴,但是,这也会引起问题!
Later on the program inside the container tries to create a file (with user 1000) but since it is mapped and the user owner is 1001 this creation fails.稍后,容器内的程序尝试创建一个文件(用户为 1000),但由于它已映射且用户所有者为 1001,因此此创建失败。
What is a good way to prevent all these problems and be able to synchronize the user in the host with the user in the container?什么是防止所有这些问题并能够将主机中的用户与容器中的用户同步的好方法?
1 个解决方案
解决方案1
1 2020-10-12 07:56:11
I recently discovered fixuid which may solve most of you problems.我最近发现了可以解决大多数问题的fixuid 。
The uid/gid in a container cannot (or is not expected to) match the ones on your host.容器中的 uid/gid 不能(或预计不会)与您主机上的 uid/gid 匹配。
The fixuid setuid go binary I linked above can solve this by changing the uid/gid of the user in docker to match the one you configured.我上面链接的fixuid setuid go binary 可以通过更改fixuid用户的 uid/gid 以匹配您配置的那个来解决这个问题。
For instance:例如:
Host: uid/gid/name=1001/1001/kansai主机:uid/gid/name=1001/1001/kansai
Guest user: uid/gid/name=1000/1000/user来宾用户:uid/gid/name=1000/1000/user
If you had add the fixuid binary in you container (build phase) then you can run:如果您在容器中添加了fixuid二进制文件(构建阶段),那么您可以运行:
docker run --rm -it -u $(id -u):$(id -g) -v /a/path:/another/path image fixuid /bin/bash
You can also set fixuid in an entrypoint so it will be easier to use.您还可以在入口点中设置fixuid ,以便更易于使用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.