在 docker-compose 中运行容器时使用当前用户
[英]Using current user when running container in docker-compose
问题描述
Is there a way to execute or login as current user to a bash of specific container .
有没有办法以当前用户身份执行或登录到bash of specific container 。 I tried running docker-compose exec -u $USER phoenix bash but it says unable to find user raz: no matching entries in passwd file我尝试运行docker-compose exec -u $USER phoenix bash但它说无法找到用户 raz:密码文件中没有匹配条目
I tried another way by adding a useradd command in a dockerfile.我通过在 dockerfile 中添加 useradd 命令尝试了另一种方法。
FROM elixir:latest
ARG USER_ID
ARG GROUP_ID
RUN addgroup --gid $GROUP_ID raz
RUN adduser --disabled-password --gecos '' --uid $USER_ID --gid $GROUP_ID raz
USER raz
RUN apt-get update && \
apt-get install -y postgresql-client && \
apt-get install -y inotify-tools && \
apt-get install -y nodejs && \
curl -L https://npmjs.org/install.sh | sh && \
mix local.hex --force && \
mix archive.install hex phx_new 1.5.3 --force && \
mix local.rebar --force
COPY . /app
WORKDIR /app
COPY ./entrypoint.sh /entrypoint.sh
RUN ["chmod", "+x", "/entrypoint.sh"]
ENTRYPOINT ["/entrypoint.sh"]
but when I run docker-compose build I get a permission denied error when running the apt-get commands.但是当我运行docker-compose build时,我在运行 apt-get 命令时遇到权限被拒绝的错误。 I also look for gosu as a step down root user but it seems complicated.我也在寻找gosu作为根用户的降级,但它看起来很复杂。
Is it possible for added user in Dockerfile command to have same permission as my current user?在 Dockerfile 命令中添加的用户是否有可能与我当前用户具有相同的权限? I'm running WSL2 btw.顺便说一句,我正在运行 WSL2。
2 个解决方案
解决方案1
21 2022-02-08 00:48:51
Building on top of the answer by Joepreludian, focusing on docker-compose:以 Joepreludian 的答案为基础,重点关注 docker-compose:
You can use the user: and volumes: options in the compose file.您可以在撰写文件中使用user:和volumes:选项。 For example:例如:
my-service:
image: ubuntu:latest
user: ${MY_UID}:${MY_GID}
volumes:
- /etc/passwd:/etc/passwd:ro
- /etc/group:/etc/group:ro
and define these variables where you are starting your compose:并在您开始撰写的地方定义这些变量:
MY_UID="$(id -u)" MY_GID="$(id -g)" docker-compose up
解决方案2
4 已采纳 2021-02-09 04:19:35
This question is pretty interesting.这个问题挺有意思的。 Let me begin with a short explanation;让我先做一个简短的解释;
Understanding the problem了解问题
In fact the user that exists inside container will be valid only inside the container itself.实际上,存在于容器内的用户仅在容器本身内有效。 What you're trying to do is to use a user that exists outside a container, aka your docker host, inside a container.您想要做的是使用存在于容器外部的用户,也就是您的 docker 主机,位于容器内部。 Unfortunately this movement can't be done in a normal way;不幸的是,这个动作不能以正常方式进行;
For instance, let me try to change to my user in order to get this container:例如,让我尝试更改为我的用户以获取此容器:
$ docker run -it --rm --user jon ubuntu whoami
docker: Error response from daemon: unable to find user jon: no matching entries in passwd file.
I tried to run a classic ubuntu container inside my docker host;我试图在我的 docker 主机中运行一个经典的 ubuntu 容器; Despite the user exists on my local machine, The Docker image says that didn't find the user;尽管用户存在于我的本地机器上,Docker 镜像说没有找到用户;
$ id -a
uid=1000(jon) gid=1001(jon) groups=1001(jon),3(sys),90(network),98(power),108(vboxusers),962(docker),991(lp),998(wheel),1000(autologin)
The command above was executed on my compute, proving that "jon" username exists;上面的命令是在我的电脑上执行的,证明“jon”用户名存在;
Making my username available inside a container: a docker trick让我的用户名在容器内可用:一个 docker 技巧
I will suppose that you didn't created an user inside your container.我假设您没有在容器内创建用户。 For instance I'm going to use the ubuntu docker image;例如,我将使用 ubuntu docker 镜像;
The trick is to mount both files responsible for handling your user and group definition inside the container, causing the container being able to see you inside of it.诀窍是在容器内挂载负责处理用户和组定义的两个文件,使容器能够在其中看到您。
$ docker run -it --rm --volume /etc/passwd:/etc/passwd:ro --volume /etc/group:/etc/group:ro --user $(id -u) ubuntu whoami
jon
For a more complete example:一个更完整的例子:
$ docker run -it --rm --volume /etc/passwd:/etc/passwd:ro --volume /etc/group:/etc/group:ro --user $(id -u):$(id -g) ubuntu "id"
uid=1000(jon) gid=1001(jon) groups=1001(jon)
Notice that I used two volumes pointing to two files?
请注意,我使用了两个指向两个文件的卷? /etc/password and /etc/group? /etc/password 和 /etc/group? Both I mounted read only (appending ":ro") just for safety.为了安全起见,我只安装了只读(附加“:ro”)。Also notice that I used the
id -u, which brings me the user id (1000 on my case), forcing the user id for being the same of mine defined on my/etc/passwordfile.另请注意,我使用了id -u,它为我带来了用户 ID(在我的情况下为 1000),强制用户 ID 与我在/etc/password文件中定义的用户 ID 相同。
Caveat警告
If you try to set the username to jon rather than the UID you going to run into a issue;如果您尝试将用户名设置为jon而不是 UID,您将遇到问题;
$ docker run -it --rm --volume /etc/passwd:/etc/passwd:ro --volume /etc/group:/etc/group:ro --user jon ubuntu whoami
docker: Error response from daemon: unable to find user jon: no matching entries in passwd file.
This happens because the docker engine would try to change the username before mouting the volumes and this should exists before running the container.发生这种情况是因为 docker 引擎会在安装卷之前尝试更改用户名,这应该在运行容器之前存在。 If you provide a numeric representation of the user, this one doesn't needs to exist within the container, causing the trick to work;如果您提供用户的数字表示,则该用户不需要存在于容器中,从而使技巧起作用;
https://docs.docker.com/engine/reference/run/#user https://docs.docker.com/engine/reference/run/#user
I hope being helpful.我希望有帮助。 Be safe!注意安全!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.