在 Docker 映像中以非 root 用户身份运行 cronjob 的正确方法是什么?
[英]What is the proper way to run a cronjob as a non-root user in a Docker image?
问题描述
It's been a really long time since I've posted something here.
自从我在这里发布东西以来已经很长时间了。 I've been struggling with this for a while now and thought it would be the perfect time to come here.我已经为此苦苦挣扎了一段时间,并认为这将是来到这里的最佳时机。
I need a container image that would execute a cron job.我需要一个可以执行 cron 作业的容器映像。 The issue is that I need to run the container as a non-root user due to security reasons and best practices;问题是由于安全原因和最佳实践,我需要以非 root 用户身份运行容器; however, the default crond (busybox) won't execute as a non root.但是,默认的 crond (busybox) 不会以非 root 身份执行。 Therefore, I decided to use dcron , which is a lightweight cron daemon.因此,我决定使用dcron ,它是一个轻量级的 cron 守护进程。
Dockerfile: Dockerfile:
FROM alpine:3.12.1
RUN apk --no-cache add dcron
RUN adduser -S 11111 -u 11111 -G cron -s /bin/ash && \
chgrp cron /usr/sbin/crond && \
chmod 4770 /usr/sbin/crond
RUN echo "* * * * * date >> /tmp/log/test 2>&1" >> /etc/crontabs/11111
RUN chown 11111 /etc/crontabs/11111
USER 11111
CMD ["crond", "-f"]
Problem:问题:
When I run this container, I get the following output: setpgid: Operation not permitted .当我运行这个容器时,我得到以下 output: setpgid: Operation not permitted allowed 。
Interestingly though, if I omit the CMD from the Dockerfile and run crond -f inside the shell it will work just fine!有趣的是,如果我从 Dockerfile 中省略 CMD 并在 shell 中运行crond -f ,它将正常工作!
Any suggestions would be highly appreciated!任何建议将不胜感激!
2 个解决方案
解决方案1
0 2020-12-15 21:27:59
So after some investigation, I ended up not using cron at all and doing something simple instead.因此,经过一番调查,我最终根本没有使用 cron,而是做了一些简单的事情。 Not an ideal solution, but does what I need at the moment.不是一个理想的解决方案,但可以满足我目前的需要。 I am going to share it here, but please do share a proper way to solve this if you know.我将在这里分享它,但如果您知道,请分享解决此问题的正确方法。 For example, with the following a 'job' will run every 12 hours:例如,使用以下“作业”将每 12 小时运行一次:
Dockerfile: Dockerfile:
FROM alpine:3.12.1
COPY entrypoint.sh /usr/local/bin
RUN chmod +x /usr/local/bin/entrypoint.sh
ENTRYPOINT ["entrypoint.sh"]
entrypoint.sh入口点.sh
#!/usr/bin/env ash
while true; do
echo "$(date) Hello there!"
sleep "12h"
done
Additional information附加信息
Some other solutions that you might find interesting:您可能会觉得有趣的其他一些解决方案:
- https://github.com/aptible/supercronic/ https://github.com/aptible/supercronic/
- https://hub.docker.com/r/blacklabelops/logrotate https://github.com/blacklabelops/logrotate https://hub.docker.com/r/blacklabelops/logrotate https://github.com/blacklabelops/logrotate
- https://medium.com/@geekidea_81313/running-cron-jobs-as-non-root-on-alpine-linux-e5fa94827c34 https://medium.com/@geekidea_81313/running-cron-jobs-as-non-root-on-alpine-linux-e5fa94827c34
Some of the suggestions like (3) didn't work, and (1,2) were a little too complex for what I needed.像(3)这样的一些建议不起作用,而(1,2)对于我需要的东西来说有点太复杂了。
解决方案2
0 2021-03-26 16:19:23
If your docker container is running as non root user, you cannot start the cron daemon as it requires root privilege to start.如果您的 docker 容器以非 root 用户身份运行,则无法启动 cron 守护程序,因为它需要 root 权限才能启动。
It is worth to explore https://github.com/aptible/supercronic/ which gives you similar set of cron that can be run without root user privileges and it is equivalent to cron. https://github.com/aptible/supercronic/值得探索,它为您提供了类似的 cron 集,可以在没有 root 用户权限的情况下运行,它相当于 cron。
Build from Source:从源代码构建:
go get -d github.com/aptible/supercronic
cd "${GOPATH}/src/github.com/aptible/supercronic"
go mod vendor
go install
Download Binaries:下载二进制文件:
https://github.com/aptible/supercronic/releases https://github.com/aptible/supercronic/releases
To better performance, you can store the binaries in antifactory and read using docker build.为了获得更好的性能,您可以将二进制文件存储在 antifactory 中并使用 docker 构建读取。
Hack哈克
You can cross build and generate the binaries.您可以交叉构建和生成二进制文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.