Dockerfile - 创建非 root 用户几乎会使图像大小翻倍
[英]Dockerfile - Creating non-root user almost doubles the image size
问题描述
Created an application image on top of ubuntu.
在 ubuntu 之上创建了一个应用程序映像。 The application requires a non-root user.该应用程序需要非 root 用户。
I am able to create the image and get it working but the RUN statement for creating new user significantly increases the size of this image.我能够创建图像并使其正常工作,但是用于创建新用户的RUN语句显着增加了该图像的大小。
Dockerfile snippet: Dockerfile 片段:
## create newuser and give correct permissions to home directory
RUN useradd newuser --create-home --shell /bin/bash && \
echo 'newuser:newpassword' | chpasswd && \
chown -R newuser:newuser /home/newuser && \
chmod 755 /home/newuser
USER newuser
WORKDIR /home/newuser
Is there a better way to create a new user?有没有更好的方法来创建新用户?
Thinking about alternate approaches, wonder if one uses multi-stage build to create this new user and then use copy --from to get relevant files in the final build.考虑替代方法,想知道是否使用多阶段构建来创建这个新用户,然后使用copy --from在最终构建中获取相关文件。 Not sure what those files would be.不确定这些文件是什么。
1 个解决方案
解决方案1
1 已采纳 2021-01-10 12:38:07
Don't chown the directory;不要chown目录; leave root owning it.让root拥有它。 You also shouldn't need to set a shell, or a password, or create a home directory;您也不需要设置 shell 或密码,或创建主目录; none of these things will be used in normal operation.这些东西都不会在正常操作中使用。
I'd suggest creating the user towards the start of the Dockerfile (it is fairly fixed and so this step can be cached) but only switching USER at the very end of the file, when you're setting up the metadata for how to run the container.我建议在 Dockerfile 的开头创建用户(它是相当固定的,因此可以缓存此步骤)但仅在文件的最后切换USER ,当您设置元数据以了解如何运行时容器。
A Node-based example:基于节点的示例:
FROM node:lts # debian-based
# Create the non-root user up front
RUN adduser --system --group --no-create-home newuser
# Copy and build the package as usual
WORKDIR /app
COPY package.json yarn.lock .
RUN yarn install
COPY . .
RUN yarn build
# Now the application is built
# And root owns all the files
# And that's fine
# Say how to run the container
EXPOSE 3000
USER newuser
CMD yarn start
Having root owning the files gives you a little extra protection in case something goes wrong.让root拥有文件可以为您提供一些额外的保护,以防出现问题。 If there's a bug that allows files in the container to be overwritten, having a different user owning those files prevents the application code or static assets from being inadvertently modified.如果存在允许覆盖容器中的文件的错误,则让其他用户拥有这些文件可防止应用程序代码或 static 资产被无意修改。
If your application needs to read or write files then you could create a specific directory for that:如果您的应用程序需要读取或写入文件,那么您可以为此创建一个特定目录:
# Towards the end of the file, but before the USER
RUN mkdir data && chown newuser data
This will let the operator mount some storage over the otherwise-empty directory.这将让操作员在原本为空的目录上挂载一些存储。 This is the only thing that has the newly created user ID in it at all, so if the storage comes with its own owner it shouldn't be an operational problem;这是唯一具有新创建的用户 ID 的东西,所以如果存储有自己的所有者,那么它不应该是一个操作问题; you need to also specify the matching user ID at container startup time.您还需要在容器启动时指定匹配的用户 ID。
docker run -u $(id -u) -v $PWD/data:/app/data ...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.