
Set a Non-Root User by Dockerfile

I wrote a Dockerfile for creating a React application.

Dockerfile instructions:

FROM node:16.13.1-alpine3.15

RUN npm i -g npm@8.6.0

RUN addgroup allusers && adduser -S -G allusers username
USER username

WORKDIR /application
COPY package*.json .
RUN npm i

COPY . .

EXPOSE 3003
CMD ["npm", "start"]

These instructions give me an error:

#11 103.6 npm notice
#11 103.6 npm ERR! code EACCES
#11 103.6 npm ERR! syscall open
#11 103.6 npm ERR! path /application/package-lock.json
#11 103.6 npm ERR! errno -13
#11 103.6 npm ERR! Error: EACCES: permission denied, open '/application/package-lock.json'
#11 103.6 npm ERR!  [Error: EACCES: permission denied, open '/application/package-lock.json'] {
#11 103.6 npm ERR!   errno: -13,
#11 103.6 npm ERR!   code: 'EACCES',
#11 103.6 npm ERR!   syscall: 'open',
#11 103.6 npm ERR!   path: '/application/package-lock.json'
#11 103.6 npm ERR! }
#11 103.6 npm ERR!
#11 103.6 npm ERR! The operation was rejected by your operating system.
#11 103.6 npm ERR! It is likely you do not have the permissions to access this file as the current user
#11 103.6 npm ERR!
#11 103.6 npm ERR! If you believe this might be a permissions issue, please double-check the
#11 103.6 npm ERR! permissions of the file and its containing directories, or try running
#11 103.6 npm ERR! the command again as root/Administrator.
#11 103.6
#11 103.7 npm ERR! A complete log of this run can be found in:
#11 103.7 npm ERR!     /home/aliarya/.npm/_logs/2022-06-28T09_25_40_565Z-debug-0.log------
executor failed running [/bin/sh -c npm i]: exit code: 243

When I omit or comment out

RUN addgroup allusers && adduser -S -G allusers username
USER username

I can build the image.

How to set a non-root user?

Move the USER username statement to the end of the file, near the CMD.

RUN addgroup allusers && adduser -S -G allusers username

# still as root
...
RUN npm ci
...

# at the end of the file
USER username
CMD ["npm", "start"]

Things that are COPYed into an image by default are owned by root. This means that, for example, the npm ci step can't create a node_modules directory, because the parent /application directory is owned by root but in your setup you're doing work as the "username" user.

In the final image, though, you want your code and libraries to be owned by root, or at least, you want the current user to not have permissions to overwrite them. This protects you from accidentally changing things while the container is running, and limits the impact of some classes of bugs.

So the easiest way to get there in most images is to run your build as root, and then switch to a non-root user only to run the resulting container.
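The ordering rule described above can be checked mechanically. The following is an added example, not part of the original question or answer: a small Python audit that walks a Dockerfile and reports build steps run as a non-root user, an image that still runs as root, and files handed to the runtime user with COPY --chown. The function name `audit` and the finding labels are hypothetical, and it assumes the base image starts as root.

```python
import re

# Constructed samples: the question's instruction order and the answer's.
QUESTION = """\
FROM node:16.13.1-alpine3.15
RUN addgroup allusers && adduser -S -G allusers username
USER username
WORKDIR /application
COPY package*.json .
RUN npm i
COPY . .
CMD ["npm", "start"]
"""
ANSWER = """\
FROM node:16.13.1-alpine3.15
RUN addgroup allusers && adduser -S -G allusers username
WORKDIR /application
COPY package*.json .
RUN npm ci
COPY . .
USER username
CMD ["npm", "start"]
"""
ROOT = {"root", "0"}

def audit(dockerfile):
    """Return (line, finding) pairs; line 0 refers to the image as a whole."""
    # Simplification: backslash line continuations are not joined.
    user, chowned, findings = "root", [], []
    for n, line in enumerate(dockerfile.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        op, arg = parts[0].upper(), parts[1] if len(parts) > 1 else ""
        if op == "FROM":  # new stage; assumes the base image defaults to root
            user, chowned = "root", []
        elif op == "USER":
            user = arg.split(":")[0]
        elif op == "RUN" and user not in ROOT:
            # The question's EACCES: a build step writing into root-owned paths.
            findings.append((n, "build-step-as-non-root"))
        elif op in ("COPY", "ADD"):
            m = re.search(r"--chown=([^:\s]+)", arg)
            if m:
                chowned.append((n, m.group(1)))
    if user in ROOT:
        findings.append((0, "runs-as-root"))
    # Files owned by the runtime user can be overwritten by the running app.
    return findings + [(n, "writable-by-runtime-user") for n, o in chowned if o == user]
```

An empty result means the build runs as root, the container runs as a non-root user, and nothing copied in is owned by that user.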
