我應該在此 Dockerfile 中更改什么以區分主機和容器用戶權限?
[英]What should I change in this Dockerfile to differentiate host and container user permissions?
問題描述
為了避免 root 用戶在容器中運行,我得到了以下 Dockerfile:
FROM public.ecr.aws/docker/library/node:14-alpine AS deps
RUN apk add --no-cache libc6-compat curl \
&& addgroup --system --gid 1001 app_user \
&& adduser --system --uid 1001 app_user
RUN mkdir /app \
&& chown -R app_user:app_user /app
USER app_user
WORKDIR /app
COPY --chown=app_user:app_user package*.json yarn.lock ./
RUN yarn install --production=false --pure-lockfile --ignore-engines
FROM public.ecr.aws/docker/library/node:14-alpine AS builder
WORKDIR /app
COPY --chown=app_user:app_user components pages public queries styles lib @types ./
COPY --chown=app_user:app_user tsconfig.json constants.js next.config.js .babelrc ./
COPY --chown=app_user:app_user scripts/cache/ ./scripts/cache
COPY --chown=app_user:app_user --from=deps /usr/src/app/package.json ./
COPY --chown=app_user:app_user --from=deps /usr/src/app/node_modules ./node_modules
ENV CACHE_REFRESH_SECRET_TOKEN=$CACHE_REFRESH_SECRET_TOKEN
RUN CODEBUILD_BUILD_ID=$CODEBUILD_BUILD_ID DEBUG=graphql:errors,graphql:queries,cache:redis DEBUG_COLORS=true npm run build
EXPOSE 8080 6379
ENTRYPOINT [ "npm", "start"]
行COPY --chown=app_user:app_user package*.json yarn.lock./不會失敗,但是一旦到達行COPY --chown=app_user:app_user components pages public queries styles lib @types./就會出錯輸出以下消息:
unable to convert uid/gid chown string to host mapping: can't find uid for user app_user: no such user: app_user
我有點奇怪,因為我認為我正在遵循文檔和多個指南的指示。 應該糾正什么?
2 個解決方案
解決方案1
1 已采納 2023-01-08 12:24:31
沒有特別要求運行容器的(非 root)用戶是擁有文件的同一用戶。 讓 root 擁有源代碼而不是全局可寫的源代碼可能是一個小的安全改進,這將防止應用程序執行諸如覆蓋其自己的 static 圖像(有意或無意)之類的事情。
一種直接的方法是在 Dockerfile 中以 root 身份完成 package 的所有安裝和構建,並且僅在 Dockerfile 的最后切換到非 root 用戶。
FROM public.ecr.aws/docker/library/node:14-alpine AS deps
# Doing the `yarn install` step as root, so no need to create a user here
RUN apk add --no-cache libc6-compat curl
WORKDIR /app
COPY package*.json yarn.lock ./
RUN yarn install --production=false --pure-lockfile --ignore-engines
FROM public.ecr.aws/docker/library/node:14-alpine AS builder
# Create the non-root user, without a specific uid; do not switch yet
RUN adduser --system app_user
# Do the rest of the installation steps, still as root
WORKDIR /app
COPY components pages public queries styles lib @types ./
COPY tsconfig.json constants.js next.config.js .babelrc ./
COPY scripts/cache/ ./scripts/cache
COPY --from=deps /app/package.json /app/yarn.lock ./
COPY --from=deps app/node_modules ./node_modules
RUN yarn build
# As part of the runtime setup, switch to the non-root user now
EXPOSE 8080
USER app_user
CMD ["yarn", "start"]
解決方案2
0 2023-01-08 08:24:30
在 docker 構建的多階段中,您不能重復使用同一用戶,因此在每個FROM中您必須重新創建它。
我在第 17 到 23 行進行了更改
1 FROM public.ecr.aws/docker/library/node:14-alpine AS deps
2
3 RUN apk add --no-cache libc6-compat curl \
4 && addgroup --system --gid 1001 app_user \
5 && adduser --system --uid 1001 app_user
6
7 RUN mkdir /app \
8 && chown -R app_user:app_user /app
9 USER app_user
10 WORKDIR /app
11
12 COPY --chown=app_user:app_user package*.json yarn.lock ./
13 RUN yarn install --production=false --pure-lockfile --ignore-engines
14
15 FROM public.ecr.aws/docker/library/node:14-alpine AS builder
16
17 RUN apk add --no-cache libc6-compat curl \
18 && addgroup --system --gid 1001 app_user \
19 && adduser --system --uid 1001 app_user
20
21 RUN mkdir /app \
22 && chown -R app_user:app_user /app
23 USER app_user
24 WORKDIR /app
25
26 ARG NODE_ENV=production
27 ARG CODEBUILD_RESOLVED_SOURCE_VERSION
28 ARG CODEBUILD_BUILD_ID
29 ARG CODEBUILD_BUILD_NUMBER
30 ARG CODEBUILD_START_TIME
31 ARG ELASTIC_CACHE_NODE_ADDRESS
32 ARG CONTENTFUL_SPACE_ID
33 ARG CONTENTFUL_ENVIRONMENT_ID
34 ARG CONTENTFUL_DELIVERY_TOKEN
35 ARG CONTENTFUL_PREVIEW_TOKEN
36 ARG PREVIEW_MODE_SECRET_TOKEN
37 ARG BUILD_TRIGGER_SECRET_TOKEN
38 ARG CACHE_REFRESH_SECRET_TOKEN
39 ARG BUILD_RSS_SECRET_TOKEN
40
41 ARG NEXT_PUBLIC_ALGOLIA_APPLICATION_ID
42 ARG NEXT_PUBLIC_ALGOLIA_INDEX_NAME
43 ARG NEXT_PUBLIC_ALGOLIA_SEARCH_KEY
44 ARG ALGOLIA_INDEXING_SECRET_TOKEN
45
46 ARG CSP_REPORT_URI
47 ARG CSP_ENABLED
48
49 ARG POSTS_CSV_SECRET_TOKEN
50
51 ENV CODEBUILD_RESOLVED_SOURCE_VERSION=$CODEBUILD_RESOLVED_SOURCE_VERSION
52 ENV CODEBUILD_BUILD_ID=$CODEBUILD_BUILD_ID
53 ENV ELASTIC_CACHE_NODE_ADDRESS=$ELASTIC_CACHE_NODE_ADDRESS
54 ENV CONTENTFUL_SPACE_ID=$CONTENTFUL_SPACE_ID
55 ENV CONTENTFUL_ENVIRONMENT_ID=$CONTENTFUL_ENVIRONMENT_ID
56 ENV CONTENTFUL_DELIVERY_TOKEN=$CONTENTFUL_DELIVERY_TOKEN
57 ENV CONTENTFUL_PREVIEW_TOKEN=$CONTENTFUL_PREVIEW_TOKEN
58 ENV PREVIEW_MODE_SECRET_TOKEN=$PREVIEW_MODE_SECRET_TOKEN
59 ENV BUILD_TRIGGER_SECRET_TOKEN=$BUILD_TRIGGER_SECRET_TOKEN
60 ENV BUILD_RSS_SECRET_TOKEN=$BUILD_RSS_SECRET_TOKEN
61
62 ENV CSP_REPORT_URI=$CSP_REPORT_URI
63 ENV CSP_ENABLED=$CSP_ENABLED
64
65 ENV NEXT_PUBLIC_ALGOLIA_APPLICATION_ID=$NEXT_PUBLIC_ALGOLIA_APPLICATION_ID
66 ENV NEXT_PUBLIC_ALGOLIA_INDEX_NAME=$NEXT_PUBLIC_ALGOLIA_INDEX_NAME
67 ENV NEXT_PUBLIC_ALGOLIA_SEARCH_KEY=$NEXT_PUBLIC_ALGOLIA_SEARCH_KEY
68 ENV ALGOLIA_INDEXING_SECRET_TOKEN=$ALGOLIA_INDEXING_SECRET_TOKEN
69
70 ENV POSTS_CSV_SECRET_TOKEN=$POSTS_CSV_SECRET_TOKEN
71
72 ENV NEXT_PUBLIC_CODEBUILD_RESOLVED_SOURCE_VERSION=$CODEBUILD_RESOLVED_SOURCE_VERSION
73 ENV NEXT_PUBLIC_CODEBUILD_BUILD_ID=$CODEBUILD_BUILD_ID
74 ENV NEXT_PUBLIC_CTF_ENVIRONMENT_ID=$CONTENTFUL_ENVIRONMENT_ID
75 ENV NEXT_PUBLIC_CODEBUILD_BUILD_NUMBER=$CODEBUILD_BUILD_NUMBER
76 ENV NEXT_PUBLIC_CODEBUILD_START_TIME=$CODEBUILD_START_TIME
77
78 COPY --chown=app_user:app_user components pages public queries styles lib @types ./
79 COPY --chown=app_user:app_user tsconfig.json constants.js next.config.js .babelrc ./
80 COPY --chown=app_user:app_user scripts/cache/ ./scripts/cache
81
82 COPY --chown=app_user:app_user --from=deps /usr/src/app/package.json ./
83 COPY --chown=app_user:app_user --from=deps /usr/src/app/node_modules ./node_modules
84
85 ENV CACHE_REFRESH_SECRET_TOKEN=$CACHE_REFRESH_SECRET_TOKEN
86
87 RUN CODEBUILD_BUILD_ID=$CODEBUILD_BUILD_ID DEBUG=graphql:errors,graphql:queries,cache:redis DEBUG_COLORS=true npm run build
88
89 EXPOSE 8080 6379
90 ENTRYPOINT [ "npm", "start"]
對於在容器中運行的 Mosquitto 和 loading.key 文件,該文件應該具有哪些用戶/組/權限?
[英]What user/group/permissions should the file have, for Mosquitto running in container and loading .key file?
如何映射主機上已存在的Docker容器中定義的用戶權限
[英]How to map user permissions defined in a Docker container that already exist on the host
在Windows主機上的docker容器內的已安裝文件夾中更改文件權限
[英]Change file permissions in mounted folder inside docker container on Windows Host
我應該將“package-lock.json”復制到 Dockerfile 中的容器映像中嗎?
[英]Should I copy `package-lock.json` to the container image in Dockerfile?
如果我在 docker 容器中運行 redis,在 django 的主機中應該提到什么?
[英]What should be the mentioned in the host in django if I'm running redis in a docker container?
將主機目錄復制到DockerFile中的容器時出現ModuleNotFoundError
[英]ModuleNotFoundError When Copying a Host Directory to Container in DockerFile
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
用戶應該具有哪些權限來公開docker容器端口?
對於在容器中運行的 Mosquitto 和 loading.key 文件,該文件應該具有哪些用戶/組/權限?
我應該在Dockerfile中設置什么PYTHONPATH?
如何映射主機上已存在的Docker容器中定義的用戶權限
在Windows主機上的docker容器內的已安裝文件夾中更改文件權限
我應該將“package-lock.json”復制到 Dockerfile 中的容器映像中嗎?
如果我在 docker 容器中運行 redis,在 django 的主機中應該提到什么?
將主機目錄復制到DockerFile中的容器時出現ModuleNotFoundError
Docker(Dockerfile):從主機到容器共享目錄
將容器端口綁定到Dockerfile內的主機
相關標簽