我有一个docker容器,里面运行着一些进程(uwsgi和celery)。我想为这些进程创建一个celery用户和一个uwsgi用户,以及一个它们都属于的worker组,以便分配权限。
我尝试将RUN adduser uwsgi
和RUN adduser celery
添加到我的Dockerfile文件中,但这会导致问题,因为这些命令会提示输入(我已经发布了下面构建的响应)。
将用户添加到Docker容器中,以便为容器中运行的worker设置权限的最佳方式是什么?
我的Docker镜像是从官方的Ubuntu14.04基础构建的。
以下是运行adduser命令时Dockerfile的输出:
Adding user `uwsgi' ...
Adding new group `uwsgi' (1000) ...
Adding new user `uwsgi' (1000) with group `uwsgi' ...
Creating home directory `/home/uwsgi' ...
Copying files from `/etc/skel' ...
[91mEnter new UNIX password: Retype new UNIX password: [0m
[91mpasswd: Authentication token manipulation error
passwd: password unchanged
[0m
[91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 563.
[0m
[91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 564.
[0m
Try again? [y/N]
Changing the user information for uwsgi
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []: Work Phone []: Home Phone []: Other []:
[91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 589.
[0m
[91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 590.
[0m
Is the information correct? [Y/n]
---> 258f2f2f13df
Removing intermediate container 59948863162a
Step 5 : RUN adduser celery
---> Running in be06f1e20f64
Adding user `celery' ...
Adding new group `celery' (1001) ...
Adding new user `celery' (1001) with group `celery' ...
Creating home directory `/home/celery' ...
Copying files from `/etc/skel' ...
[91mEnter new UNIX password: Retype new UNIX password: [0m
[91mpasswd: Authentication token manipulation error
passwd: password unchanged
[0m
[91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 563.
[0m
[91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 564.
[0m
Try again? [y/N]
Changing the user information for celery
Enter the new value, or press ENTER for the default
Full Name []: Room Number []: Work Phone []:
Home Phone []: Other []:
[91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 589.
[0m
[91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 590.
[0m
Is the information correct? [Y/n]
发布于 2014-12-30 18:05:10
诀窍是使用useradd
而不是它的交互式包装器adduser
。我通常使用以下命令创建用户:
RUN useradd -ms /bin/bash newuser
这将为用户创建一个主目录,并确保bash是默认的shell。
然后,您可以添加:
USER newuser
WORKDIR /home/newuser
添加到您的dockerfile。之后的每个命令以及交互会话都将以newuser
用户身份执行
docker run -t -i image
newuser@131b7ad86360:~$
在调用user命令之前,您可能必须授予newuser
执行要运行的程序的权限。
出于安全考虑,在容器中使用非特权用户是一个好主意。它也有一些缺点。最重要的是,从您的映像派生映像的用户必须切换回root用户,然后才能使用超级用户权限执行命令。
发布于 2015-04-22 20:15:24
为了避免adduser的互动问题,您可以使用以下参数进行调用:
RUN adduser --disabled-password --gecos '' newuser
--gecos
参数用于设置附加信息。在这种情况下,它只是空的。
在带有busybox的系统上(如Alpine),使用
RUN adduser -D -g '' newuser
发布于 2019-01-31 01:18:20
从安全的角度来看,在docker中添加用户并在该用户下运行您的应用程序是非常好的做法。要做到这一点,我推荐以下步骤:
FROM node:10-alpine
# Copy source to container
RUN mkdir -p /usr/app/src
# Copy source code
COPY src /usr/app/src
COPY package.json /usr/app
COPY package-lock.json /usr/app
WORKDIR /usr/app
# Running npm install for production purpose will not run dev dependencies.
RUN npm install -only=production
# Create a user group 'xyzgroup'
RUN addgroup -S xyzgroup
# Create a user 'appuser' under 'xyzgroup'
RUN adduser -S -D -h /usr/app/src appuser xyzgroup
# Chown all the files to the app user.
RUN chown -R appuser:xyzgroup /usr/app
# Switch to 'appuser'
USER appuser
# Open the mapped port
EXPOSE 3000
# Start the process
CMD ["npm", "start"]
以上步骤是复制NodeJS项目文件、创建用户组和用户、为用户分配项目文件夹的权限、切换到新创建的用户并在该用户下运行应用程序的完整示例。
https://stackoverflow.com/questions/27701930
复制相似问题