Set docker image username at container creation time?

Backend · Unresolved · 3 · 1020
情话喂你 2021-02-07 09:10

I have an OpenSuse 42.3 docker image that I've configured to run a code. The image has a single user(other than root) called "myuser" that I create during the initial Image g

3 answers
  • 2021-02-07 09:52

    First of all (https://docs.docker.com/engine/reference/builder/#arg):

    Warning: It is not recommended to use build-time variables for passing secrets like github keys, user credentials etc. Build-time variable values are visible to any user of the image with the docker history command.

    But if you still need to do this, read https://docs.docker.com/engine/reference/builder/#arg:

    A Dockerfile may include one or more ARG instructions. For example, the following is a valid Dockerfile:

    FROM busybox
    ARG user1
    ARG buildno
    ...
    

    and https://docs.docker.com/engine/reference/builder/#user:

    The USER instruction sets the user name (or UID) and optionally the user group (or GID) to use when running the image and for any RUN, CMD and ENTRYPOINT instructions that follow it in the Dockerfile.

    USER <user>[:<group>] or
    USER <UID>[:<GID>]
    
    0 Discussion (0)
  • 2021-02-07 10:02

    Usernames are not important. What is important are the uid and gid values.

    User myuser inside your container will have a uid of 1000 (first non-root user id). Thus when you start your container and look at the container process from the host machine, you will see that the container is owned by whatever user has a uid of 1000 on the host machine.

    You can override this by specifying the user once you run your container using:

    docker run --user 1001 ...
    

    Therefore if you want the user inside the container to be able to access files on the host machine owned by a user with a uid of 1005, say, just run the container using --user 1005.

    To better understand how users map between the container and host take a look at this wonderful article. https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf

    0 Discussion (0)
  • 2021-02-07 10:07

    The below code has been checked into https://github.com/bmitch3020/run-as-user.

    I would handle this in an entrypoint.sh that checks the ownership of /home/myuser and updates the uid/gid of the user inside your container. It can look something like:

    #!/bin/sh
    
    set -x
    # get uid/gid of whatever owns /home/myuser (the bind-mounted host directory)
    USER_UID=`ls -nd /home/myuser | cut -f3 -d' '`
    USER_GID=`ls -nd /home/myuser | cut -f4 -d' '`
    
    # get the current uid/gid of myuser
    CUR_UID=`getent passwd myuser | cut -f3 -d: || true`
    CUR_GID=`getent group myuser | cut -f3 -d: || true`
    
    # if they don't match, adjust
    if [ -n "$USER_GID" ] && [ "$USER_GID" != "$CUR_GID" ]; then
      groupmod -g ${USER_GID} myuser
    fi
    # CUR_UID must be non-empty, otherwise the find below would match nothing useful
    if [ -n "$USER_UID" ] && [ -n "$CUR_UID" ] && [ "$USER_UID" != "$CUR_UID" ]; then
      usermod -u ${USER_UID} myuser
      # fix other permissions on the root filesystem (-mount); chown takes uid:gid,
      # the uid.gid form is deprecated
      find / -uid ${CUR_UID} -mount -exec chown ${USER_UID}:${USER_GID} {} \;
    fi
    
    
    # drop access to myuser and run cmd
    exec gosu myuser "$@"
    

    And here's some lines from a relevant Dockerfile:

    FROM debian:9
    ARG GOSU_VERSION=1.10
    
    # run as root, let the entrypoint drop back to myuser
    USER root
    
    # install prereq debian packages
    RUN apt-get update \
     && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         apt-transport-https \
         ca-certificates \
         curl \
         vim \
         wget \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
    
    # Install gosu (upstream also publishes .asc signatures for each release;
    # verify them with gpg in a production build instead of trusting the download)
    RUN dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
     && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
     && chmod 755 /usr/local/bin/gosu \
     && gosu nobody true
    
    RUN useradd -d /home/myuser -m myuser
    WORKDIR /home/myuser
    
    # entrypoint is used to update uid/gid and then run the users command
    COPY entrypoint.sh /entrypoint.sh
    ENTRYPOINT ["/entrypoint.sh"]
    # exec form, so the entrypoint receives /bin/sh directly instead of "/bin/sh -c /bin/sh"
    CMD ["/bin/sh"]
    

    Then to run it, you just need to mount /home/myuser as a volume and it will adjust permissions in the entrypoint. e.g.:

    $ docker build -t run-as-user . 
    $ docker run -it --rm -v $(pwd):/home/myuser run-as-user /bin/bash
    

    Inside that container you can run id and ls -l to see that you have access to /home/myuser files.

    0 Discussion (0)
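As an added example (not code from either answer above, nor from the run-as-user repository), here the uid/gid decision logic of the entrypoint in this answer, together with the uid-based mapping the previous answer describes, is factored into shell functions that can be run and tested without root or Docker. The function names owner_ids, plan_remap and plan_for_dir are hypothetical, and `stat -c` assumes GNU or busybox coreutils. plan_remap prints the commands the entrypoint would run instead of running them, and it refuses a root-owned mount: if /home/myuser was never mounted, or the host directory belongs to root, the entrypoint above computes USER_UID=0; usermod then refuses to reuse uid 0 (it is already root's) but the find/chown line still runs and hands myuser's files to root.

```sh
#!/bin/sh
# Added example: uid/gid remap planning for a container entrypoint.
# Function names are hypothetical; stat -c assumes GNU or busybox coreutils.

# owner_ids DIR: print "uid gid" of DIR's owner. stat is less fragile than
# parsing `ls -nd` output, which breaks on unusual file names.
owner_ids() {
    stat -c '%u %g' "$1"
}

# plan_remap MOUNT_UID MOUNT_GID CUR_UID CUR_GID
# Print, one per line, the commands an entrypoint would run to make the
# container user match the mount owner; print nothing when they already
# match. Return 1 (printing nothing) when the mount owner is not a safe
# target: a non-numeric value, or uid/gid 0. A root-owned mount must never
# turn the unprivileged user into uid 0 or chown its files to root.
plan_remap() {
    m_uid=$1; m_gid=$2; c_uid=$3; c_gid=$4
    for v in "$m_uid" "$m_gid" "$c_uid" "$c_gid"; do
        case "$v" in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    if [ "$m_uid" -eq 0 ] || [ "$m_gid" -eq 0 ]; then
        return 1
    fi
    if [ "$m_gid" -ne "$c_gid" ]; then
        printf 'groupmod -g %s myuser\n' "$m_gid"
    fi
    if [ "$m_uid" -ne "$c_uid" ]; then
        printf 'usermod -u %s myuser\n' "$m_uid"
        # -xdev keeps find on the root filesystem, as -mount does in the
        # answer; "{} +" batches paths instead of forking one chown per file
        printf 'find / -xdev -uid %s -exec chown %s:%s {} +\n' "$c_uid" "$m_uid" "$m_gid"
    fi
    return 0
}

# plan_for_dir DIR CUR_UID CUR_GID: glue the two together for a real directory,
# e.g. plan_for_dir /home/myuser "$(id -u myuser)" "$(id -g myuser)"
plan_for_dir() {
    dir=$1; cur_uid=$2; cur_gid=$3
    ids=$(owner_ids "$dir") || return 1
    # $ids is "uid gid"; unquoted on purpose so it splits into two arguments
    plan_remap $ids "$cur_uid" "$cur_gid"
}
```

In an entrypoint you would pipe the output of plan_for_dir through `sh` (or run the same branches directly) and fall through to `exec gosu myuser "$@"` on return code 0; a return code of 1 is the signal to start without remapping rather than to guess.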