如何在scratch容器中以用户”nobody”身份运行我的Go应用程序?

huangapple go评论100阅读模式
英文:

How do I run my Go application in the scratch container as the user "nobody?"

问题

我不想以root身份在Docker容器中运行任何东西。
而且我想要简约的镜像。

我可以在scratch镜像中运行我的编译后的Go应用程序,没有问题。
但是当我不想它以root身份运行(我假设它正在以root身份运行)
并在Dockerfile中定义USER nobody时,我会得到以下错误:

014/10/25 06:07:10 Error response from daemon: Cannot start container 
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21: 
finalize namespace setup user get supplementary groups Unable to find user nobody

这是我的Dockerfile:

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

编辑 ------------

事实证明scratch是空的,非常空。

RUN useradd会执行/bin/sh -c useradd
但是没有/bin/sh。
RUN ["useradd"]会直接执行。
但是没有useradd。
我必须添加rootfs.tar并从零开始构建。

我将使用Debian,因为我不想在容器内以root身份运行任何东西
因为...

将容器内的root视为容器外的root

英文:

I don't want to run anything in a docker container as root.
And I want minimalistic images.

I can run my compiled Go app in the scratch-image without a problem.
But when I don't want it to run as root (i assume its running as root)
and define USER nobody in the dockerfile I get

014/10/25 06:07:10 Error response from daemon: Cannot start container 
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21: 
finalize namespace setup user get supplementary groups Unable to find user nobody

here is my dockerfile

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

EDIT ------------

turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd
but there is no /bin/sh .
RUN ["useradd"] would exec directly.
but there is no useradd.
i d have to add rootfs.tar and build stuff from zero.

i ll use debian as i don't wont to run anything as root within a container
because ...

> Treat root within a container as if it is root outside of the
> container

答案1

得分: 10

解决方案是使用多阶段构建,并按照Liz Rice在这篇很好的博客文章中的解释,复制/etc/passwd

英文:

The solution is to use multi-stage build and copy /etc/passwd, as explained in this nice blog-post by Liz Rice.

答案2

得分: 5

创建一个文件,内容如下,并将其复制到scratch容器中的/etc/passwd位置。

nobody:*:65534:65534:nobody:/_nonexistent:/bin/false

你也可以将/bin/false复制过去;或者不复制,这样尝试以nobody身份登录将会失败。

su: failed to execute /bin/false: No such file or directory
英文:

Create a file with the following content and COPY it into the scratch container as /etc/passwd.

nobody:*:65534:65534:nobody:/_nonexistent:/bin/false

You can COPY /bin/false as well; or you don’t, in which case, attempts to log in as nobody will simply just fail.

su: failed to execute /bin/false: No such file or directory

答案3

得分: 2

USER命令之前添加以下行:
ADD passwd.minimal /etc/passwd

在passwd.minimal文件中添加以下行:
nobody:x:65534:65534:Nobody:/:

英文:

Before the USER command, add this line:
ADD passwd.minimal /etc/passwd

With the following line in the file passwd.minimal:
nobody:x:65534:65534:Nobody:/:

答案4

得分: -1

原来Scratch是空的,非常空。

RUN useradd会执行/bin/sh -c useradd,但是没有/bin/sh。RUN ["useradd"]会直接执行,但是没有useradd。我需要添加rootfs.tar并从零开始构建。

我会使用Debian,因为我不想在容器内以root身份运行任何东西,因为...

将容器内的root视为容器外的root

http://opensource.com/business/14/7/docker-security-selinux

英文:

turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.

i ll use debian as i don't wont to run anything as root within a container because ...

> Treat root within a container as if it is root outside of the
> container

http://opensource.com/business/14/7/docker-security-selinux

答案5

得分: -3

你在使用USER命令之前仍然需要添加用户。

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
RUN useradd nobody
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001
英文:

You still have to add the user before you can use it with the USER command.

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
RUN useradd nobody
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

huangapple
  • 本文由 发表于 2014年10月25日 18:48:25
  • 转载请务必保留本文链接:https://go.coder-hub.com/26561555.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定