How do I run my Go application in the scratch container as the user "nobody?"

Question


I don't want to run anything in a docker container as root.
And I want minimalistic images.

I can run my compiled Go app in the scratch image without a problem.
But when I don't want it to run as root (I assume it's running as root)
and define USER nobody in the Dockerfile, I get:

014/10/25 06:07:10 Error response from daemon: Cannot start container 
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21: 
finalize namespace setup user get supplementary groups Unable to find user nobody

Here is my Dockerfile:

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

EDIT ------------

Turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd,
but there is no /bin/sh.
RUN ["useradd"] would exec directly,
but there is no useradd.
I'd have to add rootfs.tar and build stuff from zero.

I'll use Debian as I don't want to run anything as root within a container
because ...

> Treat root within a container as if it is root outside of the
> container

Answer 1

Score: 10


The solution is to use a multi-stage build and copy /etc/passwd, as explained in this nice blog post by Liz Rice.

Answer 2

Score: 5


Create a file with the following content and COPY it into the scratch container as /etc/passwd.

nobody:*:65534:65534:nobody:/_nonexistent:/bin/false

You can COPY /bin/false as well; or you don’t, in which case, attempts to log in as nobody will simply just fail.

su: failed to execute /bin/false: No such file or directory

Answer 3

Score: 2


Before the USER command, add this line:
ADD passwd.minimal /etc/passwd

With the following line in the file passwd.minimal:
nobody:x:65534:65534:Nobody:/:
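A complete multi-stage build that puts answers 1 to 3 together, added here as an example; it is not code from the question or from any of the answers. It assumes the application source is in the build context, a builder tag of golang:1.22-alpine (any Go toolchain image will do), and the file names from the question. The passwd and group lines are written by hand rather than produced by useradd, so nothing from the builder's own account database ends up in the final image.

```dockerfile
# Stage 1: build a static binary and prepare the account files the final
# image needs. golang:1.22-alpine is an assumed tag; use whatever you build with.
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 produces a fully static binary, so scratch needs no libc.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /out/lichtpunkt_go_linux_amd64 .
# Hand-written passwd and group entries for uid/gid 65534 ("nobody").
# The shell field names a program that will not exist in the final image;
# that is intentional, nothing in scratch could start a login shell anyway.
RUN printf 'nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin\n' > /out/passwd \
 && printf 'nobody:x:65534:\n' > /out/group

# Stage 2: the runtime image. Only the binary, the static assets and the two
# account files are copied; no package manager, shell or useradd is present.
FROM scratch
COPY --from=build /out/passwd /etc/passwd
COPY --from=build /out/group  /etc/group
COPY --from=build /out/lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
# Assets stay owned by root (uid 0) and world-readable, so the unprivileged
# process can read but not modify them.
COPY web /web
# USER by name needs the /etc/passwd copied above. A numeric "USER 65534:65534"
# would start without any passwd file, but then the name "nobody" means nothing.
USER nobody
# A port above 1024 needs no CAP_NET_BIND_SERVICE, so the unprivileged user can bind it.
EXPOSE 3001
ENTRYPOINT ["/lichtpunkt_go_linux_amd64"]
```

Build it with `docker build -t lichtpunkt .` and start a container. Since the image has no `id` binary, check the effective user from the host with `docker top <container>`, whose UID column should show 65534 (or `nobody`, if the host maps that uid to the name), or have the Go program log `os.Getuid()` at startup.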

Answer 4

Score: -1


Turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd, but there is no /bin/sh. RUN ["useradd"] would exec directly, but there is no useradd. I'd have to add rootfs.tar and build stuff from zero.

I'll use Debian as I don't want to run anything as root within a container because ...

> Treat root within a container as if it is root outside of the
> container

http://opensource.com/business/14/7/docker-security-selinux

Answer 5

Score: -3


You still have to add the user before you can use it with the USER command.

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
RUN useradd nobody
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

huangapple
  • Posted on 2014-10-25 18:48:25
  • Source: https://go.coder-hub.com/26561555.html