从头开始的非特权执行

huangapple go评论92阅读模式
英文:

non-privileged execution FROM scratch

问题

我正在使用空白镜像构建/部署Go/Golang微服务。

在使用这种方式构建的镜像上指定非特权执行是否可行?因为镜像上只有两个文件——Go可执行文件和一个根证书文件——所以容器内没有特权的概念。

我还使用只读容器和--selinux-enabled=true --icc=false --iptables=true,但如果我知道可执行文件以一个“普通”的非特权用户身份运行,会更加安心。

英文:

I'm building/deploying go/golang micro-services on images FROM scratch.

Is it possible to specify non-privileged execution on an image built this way -- there are only two files on the image–the go executable and a root certificate file–so there doesn't seem to be any concept of privilege within the container.

I also use read-only containers and --selinux-enabled=true --icc=false --iptables=true, but would feel more warm and fuzzy if I knew that the executable was running as a "common" non-privileged user.

答案1

得分: 0

您似乎没有选择在从“FROM scratch”构建的镜像中运行的用户(root)内部运行CMD的权利。

但是根据容器的定义,该用户只能影响自己的(磁盘、内存、资源)空间,而不能影响主机。所以这应该没有关系。

唯一的其他选择是仅为声明一个卷容器而定义一个从头开始的容器,然后在一个能够以非root用户运行的完整镜像中使用该卷容器。
参见“在容器内部以非root用户身份运行

$ echo 'FROM scratch
ADD data.tar /
VOLUME ["/data"]' > Dockerfile

$ docker build -t minimal .
$ docker create --name minimal minimal :

挂载此最小卷容器的容器需要使用ID为1000的用户创建:

$ docker run --rm --volumes-from minimal  -it debian:jessie /bin/bash -c 'useradd postgres && ls -l /data';

这不是您所需要的(因为Go程序不需要任何动态库,可以仅依靠系统调用运行)。但这说明了非root用户如何使用“FROM scratch”容器(这里作为一个卷)。

英文:

You don't seem to have any choice in the user (root) running the CMD inside a container launched from an image built "FROM scratch".

But by definition of a container, that user can only influence its own (disk, memory, resources) space, not the host. So it should not matter.

The only other alternative would be to define a container from scratch only for declaring a volume container, that you would use in a full-fledged image able to run with a non-root user.
See "Running as a non-root inside a container"

$ echo 'FROM scratch
ADD data.tar /
VOLUME ["/data"]' > Dockerfile

$ docker build -t minimal .
$ docker create --name minimal minimal :

> The container that mounts this minimal volume container needs to create the user with id 1000:

$ docker run --rm --volumes-from minimal  -it debian:jessie /bin/bash -c 'useradd postgres && ls -l /data'

That is not what you need (since the Go program does not need any dynamic libraries, and can run solely on system calls). But that illustrates how a non-root user can use a "FROM scratch" container (here as a volume)

huangapple
  • 本文由 发表于 2017年2月15日 05:56:46
  • 转载请务必保留本文链接:https://go.coder-hub.com/42237002.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定