dsgdfg30210
dsgdfg30210
2014-10-25 10:48

如何以无人身份从零开始在docker中运行我的Go webapp?

已采纳

I don't want to run anything in a docker container as root. And I want minimalistic images.

I can run my compiled Go app in the scratch-image without a problem. But when I don't want it to run as root (i assume its running as root) and define USER nobody in the dockerfile I get

014/10/25 06:07:10 Error response from daemon: Cannot start container 
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21: 
finalize namespace setup user get supplementary groups Unable to find user nobody

here is my dockerfile

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

EDIT ------------

turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.

i ll use debian as i don't wont to run anything as root within a container because ...

Treat root within a container as if it is root outside of the container

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答

4条回答

  • dongwen3437 dongwen3437 7年前

    turns out that scratch is empty, very empty.

    RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.

    i ll use debian as i don't wont to run anything as root within a container because ...

    Treat root within a container as if it is root outside of the container

    http://opensource.com/business/14/7/docker-security-selinux

    点赞 评论 复制链接分享
  • doutale7115 doutale7115 7年前

    You still have to add the user before you can use it with the USER command.

    FROM scratch
    ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
    ADD web /web
    RUN useradd nobody
    USER nobody
    CMD ["./lichtpunkt_go_linux_amd64"]
    EXPOSE 3001
    
    点赞 评论 复制链接分享
  • douzhuican0041 douzhuican0041 7年前

    Before the USER command, add this line: ADD passwd.minimal /etc/passwd

    With the following line in the file passwd.minimal: nobody:x:65534:65534:Nobody:/:

    点赞 评论 复制链接分享
  • dongmeng1868 dongmeng1868 3年前

    The solution is to use multi-stage build and copy /etc/passwd, as explained in this nice blog-post by Liz Rice.

    点赞 评论 复制链接分享