dsgdfg30210
dsgdfg30210
2014-10-25 10:48
浏览 22

如何以无人身份从零开始在docker中运行我的Go webapp?

I don't want to run anything in a docker container as root. And I want minimalistic images.

I can run my compiled Go app in the scratch-image without a problem. But when I don't want it to run as root (i assume its running as root) and define USER nobody in the dockerfile I get

014/10/25 06:07:10 Error response from daemon: Cannot start container 
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21: 
finalize namespace setup user get supplementary groups Unable to find user nobody

here is my dockerfile

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

EDIT ------------

turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.

i ll use debian as i don't wont to run anything as root within a container because ...

Treat root within a container as if it is root outside of the container

图片转代码服务由CSDN问答提供 功能建议

我不想以root用户身份在docker容器中运行任何东西。 我希望使用简约的图像。

我可以在暂存映像中运行编译的Go应用程序而不会出现问题。 但是当我不希望它以root身份运行时(我假设其以root身份运行) 并定义USER 我得到的dockerfile中没有人

  014/10/25 06:07:10来自守护程序的错误响应:无法启动容器
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21:
finalize名称空间设置用户无法获取补充组 查找用户无人
   
 
 

这是我的dockerfile

  FROM scratch 
ADD lichtpunkt_go_linux_amd64 / lichtpunkt_go_linux_amd64 
ADD web / 网络
用户没人
CMD [“ ./lichtpunkt_go_linux_amd64"]
EXPOSE 3001 
   
 
 

编辑------------

证明划痕是空的,非常空的。

RUN useradd将执行/ bin / sh -c useradd ,但没有/ bin / sh。 RUN [“ useradd”]将直接执行。 但是没有useradd。 i必须添加rootfs.tar并从零开始构建内容。

我将使用debian,因为我不会在容器中以root身份运行任何东西 因为...

在容器内处理根目录,就像它在 容器外一样

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

4条回答 默认 最新

  • dongwen3437
    dongwen3437 2014-10-26 17:47
    已采纳

    turns out that scratch is empty, very empty.

    RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.

    i ll use debian as i don't wont to run anything as root within a container because ...

    Treat root within a container as if it is root outside of the container

    http://opensource.com/business/14/7/docker-security-selinux

    点赞 评论
  • doutale7115
    doutale7115 2014-10-26 14:51

    You still have to add the user before you can use it with the USER command.

    FROM scratch
    ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
    ADD web /web
    RUN useradd nobody
    USER nobody
    CMD ["./lichtpunkt_go_linux_amd64"]
    EXPOSE 3001
    
    点赞 评论
  • douzhuican0041
    douzhuican0041 2014-11-24 20:44

    Before the USER command, add this line: ADD passwd.minimal /etc/passwd

    With the following line in the file passwd.minimal: nobody:x:65534:65534:Nobody:/:

    点赞 评论
  • dongmeng1868
    dongmeng1868 2018-12-23 12:03

    The solution is to use multi-stage build and copy /etc/passwd, as explained in this nice blog-post by Liz Rice.

    点赞 评论

相关推荐