dsgdfg30210
dsgdfg30210
2014-10-25 10:48
浏览 22
已采纳

如何以无人身份从零开始在docker中运行我的Go webapp?

I don't want to run anything in a docker container as root. And I want minimalistic images.

I can run my compiled Go app in the scratch-image without a problem. But when I don't want it to run as root (i assume its running as root) and define USER nobody in the dockerfile I get

014/10/25 06:07:10 Error response from daemon: Cannot start container 
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21: 
finalize namespace setup user get supplementary groups Unable to find user nobody

here is my dockerfile

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

EDIT ------------

turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.

i ll use debian as i don't wont to run anything as root within a container because ...

Treat root within a container as if it is root outside of the container

图片转代码服务由CSDN问答提供 功能建议

我不想以root用户身份在docker容器中运行任何东西。 我希望使用简约的图像。

我可以在暂存映像中运行编译的Go应用程序而不会出现问题。 但是当我不希望它以root身份运行时(我假设其以root身份运行) 并定义USER 我得到的dockerfile中没有人 

  014/10/25 06:07:10来自守护程序的错误响应:无法启动容器
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21:
finalize名称空间设置用户无法获取补充组 查找用户无人
   
 
 
这是我的dockerfile  
 
 
  FROM scratch 
ADD lichtpunkt_go_linux_amd64 / lichtpunkt_go_linux_amd64 
ADD web / 网络
用户没人
CMD [“ ./lichtpunkt_go_linux_amd64"]
EXPOSE 3001 
   
 
 
编辑------------   
 
 
证明划痕是空的,非常空的。   
 
 
 RUN useradd将执行/ bin / sh -c useradd 
,但没有/ bin / sh。  
RUN [“ useradd”]将直接执行。  
但是没有useradd。  
i必须添加rootfs.tar并从零开始构建内容。   
 
 
我将使用debian,因为我不会在容器中以root身份运行任何东西
因为...  
 
 
 
 
  在容器内处理根目录,就像它在
容器外一样
  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

4条回答 默认 最新

  • dongwen3437
    dongwen3437 2014-10-26 17:47
    已采纳

    turns out that scratch is empty, very empty.

    RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.

    i ll use debian as i don't wont to run anything as root within a container because ...

    Treat root within a container as if it is root outside of the container

    http://opensource.com/business/14/7/docker-security-selinux

    点赞 评论
  • doutale7115
    doutale7115 2014-10-26 14:51

    You still have to add the user before you can use it with the USER command. 

    FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
RUN useradd nobody
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001
    点赞 评论
  • douzhuican0041
    douzhuican0041 2014-11-24 20:44

    Before the USER command, add this line: ADD passwd.minimal /etc/passwd

    With the following line in the file passwd.minimal: nobody:x:65534:65534:Nobody:/:

    点赞 评论
  • dongmeng1868
    dongmeng1868 2018-12-23 12:03

    The solution is to use multi-stage build and copy /etc/passwd, as explained in this nice blog-post by Liz Rice.

    点赞 评论
提交

相关推荐