
docker - Trying to build a container that will run as a non-root - Stack Overflow


I'm trying to create an image (Ubuntu) that will build my code. I hope the container will run as a non-root user (jenkins). The host and the container share the source directory. The container will read source code and generate some artifacts, as builds do. Here is (a readable version of) my Dockerfile:

FROM ubuntu:24.04
USER root

# Install sudo and adduser in one layer; useradd is not a package on Ubuntu
# (it ships with the base image in the passwd package).
RUN apt-get update -y && apt-get install -y sudo adduser

# Create the build user with a home directory and a bash login shell;
# it gets the next free uid, which is 1001 in this image.
RUN useradd -ms /bin/bash builder
RUN adduser builder sudo
# Everyone in group sudo can become root without a password.
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

# Switch to the build user (the id output below shows builder, uid 1001).
USER builder
RUN mkdir -p /home/builder/workspace
WORKDIR /home/builder/workspace

I'm building the image with: docker build --tag build .

The image contains a new user called builder, with uid 1001. On the host, the user id can be anything but 1001.

$ docker run build id
uid=1001(builder) gid=1001(builder) groups=1001(builder),27(sudo)

$ id
uid=1000(myname) gid=1000(myname) groups=1000(myname),....,27(sudo),124(docker)

I'm running this image sharing my source code directory:

docker run -it -v /home/myname/workspace:/home/builder/workspace -w /home/builder/workspace build

Finally, inside the container I'm hoping to do a build. I'm getting access denied:

builder@95cfd88194e0:~/workspace$ touch x
touch: cannot touch 'x': Permission denied

This is expected, because user builder is unknown at the host. I'm trying various things - all with no success.

  1. The amazing thing is that this is a regression. Had the first line of the Dockerfile been FROM ubuntu:20.04, it would work without a problem. What happened between 20.04 and 24.04?
  2. I tried to create user builder on the host, and add this user to my group: adduser builder myname.
  3. I can get writes working if the uid on the host matches the uid in the container. I do that with useradd -ms /bin/bash -u 1200 builder on both the container and the host, and if the volume I'm sharing is /home/builder on the host. This is very inconvenient, because I want to work in /home/myname.

UPDATE

Following a comment from @DavidMaze (below), running the container with -u $(id -u) does work, with two problems:

  1. The user is not in the sudo group in the container. I'm not sure whether this is a problem or not.
  2. If the id of the user on the host is unknown in the container (say 1005), then I get a weird prompt, and id returns root as the group:
I have no name!@0123456789ab:/my/path$ 
I have no name!@0123456789ab:/my/path$ id
uid=1005 gid=0(root) groups=0(root)

Giving the -u parameter a gid of a group that doesn't exist in the container also produces (other) error prompts.
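The root cause of the "regression" in point 1 and of the gid=0 output in the update is the same: the ubuntu:24.04 image ships a default ubuntu account at uid/gid 1000, which ubuntu:20.04 did not, so builder is pushed to uid 1001 and no longer lines up with the host user, and `-u` with only a uid leaves the primary gid at 0. The usual fix is to create the build user with the host's ids at build time instead of hoping the numbers coincide. The following Dockerfile is an added example, not code from the question or from any of the answers; the UID/GID defaults, the build-essential package and the userdel step are assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1
FROM ubuntu:24.04

# Host uid/gid, passed in at build time; the defaults are assumed here.
ARG UID=1000
ARG GID=1000

# ubuntu:24.04 ships an "ubuntu" account at uid/gid 1000 (ubuntu:20.04 did not).
# Drop it so the requested ids are free, then create the build user with
# exactly the host's uid and gid. The group is only created if the gid is
# not already taken inside the image.
RUN userdel -r ubuntu 2>/dev/null || true \
 && (getent group "${GID}" >/dev/null || groupadd -g "${GID}" builder) \
 && useradd -m -u "${UID}" -g "${GID}" -s /bin/bash builder

# Everything the build needs is installed while still root; build-essential is an
# assumed placeholder for the real toolchain. No sudo: a passwordless sudo rule
# would make the non-root user root in all but name.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        build-essential \
 && rm -rf /var/lib/apt/lists/*

USER builder
WORKDIR /home/builder/workspace
```

Build and run it with the host's ids, so files written into the bind mount are owned by you: `docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g) --tag build .` and then `docker run -it -v "$HOME/workspace:/home/builder/workspace" build`. The `id` output inside the container then shows builder with your own uid/gid rather than uid=1005 gid=0(root). If rebuilding is not an option, `docker run -u "$(id -u):$(id -g)" ...` at least fixes the gid=0 part of the update; the "I have no name!" prompt stays, because there is still no /etc/passwd entry for that uid, which is cosmetic for a build. Whichever route you take, the `%sudo ALL=(ALL) NOPASSWD:ALL` line from the original Dockerfile is worth dropping: anything that gets code execution as builder can become root inside the container without a password, which defeats the point of running the build as a non-root user.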
