将用户添加到Docker容器

我有一个docker容器,里面运行着一些进程(uwsgi和celery).我想为这些进程创建一个芹菜用户和一个uwsgi用户以及他们都属于的工作组,以便分配权限.

我尝试添加RUN adduser uwsgi和RUN adduser celery我的Dockerfile,但这导致问题,因为这些命令提示输入(我已经发布了下面的构建响应).

将用户添加到Docker容器以便为容器中运行的工作程序设置权限的最佳方法是什么？

我的Docker镜像是从官方的Ubuntu14.04基础构建的.

以下是运行adduser命令时Dockerfile的输出:

Adding user `uwsgi' ...
Adding new group `uwsgi' (1000) ... 
Adding new user `uwsgi' (1000) with group `uwsgi' ... 
Creating home directory `/home/uwsgi' ...
Copying files from `/etc/skel' ... 
[91mEnter new UNIX password: Retype new UNIX password: [0m 
[91mpasswd: Authentication token manipulation error
passwd: password unchanged
[0m 
[91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 563.
[0m 
[91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 564.
[0m 
Try again? [y/N] 
Changing the user information for uwsgi
Enter the new value, or press ENTER for the default
    Full Name []: 
Room Number []:     Work Phone []:  Home Phone []:  Other []: 
[91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 589.
[0m 
[91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 590.
[0m 
Is the information correct? [Y/n] 
---> 258f2f2f13df 
Removing intermediate container 59948863162a 
Step 5 : RUN adduser celery 
---> Running in be06f1e20f64 
Adding user `celery' ...
Adding new group `celery' (1001) ... 
Adding new user `celery' (1001) with group `celery' ... 
Creating home directory `/home/celery' ...
Copying files from `/etc/skel' ... 
[91mEnter new UNIX password: Retype new UNIX password: [0m 
[91mpasswd: Authentication token manipulation error
passwd: password unchanged
[0m 
[91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 563.
[0m 
[91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 564.
[0m 
Try again? [y/N] 
Changing the user information for celery
Enter the new value, or press ENTER for the default
    Full Name []:   Room Number []:     Work Phone []: 
Home Phone []:  Other []: 
[91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 589.
[0m 
[91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 590.
[0m 
Is the information correct? [Y/n] 

小智.. 410

诀窍是使用useradd而不是它的交互式包装adduser.我通常创建用户:

RUN useradd -ms /bin/bash newuser

这为用户创建了一个主目录,并确保bash是默认的shell.

然后你可以添加:

USER newuser
WORKDIR /home/newuser

你的dockerfile.之后的每个命令以及交互式会话都将以用户身份执行newuser:

docker run -t -i image
newuser@131b7ad86360:~$

newuser在调用user命令之前,您可能必须授予执行要运行的程序的权限.

出于安全原因,在容器内使用非特权用户是个好主意.它也有一些缺点.最重要的是,从图像中获取图像的人必须切换回root才能执行具有超级用户权限的命令.

诀窍是使用useradd而不是它的交互式包装adduser.我通常创建用户:

RUN useradd -ms /bin/bash newuser

这为用户创建了一个主目录,并确保bash是默认的shell.

然后你可以添加:

USER newuser
WORKDIR /home/newuser

你的dockerfile.之后的每个命令以及交互式会话都将以用户身份执行newuser:

docker run -t -i image
newuser@131b7ad86360:~$

newuser在调用user命令之前,您可能必须授予执行要运行的程序的权限.

出于安全原因,在容器内使用非特权用户是个好主意.它也有一些缺点.最重要的是,从图像中获取图像的人必须切换回root才能执行具有超级用户权限的命令.

RUN adduser --disabled-password --gecos '' newuser

RUN adduser -D -g '' newuser

RUN useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo -u 1000 ubuntu
USER ubuntu
WORKDIR /home/ubuntu

FROM node:10-alpine

# Copy source to container
RUN mkdir -p /usr/app/src

# Copy source code
COPY src /usr/app/src
COPY package.json /usr/app
COPY package-lock.json /usr/app

WORKDIR /usr/app

# Running npm install for production purpose will not run dev dependencies.
RUN npm install -Only=production    

# Create a user group 'xyzgroup'
RUN addgroup -S xyzgroup

# Create a user 'appuser' under 'xyzgroup'
RUN adduser -S -D -h /usr/app/src appuser xyzgroup

# Chown all the files to the app user.
RUN chown -R appuser:xyzgroup /usr/app

# Switch to 'appuser'
USER appuser

# Open the mapped port
EXPOSE 3000

# Start the process
CMD ["npm", "start"]