Use non-root users to execute script operations in docker containers

After an application is containerized, a Docker container runs its commands as root by default, so the application inside the container also runs as root, which is a significant security risk. How, then, can we run the application as a non-root business user?

Let me give you a simple example to illustrate this.

This example runs a simple shell script as a user created inside the container and persists the script's log output outside the container. Let's walk through the whole process, from building the image to running the container.

1. Build the image:

I will use a Dockerfile to build the image. The base image is ubuntu 14.04 (pull it first with docker pull ubuntu:14.04). The Dockerfile content is as follows:

[root@host09 test]# cat Dockerfile
FROM docker.io/ubuntu:14.04
MAINTAINER He Pengfei

# create a user group
RUN groupadd hpf
# create a user
RUN useradd -d /data -g hpf -m hpf
RUN su - hpf -c "mkdir -p /data/scripts"
RUN su - hpf -c "mkdir -p /data/logs"
WORKDIR /data/scripts
COPY test.sh /data/scripts/
RUN chown hpf:hpf test.sh
RUN chmod 755 test.sh

# use the created user to run the script
ENTRYPOINT su - hpf -c "/data/scripts/test.sh"
[root@host09 test]#

The script content is as follows:

[root@host09 test]# cat test.sh
while [ 1 = 1 ]
do
    # append the output to the log file; with the directory mounted at container start, the log persists outside the container
    echo `id` >> /data/logs/hpf.log
    sleep 1
done
[root@host09 test]#

Next, let's build the image:

[root@host09 test]# docker build -t hpf:v2 .
Sending build context to Docker daemon 3.072 kB
Step 1: FROM docker.io/ubuntu:14.04
 ---> c69811d4e993
Step 2: MAINTAINER hepengfei
 ---> Using cache
 ---> b8401d2eb439
Step 3: RUN groupadd hpf
 ---> Using cache
 ---> 2e0d20802c41
Step 4: RUN useradd -d /data -g hpf -m hpf
 ---> Using cache
 ---> bac36ee97aba
Step 5 : RUN su - hpf -c "mkdir -p /data/scripts"
 ---> Using cache
 ---> a92c3f5f8e34
Step 6 : RUN su - hpf -c "mkdir -p /data/logs"
 ---> Using cache
 ---> 2e8665da7092
Step 7: WORKDIR /data/scripts
 ---> Using cache
 ---> 7cf84a5a8aca
Step 8 : COPY test.sh /data/scripts/
 ---> 7e4c24de2096
Removing intermediate container f96358d91c35
Step 9 : RUN chown hpf:hpf test.sh
 ---> Running in fc9ab290c56c
 ---> f38afd1ea62c
Removing intermediate container fc9ab290c56c
Step 10 : RUN chmod 755 test.sh
 ---> Running in a35b507a1527
 ---> 5b5223249f4c
Removing intermediate container a35b507a1527
Step 11 : ENTRYPOINT su - hpf -c "/data/scripts/test.sh"
 ---> Running in 1ee7cc7fbec7
 ---> 26e7d603dbac
Removing intermediate container 1ee7cc7fbec7
Successfully built 26e7d603dbac
[root@host09 test]#

View the built image:

[root@host09 test]# docker images
REPOSITORY          TAG       IMAGE ID        CREATED          SIZE
hpf                 v2        26e7d603dbac    42 minutes ago   188.3 MB
docker.io/ubuntu    14.04     c69811d4e993    3 weeks ago      188 MB
[root@host09 test]#

2. Start the container:

Note that before starting the container you need to change the permissions of the /data/hepf/log directory on the host; otherwise the script inside the container will not have permission to write its log into that directory. I simply changed the directory permissions to 777.

[root@host09 test]# chmod 777 /data/hepf/log

[root@host09 test]# docker run -it -v /data/hepf/log:/data/logs hpf:v2

Now let's view the log files in the /data/hepf/log directory:

[root@host09 log]# pwd
/data/hepf/log
[root@host09 log]# ll
total 12
-rw-rw-r-- 1 1000 1000 10800 Sep  7 08:02 hpf.log
[root@host09 log]# tail -2 hpf.log
uid=1000(hpf) gid=1000(hpf) groups=1000(hpf)
uid=1000(hpf) gid=1000(hpf) groups=1000(hpf)
[root@host09 log]#

As you can see, the file's owner (uid 1000) is the hpf user created in the container:

hpf@ba688af3f598:~$ id
uid=1000(hpf) gid=1000(hpf) groups=1000(hpf)
hpf@ba688af3f598:~$

If the host has another user with the same uid as the user created in the container, that host user is shown as the owner of the log file; so far this has not caused any problems.

[root@host09 log]# cat /etc/passwd | grep hpf1
hpf1:x:1000:1000::/data1:/bin/bash
[root@host09 log]# ll
total 12
-rw-rw-r-- 1 hpf1 hpf1 11250 Sep  7 08:50 hpf.log
[root@host09 log]#
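Both points above (the host directory must be writable by the container user, and ownership is matched by numeric uid, so a host account with the same number shows up as the owner) can be checked from the host before the container is started. The helper below is an added example, not part of the original post; it assumes GNU or busybox stat, and the passwd file path is a parameter so the functions can be tried against a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): check how a host directory that
# will be bind-mounted into the container is seen by the container's non-root
# user. File ownership is matched by numeric uid/gid, never by name, so a host
# account that happens to have the same uid is displayed as the owner.
# Assumes GNU or busybox stat; file paths are parameters so the functions can
# be exercised against constructed sample files.

# Print the host account name that has the given numeric uid, or "<unmapped>"
# when no host account has it (the container's "hpf" may appear under another
# name, or as a bare number, on the host).
host_name_for_uid() {
  uid=$1
  passwd_file=${2:-/etc/passwd}
  name=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$passwd_file")
  if [ -n "$name" ]; then
    printf '%s\n' "$name"
  else
    printf '%s\n' "<unmapped>"
  fi
}

# Return 0 when a process running as uid/gid may write to the directory
# according to its mode bits, 1 when it may not, 2 when the path is not a
# directory. This is the condition the post satisfies with chmod 777.
dir_writable_by() {
  dir=$1; uid=$2; gid=$3
  [ -d "$dir" ] || return 2
  # owner uid, owner gid and octal mode, e.g. "0 0 755"
  set -- $(stat -c '%u %g %a' "$dir")
  owner=$1; group=$2
  # keep the last three digits (drops a leading setuid/setgid/sticky digit)
  mode=$(printf '%s' "$3" | sed 's/.*\(...\)$/\1/')
  if [ "$owner" = "$uid" ]; then
    digit=$(printf '%s' "$mode" | cut -c1)     # owner permissions
  elif [ "$group" = "$gid" ]; then
    digit=$(printf '%s' "$mode" | cut -c2)     # group permissions
  else
    digit=$(printf '%s' "$mode" | cut -c3)     # everyone else
  fi
  [ $((digit & 2)) -ne 0 ]                     # bit value 2 is the write bit
}

# Example run against the post's layout: container user hpf is uid/gid 1000.
if dir_writable_by /data/hepf/log 1000 1000; then
  echo "/data/hepf/log is writable by uid 1000 (host name: $(host_name_for_uid 1000))"
else
  echo "/data/hepf/log is not writable by uid 1000; chown 1000:1000 it rather than chmod 777"
fi
```

A practical consequence: instead of chmod 777, giving the directory to the container user's numeric ids (chown 1000:1000 /data/hepf/log) satisfies dir_writable_by without making the directory writable by every account on the host, and host_name_for_uid 1000 tells you in advance whether the owner will be displayed as hpf1 or as a bare number.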

This is the end of the simple example.

Additional knowledge: the Docker default storage directory and running Docker as a non-root user

Method 1

sudo docker info | grep "Docker Root Dir"

First stop the Docker service:

systemctl stop docker

or

service docker stop

Then move the entire /var/lib/docker directory to the destination path and link it back to the original location:

mv /var/lib/docker /root/data/docker

ln -s /root/data/docker /var/lib/docker

Method 2

Most Docker daemon parameters can be set in the Docker configuration file. Its location differs between operating systems: on Ubuntu it is /etc/default/docker, and on CentOS it is /etc/sysconfig/docker.

On CentOS, add the following line:

OPTIONS=--graph="/root/data/docker" --selinux-enabled -H fd://

On Ubuntu, add the following line instead (Ubuntu does not enable SELinux by default, so the SELinux flag is omitted):

OPTIONS=--graph="/root/data/docker" -H fd://

or

DOCKER_OPTS="-g /root/data/docker"

1. First, create the docker user group. If it already exists, skip this step.

sudo groupadd docker

2. Add the user to the docker group

sudo gpasswd -a ${USER} docker

3. Restart Docker

sudo service docker restart

4. If a normal user runs the docker command and gets a "get ... dial unix /var/run/docker.sock" error because of insufficient permissions, change the permissions of /var/run/docker.sock.

Use the root user to execute the following command.

sudo chmod a+rw /var/run/docker.sock
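Taken together, steps 1 to 4 decide who can drive the Docker daemon: the members of the docker group, and, once the socket is chmod a+rw, every local account. Because the daemon runs as root, whoever can write to the socket is effectively root, so that list is worth reviewing. The script below is an added example, not from the original post; it assumes GNU or busybox stat, and the socket path and group file are parameters so it can be run against constructed files.

```shell
#!/bin/sh
# Added example (not from the original post): report who can reach the Docker
# daemon through its Unix socket. Whoever can write to the socket drives a
# daemon running as root, so this is effectively the list of root-equivalent
# accounts: members of the docker group, plus every local account once the
# socket is chmod a+rw. Assumes GNU or busybox stat; the socket path and the
# group file are parameters so the functions can be run against constructed
# files.

# Classify the socket's mode bits: "world" if everyone may write, "group" if
# only the owning group may, "owner" if only the owner may.
socket_access_class() {
  mode=$(stat -c '%a' "$1" | sed 's/.*\(...\)$/\1/')   # last three digits
  group=$(printf '%s' "$mode" | cut -c2)
  other=$(printf '%s' "$mode" | cut -c3)
  if [ $((other & 2)) -ne 0 ]; then
    echo world
  elif [ $((group & 2)) -ne 0 ]; then
    echo group
  else
    echo owner
  fi
}

# List the members of the docker group from a group(5)-format file, one per line.
docker_group_members() {
  awk -F: '$1 == "docker" {
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
  }' "${1:-/etc/group}"
}

# Report for a live host (paths default to the real socket and group file).
daemon_access_report() {
  sock=${1:-/var/run/docker.sock}
  if [ -e "$sock" ]; then
    echo "socket $sock: $(socket_access_class "$sock") writable, group $(stat -c '%G' "$sock")"
  else
    echo "socket $sock: not present"
  fi
  echo "docker group members:"
  docker_group_members "${2:-/etc/group}"
}

daemon_access_report
```

On a host where the socket reports "world", step 4 has made the daemon reachable by every local account; keeping it at "group" and managing access through docker group membership (steps 1 to 3) limits that to the accounts the report lists.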

This concludes the article on using non-root users to run scripts in Docker containers, shared by the editor of 123WORDPRESS.COM; I hope it gives you a useful reference.
