首页 > 其他分享 >docker with non root priviledge

docker with non root priviledge

时间:2023-07-09 21:34:54浏览次数:46  
标签:priviledge non user && docker root Docker USER

Running Docker Containers as Non-Root User

https://www.geeksforgeeks.org/running-docker-containers-as-non-root-user/

By default, Docker Containers run as Root Users. Now, if you are running applications inside Docker Containers, you have access to all the root privileges. This poses a great security threat when you deploy applications on large scale inside Docker Containers. Because if somehow your application gets hacked by external users, other applications running inside the Containers would also be a huge risk. Moreover, if your Docker Container is part of a network, then the whole network has the risk of getting hacked. To avoid this, you need to make sure that you run the Docker Containers as non-root users.

In this article, we will discuss two different ways using which you can create and add non-root users inside Docker Containers.

 

How to set non-root user

https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user

While any images or Dockerfiles that come from the Dev Containers extension will include a non-root user with a UID/GID of 1000 (typically either called vscode or node), many base images and Dockerfiles do not. Fortunately, you can update or create a Dockerfile that adds a non-root user into your container.

Running your application as a non-root user is recommended even in production (since it is more secure), so this is a good idea even if you're reusing an existing Dockerfile. For example, this snippet for a Debian/Ubuntu container will create a user called user-name-goes-here, give it the ability to use sudo, and set it as the default:

ARG USERNAME=user-name-goes-here
ARG USER_UID=1000
ARG USER_GID=$USER_UID

# Create the user
RUN groupadd --gid $USER_GID $USERNAME \
    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
    #
    # [Optional] Add sudo support. Omit if you don't need to install software after connecting.
    && apt-get update \
    && apt-get install -y sudo \
    && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
    && chmod 0440 /etc/sudoers.d/$USERNAME

# ********************************************************
# * Anything else you want to do like clean up goes here *
# ********************************************************

# [Optional] Set the default user. Omit if you want to keep the default as root.
USER $USERNAME

 

Using sudo Command Inside the Container

https://www.baeldung.com/ops/root-user-password-docker-container

Docker containers typically run with root as the default user. To share resources with different privileges, we may need to create additional users inside a Docker container.

Here we'll create a Dockerfile, and add a new user. Importantly, we'll also install the sudo package in the Docker container while building the image. When this user needs extra privileges, it can access them using the sudo command.

Let's check out the Dockerfile:

FROM ubuntu:16.04
RUN apt-get update && apt-get -y install sudo
RUN useradd -m john && echo "john:john" | chpasswd && adduser john sudo
USER john
CMD /bin/bash

 

标签:priviledge,non,user,&&,docker,root,Docker,USER
From: https://www.cnblogs.com/lightsong/p/17539450.html

相关文章

  • Docker系列---【Docker和宿主机如何传输文件?】
    Docker和宿主机如何传输文件?前提:Docker正在运行,即dockerps命令能看到。宿主机传输文件到dockerdockercp<宿主机文件路径><容器ID或名称>:<容器内目标路径>#例:复制宿主机文件data.txt到容器目录/app/dockercp/host/data.txtmy-container:/app/data.txtdocker传输文......
  • Docker学习路线1:介绍
    Docker是什么?Docker是一个开源平台,通过将应用程序隔离到轻量级、可移植的容器中,自动化应用程序的部署、扩展和管理。容器是独立的可执行单元,封装了运行应用程序所需的所有必要依赖项、库和配置文件,可以在各种环境中稳定地运行。什么是容器?容器是一种轻量级、可移植和隔离的软件......
  • Centos7中禁止root用户远程登录和修改登录端口
    Centos7中禁止root用户远程登录和修改登录端口介绍Linux中root用户权限比较大,被不法人员获知账户和密码后,用root登录后,可以对服务器做任何操作,对服务器危害较大,故需要禁止root用户登录,并且修改登录端口,这样就算root密码泄露,端口不是默认,也无法登录服务器禁止root用户1.修改......
  • docker 常用记录2023
    IDEA连接虚拟机(Ubuntu)的docker的最好办法(开放2375端口号).我这里用的Ubuntu,1、打开终端输入"sudovim/lib/systemd/system/docker.service"2.在sock后面,添加-Htcp://0.0.0.0:2375如上图所示.按下键盘Esc键输入wq保存退出.3.然后输入systemctldaemon-reload,重新加......
  • docker中测试Address Sanitizer
    原文地址:https://www.cnblogs.com/liqinglucky/p/address-sanitizer-in-docker.htmlDocker只是提供了一个运行环境,Docker里的程序集成AddressSanitizer与Linux环境编译相比并不需要做任何额外改动。源代码:liqinglucky/DockerHelloWorld-码云-开源中国(gitee.com)一、代码......
  • ubuntu18.04 搭建docker 环境
    1.安装docker环境1.1安装docker容器sudoaptinstalldocker.iosudosystemctlstatusdocke#获取docker状态sudosystemctlstartdocker#启动dockersudosystemctlstopdocker#停止docker1.2将添加docker用户组(重启生效)sudogroupadddockersudogpasswd......
  • centos8的root密码更改
    centos8的root密码更改此界面按e在linux行末尾加入参数rd.break按ctrl+s保存。ctrl+x启动输入mount-orw,remount/sysroot重新挂载sysroot并赋予rw权限输入chroot/sysroot把sysroot修改为/目录通过passwdroot或者echo1|passwd--stdinroottouch/.autorelabel重置SEli......
  • Docker容器 命令
     查看容器状态 正在运行的容器dockerps 查看所有容器dockerps-a 启动容器  1、直接运行,这种会铺满窗口,并且不能其它操作,按ctrl+c终止进程dockerruntomcat 2、后台运行  -p 后面两个8080,第一个8080为对外访问端口,第......
  • ubuntu 通过软链接的方式修改 Docker 镜像默认存储位置以防止空间占满
    和之前的修改conda存储位置一样,我们同样可以通过软链接的方式,修改存储位置。前文:https://www.cnblogs.com/odesey/p/17218519.htmlhttps://www.cnblogs.com/odesey/p/17512848.html默认情况下Docker容器的存放位置在/var/lib/docker目录下面,可以通过下面命令查看具体......
  • 从docker hub上拉取镜像nginx、tomcat实例
     可以从百度上搜索dockerhub,进入网站:https://hub-stage.docker.com/search?q=tomcat  查看不同镜像版本 查看镜像命令,以下两种均可dockerimagelsdockerimages拉取tomcat镜像,如不指定版本,默认拉取最近的 dockerpulltomcat拉取指定版本tomcat......