【Docker】Dockerfile Best Practices - USER
Reference: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
Environment
- VirtualBox 6.1
- CentOS 7.8
- Docker 19.03
USER
If a service can run without privileges, use USER to change to a non-root user. Start by creating the user and group in the Dockerfile with something like RUN groupadd -r postgres && useradd --no-log-init -r -g postgres postgres.
Consider an explicit UID/GID
Users and groups in an image are assigned a non-deterministic UID/GID: the "next" free UID/GID is assigned at build time, so the value can change between image rebuilds. If the UID/GID matters (for example for file ownership on mounted volumes), assign an explicit UID/GID.
Due to an unresolved bug in the Go archive/tar package's handling of sparse files, attempting to create a user with a significantly large UID inside a Docker container can lead to disk exhaustion, because /var/log/faillog in the container layer is filled with NULL (\0) characters. A workaround is to pass the --no-log-init flag to useradd. The Debian/Ubuntu adduser wrapper does not support this flag.
Avoid installing or using sudo, as it has unpredictable TTY and signal-forwarding behavior that can cause problems. If you absolutely need functionality similar to sudo, such as initializing the daemon as root but running it as non-root, consider using "gosu".
Lastly, to reduce layers and complexity, avoid switching USER back and forth frequently.
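As an added example (not from Docker's documentation or this post), the POSIX shell script below turns the points above into a small lint for a Dockerfile: it checks for a non-root effective USER, an explicit UID, --no-log-init on useradd, sudo being installed, and repeated USER switches. The embedded sample Dockerfile, its image name and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from Docker's docs or this post. Constructed sample
# Dockerfile that follows the USER practices above (assumed image/paths).
SAMPLE_DOCKERFILE='FROM debian:bookworm-slim
# explicit UID/GID so rebuilds and bind-mount ownership stay stable
RUN groupadd -r -g 10001 app && useradd --no-log-init -r -u 10001 -g app app
COPY --chown=app:app app/ /opt/app/
# one switch to the unprivileged user, no sudo in the image
USER app
CMD ["/opt/app/run"]'

# lint_dockerfile: read Dockerfile text on stdin, print one finding per line;
# exit status 0 when clean, 1 when at least one finding was printed.
lint_dockerfile() {
  content=$(cat)
  findings=0
  # 1. a USER instruction must exist and the effective (last) one must not be root
  last_user=$(printf '%s\n' "$content" | awk '$1=="USER"{u=$2} END{print u}')
  case "$last_user" in
    "") echo "no USER instruction: container runs as root"; findings=1 ;;
    root|root:*|0|0:*) echo "last USER is root: drop privileges before CMD"; findings=1 ;;
  esac
  if printf '%s\n' "$content" | grep -q useradd; then
    # 2. without --no-log-init a large UID can fill /var/log/faillog
    if ! printf '%s\n' "$content" | grep -q -- '--no-log-init'; then
      echo "useradd without --no-log-init"; findings=1
    fi
    # 3. without -u/--uid the UID depends on build order, not on the Dockerfile
    if ! printf '%s\n' "$content" | grep -Eq 'useradd.*(-u|--uid)[ =]?[0-9]+'; then
      echo "useradd without an explicit UID"; findings=1
    fi
  fi
  # 4. sudo pulled in by a package manager
  if printf '%s\n' "$content" | grep -Eq '(apt-get|apk|yum|dnf) .*install.*[[:space:]]sudo([[:space:]]|$)'; then
    echo "sudo installed: prefer gosu for root-then-drop startup"; findings=1
  fi
  # 5. repeated USER switches add layers and complexity
  switches=$(printf '%s\n' "$content" | grep -c '^USER ')
  if [ "$switches" -gt 1 ]; then
    echo "USER switched $switches times: avoid flipping back and forth"; findings=1
  fi
  return $findings
}

# usage: lint_dockerfile < Dockerfile
printf '%s\n' "$SAMPLE_DOCKERFILE" | lint_dockerfile && echo "sample Dockerfile: clean"
```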
Summary
This post covered the best practices for the Dockerfile USER instruction.