I have been trying to set all users in my Dockerfile to a custom user, because when I run collectstatic in my Django application, I get an error message:
[Errno 13] Permission denied: '/code/static/admin/js/vendor/select2/i18n/pl.6031b4f16452.js.gz'
I also want to do this for security reasons.
Currently, when I run
>docker-compose exec web ls -l /code/static
I get:
total 16
drwxrwxrwx 1 root root 4096 Apr 5 05:42 admin
drwxrwxrwx 1 root root 4096 Sep 18 21:21 css
drwxrwxrwx 1 root root 4096 Sep 18 21:21 human
drwxrwxrwx 1 root root 4096 Sep 18 18:42 img
-rw-r--r-- 1 1234 1234 13091 Sep 18 21:21 staticfiles.json
drwxrwxrwx 1 root root 4096 Sep 18 21:21 transcribe
Here is my Dockerfile:
# Pull base image
FROM python:3.11.4-slim-bullseye
# Set environment variables
ENV PIP_NO_CACHE_DIR off
ENV PIP_DISABLE_PIP_VERSION_CHECK 1
ENV PYTHONUNBUFFERED 1
ENV PYTHONDONTWRITEBYTECODE 1
ENV COLUMNS 80
#install Debian and other dependencies that are required to run python apps(eg. git, python-magic).
RUN apt-get update \
&& apt-get install -y --force-yes python3-pip ffmpeg git libmagic-dev libpq-dev gcc \
&& rm -rf /var/lib/apt/lists/*
# Set working directory for Docker image
WORKDIR /code/
# Install dependencies
COPY requirements.txt .
RUN pip install -r requirements.txt
# Copy project
COPY . .
# Create a custom non-root user
RUN useradd -m example-user
# Grant necessary permissions to write directories and to user 'celery-user'
RUN mkdir -p /code/media /code/static && \
    chown -R example-user:example-user /code/media /code/static
# Switch to the non-root user. All this avoids running Celery with root/superuser privileges which is a security risk
USER example-user
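Whenever I rearrange the Dockerfile according to the Docker best practice examples and build the image, I get a successful build, but also some error messages.
Build error 1: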
=> CACHED [celery 5/8] WORKDIR /code/
=> CACHED [celery 6/8] COPY requirements.txt .
=> [celery 7/8] RUN pip install -r requirements.txt
=> => # WARNING: The script gunicorn is installed in '/home/example-user/.local/bin' which is not on PATH.
=> => # Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
=> => # WARNING: The script django-admin is installed in '/home/example-user/.local/bin' which is not on PATH.
=> => # Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
=> => # WARNING: The script celery is installed in '/home/example-user/.local/bin' which is not on PATH.
=> => # Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Build error 2:
=> => transferring context: 49.55kB
=> CACHED [celery 2/8] RUN apt-get update && apt-get install -y --force-yes python3-pip ffmpeg git libmagic-dev libpq-dev gcc && r
=> CACHED [celery 3/8] RUN groupadd -g 1234 customgroupexample && useradd -m -u 1234 -g customgroupexample example-user
=> [celery 4/8] WORKDIR /code/
=> [celery 5/8] COPY requirements.txt .
=> [celery 6/8] RUN pip install -r requirements.txt
=> => # WARNING: The scripts cpack, ctest and cmake are installed in '/home/example-user/.local/bin' which is not on PATH.
=> => # Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
=> => # WARNING: The script normalizer is installed in '/home/example-user/.local/bin' which is not on PATH.
=> => # Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
=> => # WARNING: The script chardetect is installed in '/home/example-user/.local/bin' which is not on PATH.
=> => # Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
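The /code directory with the user as its owner did not exist in the Dockerfile, so it was created as root. The solution is to chmod the /code directory in the Dockerfile, delete the volume, and then run compose up again.
Updated Dockerfile: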
# Pull base image
FROM python:3.11.4-slim-bullseye
# Set environment variables
ENV PIP_NO_CACHE_DIR off
ENV PIP_DISABLE_PIP_VERSION_CHECK 1
ENV PYTHONUNBUFFERED 1
ENV PYTHONDONTWRITEBYTECODE 1
ENV COLUMNS 80
#install Debian and other dependencies that are required to run python apps(eg. git, python-magic).
RUN apt-get update \
&& apt-get install -y --force-yes python3-pip ffmpeg git libmagic-dev libpq-dev gcc \
&& rm -rf /var/lib/apt/lists/*
# Set working directory for Docker image
WORKDIR /code/
# Create a non-root user
RUN useradd -m example-user
# Install dependencies
COPY requirements.txt .
RUN pip install -r requirements.txt
# Copy project
COPY . .
# Grant necessary permissions to write directories and to user 'example-user'
RUN mkdir -p /code/media /code/static \
&& chown -R example-user:example-user /code
# Switch to the non-root user. All this avoids running Celery with root/superuser privileges which is a security risk
USER example-user
Updated compose.yml:
#version: "3.9"
services:
  web:
    build: .
    #command: python /code/manage.py runserver 0.0.0.0:8000
    command: gunicorn mysite.wsgi -b 0.0.0.0:8000 --reload
    volumes:
      - code_data:/code
    ports:
      - 8000:8000
...
volumes:
  postgres_data:
  code_data:
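
One way to see which entries under the static root the container user cannot write, as an added example that is not part of the original question or answer: it applies the owner/group/other mode bits shown in the ls -l output to a given uid, and also flags world-writable entries such as the drwxrwxrwx directories listed above. The function names and the sample tree in demo() are constructed for illustration; ACLs and capabilities are not considered.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Classic owner/group/other write check for one stat result."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_tree(root, uid, gids):
    """Return sorted (relative_path, finding) pairs for entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            rel = os.path.relpath(path, root)
            if not can_write(st, uid, gids):
                findings.append((rel, "not-writable"))
            # World-writable without the sticky bit: any user can modify it.
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                findings.append((rel, "world-writable"))
    return sorted(findings)

def demo():
    """Constructed sample tree, audited as a uid that owns none of it."""
    with tempfile.TemporaryDirectory() as root:
        admin = os.path.join(root, "admin")
        os.mkdir(admin)
        os.chmod(admin, 0o777)       # like the drwxrwxrwx directories
        manifest = os.path.join(root, "staticfiles.json")
        open(manifest, "w").close()
        os.chmod(manifest, 0o644)    # like -rw-r--r-- staticfiles.json
        other_uid = os.stat(manifest).st_uid + 1  # never the owner, never 0
        return audit_tree(root, other_uid, set())

if __name__ == "__main__":
    # Inside the container: audit the static root for the current user.
    for rel, finding in audit_tree("/code/static", os.getuid(),
                                   set(os.getgroups())):
        print(finding, rel)
```

Run inside the container as the application user, any "not-writable" line is a path where collectstatic would fail with Errno 13.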