I have indeed tried many things, but I still don't know how to write to $HOME inside a docker container as a regular user.
Here are my commands:
stulluk ~/docker-nonroot-test (main) $ docker system prune -a
WARNING! This will remove:
- all stopped containers
- all networks not used by at least one container
- all images without at least one container associated to them
- all build cache
Are you sure you want to continue? [y/N] y
Deleted Images:
untagged: ubuntu:18.04
untagged: ubuntu@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98
deleted: sha256:7b9813341b61d4d2475cb114919a096e51860d011d35920a1819fdd6d68c2815
deleted: sha256:9a9cbb35888dac6db6e8a5e28c57a3a7e66c40c9e35532b219452db22a8a1d6f
deleted: sha256:358db9589ef1488e86e368e3a63252ec73faf80d45e523f3c3e70ddca7462e7f
deleted: sha256:3f5a16f2d6ddbe73db188e82ea4f27b92eadd5b5d8ab6d16eb7f5aee77a59e6f
deleted: sha256:0e6f6686e47679f84b7b26673fce7ba90031fdd83974eba7d278723cf3c684da
deleted: sha256:f9a80a55f492e823bf5d51f1bd5f87ea3eed1cb31788686aa99a2fb61a27af6a
deleted: sha256:548a79621a426b4eb077c926eabac5a8620c454fb230640253e1b44dc7dd7562
Total reclaimed space: 63.55MB
stulluk ~/docker-nonroot-test (main) $ cat Dockerfile
FROM ubuntu:18.04
ARG UID
ARG GID
ARG USER
#We will build as our regular user, not as root
RUN addgroup --gid $GID $USER && adduser --uid $UID --gid $GID --disabled-password --gecos '' $USER && chown $USER:$USER /home/stulluk && ls -la /home && echo "$USER ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && ls -laR /home
RUN ls -laR /home
#WORKDIR /build
stulluk ~/docker-nonroot-test (main) $ cat dockerbuild.sh
#!/usr/bin/env bash
docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g) --build-arg USER=$USER -t nonroot-docker .
stulluk ~/docker-nonroot-test (main) $ ./dockerbuild.sh
Sending build context to Docker daemon 105.5kB
Step 1/6 : FROM ubuntu:18.04
18.04: Pulling from library/ubuntu
7c457f213c76: Pull complete
Digest: sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98
Status: Downloaded newer image for ubuntu:18.04
---> f9a80a55f492
Step 2/6 : ARG UID
---> Running in f7aa375c5e1e
Removing intermediate container f7aa375c5e1e
---> f9beb06727b4
Step 3/6 : ARG GID
---> Running in 711008a24dd8
Removing intermediate container 711008a24dd8
---> 214d88eb670f
Step 4/6 : ARG USER
---> Running in 9f2d13d66051
Removing intermediate container 9f2d13d66051
---> ccecf6354f23
Step 5/6 : RUN addgroup --gid $GID $USER && adduser --uid $UID --gid $GID --disabled-password --gecos '' $USER && chown $USER:$USER /home/stulluk && ls -la /home && echo "$USER ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && ls -laR /home
---> Running in 45ab17bbd184
Adding group `stulluk' (GID 1000) ...
Done.
Adding user `stulluk' ...
Adding new user `stulluk' (1000) with group `stulluk' ...
Creating home directory `/home/stulluk' ...
Copying files from `/etc/skel' ...
total 12
drwxr-xr-x 1 root root 4096 Aug 19 22:06 .
drwxr-xr-x 1 root root 4096 Aug 19 22:06 ..
drwxr-xr-x 2 stulluk stulluk 4096 Aug 19 22:06 stulluk
/home:
total 12
drwxr-xr-x 1 root root 4096 Aug 19 22:06 .
drwxr-xr-x 1 root root 4096 Aug 19 22:06 ..
drwxr-xr-x 2 stulluk stulluk 4096 Aug 19 22:06 stulluk
/home/stulluk:
total 20
drwxr-xr-x 2 stulluk stulluk 4096 Aug 19 22:06 .
drwxr-xr-x 1 root root 4096 Aug 19 22:06 ..
-rw-r--r-- 1 stulluk stulluk 220 Aug 19 22:06 .bash_logout
-rw-r--r-- 1 stulluk stulluk 3771 Aug 19 22:06 .bashrc
-rw-r--r-- 1 stulluk stulluk 807 Aug 19 22:06 .profile
Removing intermediate container 45ab17bbd184
---> 289168fa7f92
Step 6/6 : RUN ls -laR /home
---> Running in 07ff3c7cc6ab
/home:
total 12
drwxr-xr-x 1 root root 4096 Aug 19 22:06 .
drwxr-xr-x 1 root root 4096 Aug 19 22:06 ..
drwxr-xr-x 2 root root 4096 Aug 19 22:06 stulluk
/home/stulluk:
total 20
drwxr-xr-x 2 root root 4096 Aug 19 22:06 .
drwxr-xr-x 1 root root 4096 Aug 19 22:06 ..
-rw-r--r-- 1 root root 220 Aug 19 22:06 .bash_logout
-rw-r--r-- 1 root root 3771 Aug 19 22:06 .bashrc
-rw-r--r-- 1 root root 807 Aug 19 22:06 .profile
Removing intermediate container 07ff3c7cc6ab
---> 6f0a37b5315d
Successfully built 6f0a37b5315d
Successfully tagged nonroot-docker:latest
stulluk ~/docker-nonroot-test (main) $ cat entercontainer.sh
#!/usr/bin/env bash
# run as current user
docker run --rm -it -v ${TOPDIR}:${TOPDIR} \
--user $(id -u):$(id -g) \
--volume="/etc/group:/etc/group:ro" \
--volume="/etc/passwd:/etc/passwd:ro" \
--volume="/etc/shadow:/etc/shadow:ro" \
--volume="/home/stulluk/.ssh:/home/stulluk/.ssh:ro" \
nonroot-docker:latest \
/bin/bash
stulluk ~/docker-nonroot-test (main) $ ./entercontainer.sh
stulluk@c8c0fa1e42bd:/$ pwd
/
stulluk@c8c0fa1e42bd:/$ cd ~
stulluk@c8c0fa1e42bd:~$ ls -la ../
total 16
drwxr-xr-x 1 root root 4096 Aug 19 22:06 .
drwxr-xr-x 1 root root 4096 Aug 19 22:06 ..
drwxr-xr-x 1 root root 4096 Aug 19 22:06 stulluk
stulluk@c8c0fa1e42bd:~$
stulluk@c8c0fa1e42bd:~$ touch file
touch: cannot touch 'file': Permission denied
stulluk@c8c0fa1e42bd:~$
stulluk@c8c0fa1e42bd:~$
stulluk@c8c0fa1e42bd:~$ exit
exit
stulluk ~/docker-nonroot-test (main) $ id
uid=1000(stulluk) gid=1000(stulluk) groups=1000(stulluk),4(adm),5(tty),20(dialout),24(cdrom),27(sudo),30(dip),44(video),46(plugdev),122(lpadmin),134(lxd),135(sambashare),137(docker),143(vboxusers)
stulluk ~/docker-nonroot-test (main) $
stulluk ~/docker-nonroot-test (main) $ docker --version
Docker version 20.10.25, build 20.10.25-0ubuntu1~22.04.1
stulluk ~/docker-nonroot-test (main) $
Why doesn't this work, and how can I make it work?
Note: I don't want to bind the host's $HOME directory into the container. That is not an acceptable solution, because I don't want to write to my host.
Following @philippe's suggestion (thank you very much!), the problem is a bug in the docker.io version shipped with my distro (Ubuntu 22.04 LTS), which is:
stulluk ~/docker-nonroot-test (main) $ docker --version
Docker version 20.10.25, build 20.10.25-0ubuntu1~22.04.1
I decided to try docker-ce as suggested here: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-22-04
After that, my $HOME became fully writable:
stulluk ~ $ uname -a
Linux u22 6.2.14-060214-generic #202305010032 SMP PREEMPT_DYNAMIC Mon May 1 01:32:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
stulluk ~ $ cd docker-nonroot-test/
stulluk ~/docker-nonroot-test (main) $ docker system prune -a
WARNING! This will remove:
- all stopped containers
- all networks not used by at least one container
- all images without at least one container associated to them
- all build cache
Are you sure you want to continue? [y/N] y
Deleted Images:
untagged: nonroot-docker:latest
deleted: sha256:7063344d638669d45e39318f4e4772f9f1f263e85075850c90a4917efa45ac25
Deleted build cache objects:
nuzsp9hhgd2eqgk5eta3ynrh5
8oalmweynxb5cjkrvuk93s4l6
c3esegyfdhi7ko621sqe4vgj9
swm9rskhc5fly9sbbiwhsrex3
o56163axrm6igux12k6clpkvh
Total reclaimed space: 398.3kB
stulluk ~/docker-nonroot-test (main) $ cat Dockerfile
FROM ubuntu:18.04
ARG UID
ARG GID
ARG USER
#We will build as our regular user, not as root
RUN addgroup --gid $GID $USER && adduser --uid $UID --gid $GID --disabled-password --gecos '' $USER && chown $USER:$USER /home/stulluk && ls -la /home && echo "$USER ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && ls -laR /home
RUN ls -laR /home
#WORKDIR /build
stulluk ~/docker-nonroot-test (main) $ cat dockerbuild.sh
#!/usr/bin/env bash
docker build --build-arg UID=$(id -u) --build-arg GID=$(id -g) --build-arg USER=$USER -t nonroot-docker .
stulluk ~/docker-nonroot-test (main) $ cat entercontainer.sh
#!/usr/bin/env bash
# run as current user
docker run --rm -it -v ${TOPDIR}:${TOPDIR} \
--user $(id -u):$(id -g) \
--volume="/etc/group:/etc/group:ro" \
--volume="/etc/passwd:/etc/passwd:ro" \
--volume="/etc/shadow:/etc/shadow:ro" \
--volume="/home/stulluk/.ssh:/home/stulluk/.ssh:ro" \
nonroot-docker:latest \
/bin/bash
stulluk ~/docker-nonroot-test (main) $ ./dockerbuild.sh
[+] Building 6.4s (8/8) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 393B 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:18.04 2.2s
=> [auth] library/ubuntu:pull token for registry-1.docker.io 0.0s
=> [1/3] FROM docker.io/library/ubuntu:18.04@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98 2.9s
=> => resolve docker.io/library/ubuntu:18.04@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98 0.0s
=> => sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98 1.33kB / 1.33kB 0.0s
=> => sha256:dca176c9663a7ba4c1f0e710986f5a25e672842963d95b960191e2d9f7185ebe 424B / 424B 0.0s
=> => sha256:f9a80a55f492e823bf5d51f1bd5f87ea3eed1cb31788686aa99a2fb61a27af6a 2.30kB / 2.30kB 0.0s
=> => sha256:7c457f213c7634afb95a0fb2410a74b7b5bc0ba527033362c240c7a11bef4331 25.69MB / 25.69MB 2.3s
=> => extracting sha256:7c457f213c7634afb95a0fb2410a74b7b5bc0ba527033362c240c7a11bef4331 0.4s
=> [2/3] RUN addgroup --gid 1000 stulluk && adduser --uid 1000 --gid 1000 --disabled-password --gecos '' stulluk && chown stulluk:stulluk /home/stulluk && ls -la /home && echo "stulluk ALL=(ALL) NOPASSWD 0.5s
=> [3/3] RUN ls -laR /home 0.4s
=> exporting to image 0.1s
=> => exporting layers 0.1s
=> => writing image sha256:cf19a12061940f6e6f38dbc804f90d5634323600f8374c4e8f00b80c24924cfe 0.0s
=> => naming to docker.io/library/nonroot-docker 0.0s
stulluk ~/docker-nonroot-test (main) $ ./entercontainer.sh
stulluk@99c477bbf0ba:/$ cd ~
stulluk@99c477bbf0ba:~$ ll
total 28
drwxr-xr-x 1 stulluk stulluk 4096 Aug 20 21:59 ./
drwxr-xr-x 1 root root 4096 Aug 20 21:58 ../
-rw-r--r-- 1 stulluk stulluk 220 Aug 20 21:58 .bash_logout
-rw-r--r-- 1 stulluk stulluk 3771 Aug 20 21:58 .bashrc
-rw-r--r-- 1 stulluk stulluk 807 Aug 20 21:58 .profile
drwx------ 2 stulluk stulluk 4096 Aug 18 10:46 .ssh/
stulluk@99c477bbf0ba:~$ touch file
stulluk@99c477bbf0ba:~$ exit
exit
stulluk ~/docker-nonroot-test (main) $ docker version
Client: Docker Engine - Community
Version: 24.0.5
API version: 1.43
Go version: go1.20.6
Git commit: ced0996
Built: Fri Jul 21 20:35:18 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.5
API version: 1.43 (minimum version 1.12)
Go version: go1.20.6
Git commit: a61e2b4
Built: Fri Jul 21 20:35:18 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.22
GitCommit: 8165feabfdfe38c65b599c4993d227328c231fca
runc:
Version: 1.1.8
GitCommit: v1.1.8-0-g82f18fe
docker-init:
Version: 0.19.0
GitCommit: de40ad0
stulluk ~/docker-nonroot-test (main) $
I tried with different kernels, and this does not seem to be related to the host kernel.
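The following script is an added example, not the poster's Dockerfile or helper scripts. It does the same job (an image whose home directory is owned by the host user's UID:GID) with two changes a reviewer would ask for: the home path follows the build-time $USER instead of a hard-coded /home/stulluk, and the ownership of /home/$USER is read back from inside the built image with stat before anyone relies on it, so a root-owned home like the one in the first transcript fails loudly instead of surfacing as "Permission denied" later. It also omits two things from the original scripts that weaken the non-root setup: the NOPASSWD sudoers line, which hands the container user unrestricted root, and the read-only bind mounts of /etc/passwd, /etc/group and /etc/shadow, which are unnecessary once the user exists in the image. The image tag, the function names and the use of a temporary build context are assumptions for illustration; docker-ce is assumed to be installed.

```shell
#!/usr/bin/env sh
# Added example, not the poster's Dockerfile or scripts. It renders a
# Dockerfile whose home directory follows the build-time $USER instead of a
# hard-coded /home/stulluk, builds it, and refuses to hand out a shell until
# the ownership of /home/$USER has been checked from inside the image.
# Image tag and the helper names below are assumptions for illustration.

set -eu

# Emit the Dockerfile. The heredoc is quoted, so $UID/$GID/$USER stay literal
# and are resolved by the builder from --build-arg, not by this shell.
render_dockerfile() {
    cat <<'EOF'
FROM ubuntu:18.04
ARG UID
ARG GID
ARG USER
# adduser creates /home/$USER owned by the new user; the explicit chown makes
# the intended ownership part of this layer even if the directory pre-existed.
RUN addgroup --gid "$GID" "$USER" \
 && adduser --uid "$UID" --gid "$GID" --disabled-password --gecos '' "$USER" \
 && chown -R "$UID:$GID" "/home/$USER"
# No passwordless root rule: an escalation path inside the image would undo
# the point of running as a non-root user.
USER $USER
WORKDIR /home/$USER
EOF
}

# $1: "uid:gid" as printed by stat -c '%u:%g'; $2: expected uid; $3: expected gid.
owner_matches() {
    [ "$1" = "$2:$3" ]
}

# Run the freshly built image as the target uid:gid and read back who owns
# the home directory. A root-owned result means the chown from the RUN layer
# did not survive into the image, which is what the poster observed.
verify_home_owner() {
    image="$1"; uid="$2"; gid="$3"; user="$4"
    actual="$(docker run --rm --user "$uid:$gid" "$image" stat -c '%u:%g' "/home/$user")"
    if owner_matches "$actual" "$uid" "$gid"; then
        echo "ok: /home/$user is owned by $uid:$gid inside $image"
    else
        echo "FAIL: /home/$user is owned by $actual, expected $uid:$gid" >&2
        return 1
    fi
}

# Interactive shell as the calling user. Nothing from the host is mounted: the
# user exists in the image, so /etc/passwd, /etc/group and /etc/shadow do not
# need to be bind-mounted, and the host $HOME stays untouched as the poster
# requires. Capabilities are dropped and no-new-privileges blocks setuid climbs.
enter_container() {
    image="$1"; uid="$2"; gid="$3"
    docker run --rm -it --user "$uid:$gid" \
        --cap-drop=ALL --security-opt no-new-privileges \
        "$image" /bin/bash
}

main() {
    user="${USER:?USER must be set}"
    uid="$(id -u)"; gid="$(id -g)"
    image="nonroot-docker:latest"            # assumed tag, matches the post
    ctx="$(mktemp -d)"                        # private build context
    render_dockerfile > "$ctx/Dockerfile"
    docker build --build-arg UID="$uid" --build-arg GID="$gid" \
        --build-arg USER="$user" -t "$image" "$ctx"
    verify_home_owner "$image" "$uid" "$gid" "$user"
    enter_container "$image" "$uid" "$gid"
}

# Only touch docker when explicitly asked: ./nonroot-build.sh build
case "${1:-}" in
    build) main ;;
esac
```

Run it as `./nonroot-build.sh build`. On the broken docker.io 20.10.25 setup from the first transcript, `verify_home_owner` would print `FAIL: /home/stulluk is owned by 0:0, expected 1000:1000` and stop before `enter_container`; on the docker-ce 24.0.5 setup it prints the `ok:` line and drops into the shell, where `touch file` succeeds without any host directory being mounted.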