Fix and update
@@ -2,6 +2,8 @@
|
||||
|
||||
### 基本语法
|
||||
|
||||
具体内容如下:
|
||||
|
||||
```docker
|
||||
USER <用户名>[:<用户组>]
|
||||
USER <UID>[:<GID>]
|
||||
@@ -37,28 +39,37 @@ root 用户运行的风险:
|
||||
|
||||
#### 创建并切换用户
|
||||
|
||||
具体内容如下:
|
||||
|
||||
```docker
|
||||
FROM node:20-alpine
|
||||
|
||||
## 1. 创建用户和组
|
||||
|
||||
RUN addgroup -g 1001 appgroup && \
|
||||
adduser -u 1001 -G appgroup -D appuser
|
||||
|
||||
## 2. 设置目录权限
|
||||
|
||||
WORKDIR /app
|
||||
COPY --chown=appuser:appgroup . .
|
||||
|
||||
## 3. 切换用户
|
||||
|
||||
USER appuser
|
||||
|
||||
## 4. 后续命令以 appuser 身份运行
|
||||
|
||||
CMD ["node", "server.js"]
|
||||
```
|
||||
|
||||
#### 使用 UID/GID
|
||||
|
||||
具体内容如下:
|
||||
|
||||
```docker
|
||||
## 也可以使用数字
|
||||
|
||||
USER 1001:1001
|
||||
```
|
||||
|
||||
@@ -70,10 +81,12 @@ USER 1001:1001
|
||||
|
||||
```docker
|
||||
## ❌ 错误:用户不存在
|
||||
|
||||
USER nonexistent
|
||||
## Error: unable to find user nonexistent
|
||||
|
||||
## ✅ 正确:先创建用户
|
||||
|
||||
RUN useradd -r -s /bin/false appuser
|
||||
USER appuser
|
||||
```
|
||||
@@ -114,9 +127,11 @@ RUN addgroup -g 1001 -S appgroup && \
|
||||
FROM debian:bookworm
|
||||
|
||||
## 创建用户
|
||||
|
||||
RUN groupadd -r redis && useradd -r -g redis redis
|
||||
|
||||
## 安装 gosu
|
||||
|
||||
RUN apt-get update && apt-get install -y gosu && rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY docker-entrypoint.sh /usr/local/bin/
|
||||
@@ -131,9 +146,11 @@ CMD ["redis-server"]
|
||||
set -e
|
||||
|
||||
## 以 root 执行初始化
|
||||
|
||||
chown -R redis:redis /data
|
||||
|
||||
## 用 gosu 切换到 redis 用户运行服务
|
||||
|
||||
exec gosu redis "$@"
|
||||
```
|
||||
|
||||
@@ -154,9 +171,11 @@ exec gosu redis "$@"
|
||||
|
||||
```bash
|
||||
## 以指定用户运行
|
||||
|
||||
$ docker run -u 1001:1001 myimage
|
||||
|
||||
## 以 root 运行(调试时)
|
||||
|
||||
$ docker run -u root myimage
|
||||
```
|
||||
|
||||
@@ -170,15 +189,19 @@ $ docker run -u root myimage
|
||||
FROM node:20-alpine
|
||||
|
||||
## 创建用户
|
||||
|
||||
RUN adduser -D -u 1001 appuser
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
## 方式1:使用 --chown
|
||||
|
||||
COPY --chown=appuser:appuser . .
|
||||
|
||||
## 方式2:手动 chown(减少层数)
|
||||
|
||||
## COPY . .
|
||||
|
||||
## RUN chown -R appuser:appuser /app
|
||||
|
||||
USER appuser
|
||||
@@ -191,13 +214,17 @@ CMD ["node", "server.js"]
|
||||
|
||||
#### 1. 始终使用非 root 用户
|
||||
|
||||
具体内容如下:
|
||||
|
||||
```docker
|
||||
## ✅ 推荐
|
||||
|
||||
RUN adduser -D appuser
|
||||
USER appuser
|
||||
CMD ["myapp"]
|
||||
|
||||
## ❌ 避免
|
||||
|
||||
CMD ["myapp"] # 以 root 运行
|
||||
```
|
||||
|
||||
@@ -207,6 +234,7 @@ CMD ["myapp"] # 以 root 运行
|
||||
|
||||
```docker
|
||||
## 使用常见的非 root UID
|
||||
|
||||
RUN addgroup -g 1000 -S appgroup && \
|
||||
adduser -u 1000 -S -G appgroup appuser
|
||||
USER 1000:1000
|
||||
@@ -214,14 +242,18 @@ USER 1000:1000
|
||||
|
||||
#### 3. 多阶段构建中的 USER
|
||||
|
||||
具体内容如下:
|
||||
|
||||
```docker
|
||||
## 构建阶段可以用 root
|
||||
|
||||
FROM node:20 AS builder
|
||||
WORKDIR /app
|
||||
COPY . .
|
||||
RUN npm install && npm run build
|
||||
|
||||
## 生产阶段用非 root
|
||||
|
||||
FROM node:20-alpine
|
||||
RUN adduser -D appuser
|
||||
WORKDIR /app
|
||||
@@ -236,6 +268,8 @@ CMD ["node", "server.js"]
|
||||
|
||||
#### Q: 权限被拒绝
|
||||
|
||||
运行以下命令:
|
||||
|
||||
```bash
|
||||
permission denied: '/app/data.log'
|
||||
```
|
||||
|
||||