在docker容器中使用非root用户运行进程

Question

我正在构建run.sh应作为非rootuser

运行的redis sentinal映像

run.sh

  while true; do
    master=$(redis-cli -h ${REDIS_SENTINEL_SERVICE_HOST} -p ${REDIS_SENTINEL_SERVICE_PORT} --csv SENTINEL get-master-addr-by-name mymaster | tr ',' ' ' | cut -d' ' -f1)
    if [[ -n ${master} ]]; then
      master="${master//\"}"
    else
      master=$(hostname -i)
    fi

    redis-cli -h ${master} INFO
    if [[ "$?" == "0" ]]; then
      break
    fi
    echo "Connecting to master failed.  Waiting..."
    sleep 10
  done

  sentinel_conf=/home/ubuntu/sentinel.conf

  echo "sentinel monitor mymaster ${master} 6379 2" > ${sentinel_conf}
  echo "sentinel down-after-milliseconds mymaster 60000" >> ${sentinel_conf}
  echo "sentinel failover-timeout mymaster 180000" >> ${sentinel_conf}
  echo "sentinel parallel-syncs mymaster 1" >> ${sentinel_conf}
  echo "bind 0.0.0.0" >> ${sentinel_conf}

  redis-sentinel ${sentinel_conf} --protected-mode no
}

function launchslave() {
  while true; do
    master=$(redis-cli -h ${REDIS_SENTINEL_SERVICE_HOST} -p ${REDIS_SENTINEL_SERVICE_PORT} --csv SENTINEL get-master-addr-by-name mymaster | tr ',' ' ' | cut -d' ' -f1)
    if [[ -n ${master} ]]; then
      master="${master//\"}"
    else
      echo "Failed to find master."
      sleep 60
      exit 1
    fi
    redis-cli -h ${master} INFO
    if [[ "$?" == "0" ]]; then
      break
    fi
    echo "Connecting to master failed.  Waiting..."
    sleep 10
  done
  sed -i "s/%master-ip%/${master}/" /redis-slave/redis.conf
  sed -i "s/%master-port%/6379/" /redis-slave/redis.conf
  redis-server /redis-slave/redis.conf --protected-mode no

Dockerfile

FROM alpine:3.4

RUN apk add --no-cache redis sed bash busybox-suid
#su: must be suid to work properly
COPY redis-master.conf /redis-master/redis.conf
COPY redis-slave.conf /redis-slave/redis.conf
RUN adduser -D ubuntu
USER ubuntu
COPY run.sh /home/ubuntu/run.sh
CMD [ "sh", "/home/ubuntu/run.sh" ]
ENTRYPOINT [ "bash", "-c" ]

我部署在Openshift。容器不断重启，我也没有看到任何日志。我之前看到过一些日志，当时“run.sh”是root（默认），即adduser中未提及任何Dockerfile。

Answer 1

根据docker documentation：

Both CMD and ENTRYPOINT instructions define what command gets executed when running a container.
There are few rules that describe their co-operation:
1. Dockerfile should specify at least one of CMD or ENTRYPOINT commands.
2. CMD will be overridden when running the container with alternative arguments.

CMD和ENTRYPOINT图层在上述Dockerfile中完全不同，因此ENTRYPOINT会覆盖CMD图层，这就是{{1}的原因永远不会执行图层。

只需从CMD删除ENTRYPOINT图层，此处不需要：

Dockerfile

<强>更新

我看到FROM alpine:3.4 RUN apk add --no-cache redis sed bash busybox-suid #su: must be suid to work properly COPY redis-master.conf /redis-master/redis.conf COPY redis-slave.conf /redis-slave/redis.conf RUN adduser -D ubuntu USER ubuntu COPY run.sh /home/ubuntu/run.sh CMD [ "sh", "/home/ubuntu/run.sh" ] 脚本中使用了[[ ]]。此构造适用于run.sh，而不是bash。这就是sh应该如下的原因：

Dockerfile