Preface

Inside a Docker container the default user is root, which is very insecure, so the usual practice is to create a separate user in the image. The current host user's User ID and Group ID are passed in with --build-arg, the new user is created with exactly that User ID and Group ID, and finally USER new_user switches to the non-root user before the required commands are run.
Dockerfile example

```dockerfile
# Declared before FROM so it can be used in the base image tag
ARG PYTHON_VERSION
FROM python:${PYTHON_VERSION}-slim-buster

# Host user's uid/gid, passed in with --build-arg at build time
ARG USER_ID
ARG GID
ARG PROJECT_DIR=/home/docker/api
ENV TZ=Asia/Taipei
ENV PATH="/home/docker:/home/docker/.local/bin:${PATH}"

# Create the group and user with the same ids as the host user
# NOTE: the fixed password and sudo membership are convenient for local
# development only; leave both out of a production image
RUN groupadd -g $GID docker-users && \
    useradd -m --no-log-init -s /bin/bash -u $USER_ID -g $GID docker && \
    echo "docker:docker" | chpasswd && \
    adduser docker sudo

RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
    apt-get update && \
    apt-get install -y --no-install-recommends build-essential sudo curl locales tzdata && \
    apt-get clean && \
    apt-get autoremove

ENV LC_ALL=C.UTF-8
ENV LANG=C.UTF-8
ENV LANGUAGE=C.UTF-8

WORKDIR $PROJECT_DIR
COPY . .
# Files copied in are owned by root; hand them to the non-root user
RUN pip install -r ./requirements.txt && \
    mkdir -p ./logs && \
    chown -R $USER_ID:$GID .

# Everything from here on (including CMD) runs as the non-root user
USER docker
CMD ["uwsgi", "--ini", "/home/docker/api/config/uwsgi.ini"]
```
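The Dockerfile above only runs as non-root because its last USER instruction is docker; a later USER root, or no USER at all, silently puts the container back on uid 0. The following is an added example (not code from the original post) of a small pre-build check that reports the effective user of a Dockerfile. It assumes GNU/BSD awk, a literal user name on the USER line (no ARG substitution) and a base image that does not itself set USER; the sample Dockerfile in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: report the user a
# Dockerfile's final stage would run as.  Docker applies the LAST USER
# instruction of the stage; a stage without one runs as root (assuming
# the base image sets no USER of its own).

# Print the user part of the last USER instruction of the last stage
# ("root" when there is none).  Reads the Dockerfile given as $1.
dockerfile_final_user() {
    awk '
        toupper($1) == "FROM" { user = "" }      # each stage starts as root
        toupper($1) == "USER" { user = $2 }      # last one wins
        END {
            if (user == "") user = "root"
            sub(/:.*/, "", user)                 # drop a ":group" suffix
            print user
        }
    ' "$1"
}

# Return 0 (true) when the image would run as root, 1 otherwise.
dockerfile_runs_as_root() {
    u=$(dockerfile_final_user "$1")
    [ "$u" = "root" ] || [ "$u" = "0" ]
}

# Demo with a constructed Dockerfile modelled on the post's image.
demo=$(mktemp)
printf 'FROM python:3.8.7-slim-buster\nRUN useradd -m docker\nUSER docker\nCMD ["uwsgi"]\n' > "$demo"
if dockerfile_runs_as_root "$demo"; then
    echo "WARNING: $demo runs as root" >&2
else
    echo "ok: $demo runs as $(dockerfile_final_user "$demo")"
fi
rm -f "$demo"
```

Run it against a real Dockerfile with `dockerfile_runs_as_root path/to/Dockerfile` in a CI step; a non-zero exit means the image ends on a non-root user. It is a text check, so it cannot see a USER set by the base image or a user name injected through a build argument.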
Build image and run container

Use docker command

Build image:
```shell
$ docker build -t <image_name>:<version> \
    --build-arg USER_ID=$(id -u) \
    --build-arg GID=$(id -g) \
    --build-arg PYTHON_VERSION="3.8.7" .
```
Run container:
```shell
$ docker run -d \
    [--name container_name] \
    [-v host_path:container_path] \
    <image_name>:<version>
```
P.S. Mind the permissions of the folders mounted as volumes: the container process now runs as the non-root uid:gid, so the host directory must be readable and writable by that uid:gid.
Use docker-compose

docker-compose.yml example:
```yaml
version: "3.7"
services:
  api:
    restart: always
    image: api:${VERSION}
    container_name: api
    # Same uid:gid the image was built with; overrides USER in the Dockerfile
    user: "${USER_ID}:${GID}"
    ports:
      - "9999:9999"
    build:
      context: /home/user/workspace/api
      args:
        USER_ID: "${USER_ID}"
        GID: "${GID}"
        PYTHON_VERSION: "3.8.7"
    volumes:
      - /home/user/workspace/api/config:/home/docker/api/config
      - /home/user/logs/api:/home/docker/api/logs
    networks:
      - net
networks:
  net:
    name: net
    driver: bridge
```
Build image and run container:
```shell
$ USER_ID=$(id -u) GID=$(id -g) VERSION="1.0.0" docker-compose up --build -d api
```
P.S. Mind the permissions of the folders mounted as volumes: the container process now runs as the non-root uid:gid, so the host directory must be readable and writable by that uid:gid.
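The volume-permission caveat (raised after both the docker run and the docker-compose sections) is easy to check on the host before starting the container. The following is an added example, not code from the original post: two shell functions that compare a bind-mount directory's owner and mode bits against the uid:gid the container will run as. It assumes GNU coreutils stat (Linux); the directory used in the demo is constructed and stands in for paths such as /home/user/logs/api.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for a
# bind-mounted host directory.  Inside the container the process uses the
# container's uid:gid, so the host directory must be owned by (strict
# check) or at least writable by (permissive check) that uid:gid.
# Assumes GNU stat, i.e. a Linux host.

# Print "uid:gid" of the owner of a path.
path_owner() {
    stat -c '%u:%g' "$1"
}

# Strict check: return 0 when DIR ($1) is owned by UID ($2) and GID ($3).
volume_owned_by() {
    dir=$1; want="$2:$3"
    have=$(path_owner "$dir") || return 1
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "$dir is owned by $have, container runs as $want" >&2
    return 1
}

# Permissive check: return 0 when UID ($2) / GID ($3) could write to
# DIR ($1) through the owner, group or other write bit.
volume_writable_by() {
    dir=$1; uid=$2; gid=$3
    own=$(path_owner "$dir") || return 1
    mode=$(stat -c '%a' "$dir")          # e.g. 750 or 2775 (octal)
    bits=$(printf '%d' "0$mode")         # leading 0: parse as octal
    case "$own" in
        "$uid:"*) [ $((bits & 128)) -ne 0 ] && return 0 ;;   # owner w
    esac
    case "$own" in
        *":$gid") [ $((bits & 16)) -ne 0 ] && return 0 ;;    # group w
    esac
    [ $((bits & 2)) -ne 0 ]                                   # other w
}

# Demo with a constructed directory in place of /home/user/logs/api.
demo_dir=$(mktemp -d)
if volume_writable_by "$demo_dir" "$(id -u)" "$(id -g)"; then
    echo "ok: $demo_dir is writable by $(id -u):$(id -g)"
else
    echo "WARNING: $demo_dir is not writable by $(id -u):$(id -g)" >&2
fi
rmdir "$demo_dir"
```

Before `docker run -v /home/user/logs/api:/home/docker/api/logs` or `docker-compose up`, call `volume_owned_by /home/user/logs/api "$(id -u)" "$(id -g)"`; if it fails, fix the host side with `chown` rather than falling back to running the container as root. The permissive variant is for shared directories where group write is intended.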
References