1. FROM node:16.17-alpine
2.
3. RUN addgroup app && adduser -S -G app app
4. USER app
5.
6. WORKDIR /app
7. COPY . .
然后我运行:docker build -t mytest .
[+] Building 3.3s (9/9) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 313B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 34B 0.0s
=> [internal] load metadata for docker.io/library/node:16.17-alpine 3.0s
=> [1/4] FROM docker.io/library/node:16.17-alpine@sha256:4d68856f48be7c73cd83ba8af3b6bae98f4679e14d1ff49e164625ae8831533a 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 40.15kB 0.0s
=> CACHED [2/4] RUN addgroup app && adduser -S -G app app 0.0s
=> CACHED [3/4] WORKDIR /app 0.0s
=> [4/4] COPY . . 0.0s
=> exporting to image 0.1s
=> => exporting layers 0.0s
=> => writing image sha256:aaeb83b6fde7be16f0c9a80d7f9a5af868a08ad603269051014716a32ca8f54c 0.0s
=> => naming to docker.io/library/mytest 0.0s
现在,当我在容器上运行它时:docker run -it mytest sh
并确认我是CCD_ 3(用户(。
/app $ whoami
app
运行ls -l
命令,在许可的情况下查看里面的内容
/app $ ls -l
total 52
-rwxr-xr-x 1 root root 274 Oct 11 06:22 Dockerfile
-rwxr-xr-x 1 root root 309 Oct 10 12:47 index.js
-rwxr-xr-x 1 root root 39685 Oct 11 06:37 package-lock.json
-rwxr-xr-x 1 root root 211 Oct 10 13:45 package.json
所有者是root,但在我的Dockerfile第3行。在运行复制命令之前,我创建了一个用户组和用户。我还在第4行将user设置为app
。但为什么复制内容的所有者是root而不是应用程序?
当我在那里创建一个新文件hello.ts
时,所有者现在是应用
/app $ touch hello.ts
/app $ ls -l
total 52
-rwxr-xr-x 1 root root 274 Oct 11 06:22 Dockerfile
-rw-r--r-- 1 app app 0 Oct 11 06:42 hello.ts
-rwxr-xr-x 1 root root 309 Oct 10 12:47 index.js
-rwxr-xr-x 1 root root 39685 Oct 11 06:37 package-lock.json
-rwxr-xr-x 1 root root 211 Oct 10 13:45 package.json
/app $
如何在构建中设置用户?
除非另有规定,否则当COPY指令以管理员身份运行时,您需要更改其所有者。
COPY --chown=app:app . .