Users in Docker

Andrey Kopylov, our CTO, loves Docker, uses it actively and promotes it. In a new article he explains how to create users in Docker, how to work with them correctly, why you should not leave users with root rights, and how to solve the problem of mismatched identifiers in the Dockerfile.

All processes in a container will run as the root user unless you explicitly specify otherwise. This is very convenient, because this user has no restrictions. That is exactly why running as root is a mistake from a security point of view. Nobody in their right mind works on their local computer with root rights, yet most people run processes as root inside containers.

There are always bugs that allow malware to escape from the container and get onto the host computer. If we assume the worst, we must make sure that the processes inside the container run as a user who has no rights on the host machine.

Creating a user

Creating a user in a container is no different from creating one in a Linux distribution. However, the commands differ between base images.

For Debian-based distributions, add the following to the Dockerfile:

RUN groupadd --gid 2000 node \
  && useradd --uid 2000 --gid node --shell /bin/bash --create-home node

For Alpine:

RUN addgroup -g 2000 node \
    && adduser -u 2000 -G node -s /bin/sh -D node

Running processes as the user

To run all subsequent processes as the user with UID 2000, add:

USER 2000

To run all subsequent processes as the user node, add:

USER node

More in the documentation.

Mounting volumes

When mounting a volume into a container, the user must be given the ability to read and/or write the files. For this to work, the UID (GID) of the user inside the container must match the UID (GID) of the user outside the container who has the appropriate permissions on those files. The user names themselves do not matter.

On a Linux computer the user's UID and GID are often both 1000. These identifiers are assigned to the first user created on the machine.

Finding out your own identifiers is easy:

id

You will get full information about your user.
Replace 2000 in the examples with your identifier and everything will work.
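The requirement above, that the owner of a bind-mounted path and the container user share numeric ids, can be checked on the host before starting the container. The following shell helper is an added example, not code from the original article; the function names and the default id 2000 (taken from the article's examples) are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): verify, before bind-mounting a
# directory into a container, that its owner UID/GID equal the UID/GID the
# container process will run as. Function and variable names are assumptions.

# Numeric UID/GID of the current host user, the same values `id` prints.
host_uid() { id -u; }
host_gid() { id -g; }

# Print "<uid> <gid>" of a path's owner. `ls -ldn` is POSIX and always prints
# numeric ids, so it behaves the same with GNU and BSD userland.
owner_ids() {
    ls -ldn "$1" | awk '{ print $3, $4 }'
}

# Return 0 when the path's owner matches the given container UID/GID, 1 otherwise.
# On a mismatch, print the build arguments that would make the ids line up.
mount_ids_match() {
    path=$1; want_uid=$2; want_gid=$3
    set -- $(owner_ids "$path")
    have_uid=$1; have_gid=$2
    if [ "$have_uid" = "$want_uid" ] && [ "$have_gid" = "$want_gid" ]; then
        echo "ok: $path is owned by $have_uid:$have_gid, container runs as $want_uid:$want_gid"
        return 0
    fi
    echo "mismatch: $path is owned by $have_uid:$have_gid, container runs as $want_uid:$want_gid" >&2
    echo "hint: build the image with --build-arg UID=$have_uid --build-arg GID=$have_gid" >&2
    return 1
}

# Usage (constructed): `./check-mount.sh ./src 2000 2000` compares the project
# directory with the ids baked into the image; with no arguments nothing runs.
if [ "${1:-}" != "" ]; then
    mount_ids_match "$1" "${2:-2000}" "${3:-2000}"
fi
```

A non-zero exit from the script is a convenient guard in a Makefile or CI step: it stops the container from starting with a user that would be unable to read the source tree or would leave root-owned files behind in it.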

Assigning a UID and GID to a user

If the user was created earlier but you need to change its identifiers, you can do it like this:

RUN usermod -u 1000 node \
  && groupmod -g 1000 node

If you are using an Alpine base image, you need to install the shadow package first, because usermod and groupmod are not part of BusyBox:

RUN apk add --no-cache shadow

Passing the user ID into the container when building the image

If your ID and the IDs of everyone working on the project match, simply put that ID in the Dockerfile. However, user IDs often do not match.

How to achieve what you want is not immediately obvious. For me, this was the hardest part of mastering Docker. Many Docker users do not realize that an image has distinct stages in its life. First, the image is built using the Dockerfile. When a container is started from the image, the Dockerfile is no longer used.

Creating the user must happen when the image is built. The same applies to specifying the user under which processes are launched. This means we must somehow pass the UID (GID) into the container at build time.

The ENV and ARG instructions are used to bring external variables into the Dockerfile. A full description of the instructions is in the documentation.

Dockerfile

ARG UID=1000
ARG GID=1000
ENV UID=${UID}
ENV GID=${GID}
RUN usermod -u $UID node \
  && groupmod -g $GID node

You can pass the arguments through docker-compose like this:

docker-compose.yml

build:
  context: ./src/backend
  args:
    UID: 1000
    GID: 1000
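The steps above (create the user at build time, take its ids from ARG, switch to it with USER, and pass the host's ids in with build arguments) fit together in one generator script. This is an added example, not code from the original article: it writes a Debian-based Dockerfile that follows the article's ARG/ENV pattern and prints the matching docker build and docker run commands. The base image debian:bookworm-slim, the tag app-backend, the working directory and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate a Debian-based
# Dockerfile that creates a non-root user whose UID/GID are passed in at build
# time, then print the build and run commands that go with it. Base image, tag,
# WORKDIR and function names are assumptions; the ARG/ENV pattern and the
# defaults of 1000 follow the article.

# Write the Dockerfile to stdout. The user is created during the build (the
# only stage at which the Dockerfile is consulted); the final USER instruction
# makes every later RUN and the CMD execute as that user instead of root.
render_dockerfile() {
    base=${1:-debian:bookworm-slim}   # assumed base image
    uid=${2:-1000}
    gid=${3:-1000}
    cat <<EOF
FROM $base
ARG UID=$uid
ARG GID=$gid
ENV UID=\${UID}
ENV GID=\${GID}
RUN groupadd --gid "\$GID" node \\
  && useradd --uid "\$UID" --gid node --shell /bin/bash --create-home node
WORKDIR /home/node/app
USER node
CMD ["id"]
EOF
}

# The build command that overrides the ARG defaults with the caller's ids.
build_cmd() {
    uid=$1; gid=$2; tag=$3
    echo "docker build --build-arg UID=$uid --build-arg GID=$gid -t $tag ."
}

# A run command that bind-mounts the current directory. Because the container
# user and the host user now share ids, files written by either side stay
# readable and writable for the other, and nothing ends up owned by root.
run_cmd() {
    tag=$1
    echo "docker run --rm -v \"\$PWD:/home/node/app\" $tag"
}

# Usage (constructed): take the ids from the host user, as the article advises,
# write Dockerfile.example and show the commands. Set RUN_EXAMPLE=1 to execute.
main() {
    uid=$(id -u); gid=$(id -g)
    render_dockerfile debian:bookworm-slim "$uid" "$gid" > Dockerfile.example
    build_cmd "$uid" "$gid" app-backend
    run_cmd app-backend
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    main
fi
```

Running `CMD ["id"]` after the build is a quick sanity check: the container should report the uid and gid you passed in, not uid=0. For the docker-compose variant above, the same ids go under `build.args` and no further changes to the Dockerfile are needed, since the ARG defaults are only fallbacks.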

P.S. To master all the subtleties of Docker, it is not enough to read the documentation or an article. You need to practice a lot; you need to get a feel for Docker.

source: www.habr.com
