maven – 以非root用户身份运行docker或以root用户身份在tomcat上运行jenkins

我正在尝试使用docker-maven插件构建一个docker镜像,并计划使用jenkins执行mvn命令.我将jenkins.war部署在tomcat实例上而不是独立应用程序,该应用程序以非root用户身份运行.
问题是docker需要以root用户身份运行,因此maven命令需要以root用户身份运行,因此jenkins / tomcat需要以root用户身份运行,这不是一个好习惯(尽管我的非root用户是也是sudoer,所以我想不会太重要).

所以底线,我看到两个解决方案:将docker作为非root用户运行(并且需要有关如何执行此操作的帮助)
要么
需要以root身份运行jenkins(并且不确定如何实现这一点,因为我更改了环境变量/ config并且仍然没有切换到root).

有关选择哪种解决方案以及如何实施的建议?

最佳答案

The problem is that docker needs to be run as root user, so maven commands need to be run as root user,

不,可以使用-u (--user) parameter运行docker run,以便在容器内使用非root用户.

Either run docker as non-root user

Your user (on the host) needs to be part of the docker group.然后您可以与该用户一起运行docker服务.

评论说,这不是很安全.
看到:

>“chrisfosterelli/dockerrootplease
>“Understanding how uid and gid work in Docker containers

最后一个链接以下列结果结束:

  • If there’s a known uid that the process inside the container is executing as, it could be as simple as restricting access to the host system so that the uid from the container has limited access.
  • The better solution is to start containers with a known uid using the--user (you can use a username also, but remember that it’s just a friendlier way of providing a uid from the host’s username system), and then limiting access to the uid on the host that you’ve decided the container will run as.
  • Because of how uids and usernames (and gids and group names) map from a container to the host, specifying the user that a containerized process runs as can make the process appear to be owned by different users inside vs outside the container.

关于最后一点,你现在有user namespace (userns) remapping(因为docker 1.10,但我会建议17.06,因为issue 33844).

转载注明原文:maven – 以非root用户身份运行docker或以root用户身份在tomcat上运行jenkins - 代码日志