Docker using gosu vs USER
Docker has a USER command to run a process as a specific user, but in general a lot of things have to run as root. I have seen a lot of images use an entrypoint with gosu to de-elevate the process to run. I'm still a bit confused about the need for gosu. Shouldn't USER be enough? I know quite a bit has changed in terms of security since docker 1.10, but I'm still not clear on the recommended way to run a process in a docker container. Can someone explain when to use gosu vs. USER?

Thanks.

Edit: the docker best practice guide is not clear: it says if the process can run without privileges, use USER; if you need sudo, you might want to use gosu. This is confusing because one can install all sorts of things as root in the Dockerfile, create a user, give it the proper privileges, switch to that user, and run the CMD as that user. Why would you need sudo or gosu then?
Dockerfiles are for creating images. I see gosu as more useful as part of container initialization, when you can no longer change users between RUN commands in the Dockerfile.

After the image is created, gosu allows you to drop root permissions at the end of the entrypoint inside of the container. You may need root access for initialization steps (fixing uid's, host-mounted volume permissions, etc). Once initialized, you run the final service without root privileges and as pid 1 to handle signals cleanly.

Edit: here's a simple example of using gosu in an image with docker and jenkins: https://github.com/bmitch3020/jenkins-docker

The entrypoint.sh looks at the gid of the /var/lib/docker.sock file and updates the gid of the docker user inside the container to match. This allows the image to be ported to other docker hosts where the gid on the host may differ. Changing the group requires root access inside the container. Had I used USER jenkins in the Dockerfile, I'd be stuck with the gid of the docker group defined in the image, which wouldn't work if it doesn't match that of the docker host it's running on. That root access can be dropped when running the app, which is where gosu comes in.

At the end of the script, the exec call prevents the shell from forking gosu, and instead replaces it as the pid 1 process. gosu in turn does the same, switching the uid and exec'ing the jenkins process, which takes on pid 1. This allows signals to be handled correctly that would otherwise be ignored by the shell as pid 1.
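As an added example, not code from the question, the answer, or the linked jenkins-docker project: a POSIX sh entrypoint that implements the pattern the answer describes (fix a host-dependent gid as root, then drop privileges with gosu and exec the service as pid 1). It assumes an unprivileged user `jenkins` and a group `docker` created in the Dockerfile, the host socket bind-mounted at `/var/run/docker.sock`, and `gosu` and `groupmod` installed in the image; the gid comparison is split into small functions so the decision logic can be exercised without root or a container.

```shell
#!/bin/sh
# Added example entrypoint, not the linked jenkins-docker project's script.
# Pattern: start as root, align the in-image "docker" group with the gid that
# owns the host's docker socket, then drop privileges with gosu and exec the
# service so it runs unprivileged as PID 1.
set -eu

APP_USER="${APP_USER:-jenkins}"                    # assumed: created in the Dockerfile
DOCKER_GROUP="${DOCKER_GROUP:-docker}"             # assumed: created in the Dockerfile
DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}" # assumed host socket bind-mount path
GROUP_FILE="${GROUP_FILE:-/etc/group}"             # overridable so the logic can run outside a container

# Print the numeric gid that owns a path (GNU stat first, BSD stat as fallback).
gid_of_path() {
    stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"
}

# Print the gid of a group name from a group(5)-format file; empty if absent.
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3 }' "$2"
}

# Decide what to do: prints "change <gid>" when the image's group does not match
# the socket owner (or does not exist), otherwise "keep". Needs no privileges.
plan_gid_sync() {
    sock_gid=$(gid_of_path "$1")
    image_gid=$(gid_of_group "$2" "$3")
    if [ -z "$image_gid" ] || [ "$sock_gid" != "$image_gid" ]; then
        echo "change $sock_gid"
    else
        echo "keep"
    fi
}

main() {
    if [ "$(id -u)" = "0" ]; then
        if [ -S "$DOCKER_SOCK" ]; then
            plan=$(plan_gid_sync "$DOCKER_SOCK" "$DOCKER_GROUP" "$GROUP_FILE")
            case "$plan" in
                change\ *)
                    # Root-only step; groupmod fails loudly if another group
                    # already owns that gid or the group does not exist.
                    groupmod -g "${plan#change }" "$DOCKER_GROUP"
                    ;;
            esac
        fi
        # exec replaces this shell with gosu; gosu then execs the service, so
        # PID 1 is the service itself and receives SIGTERM directly.
        exec gosu "$APP_USER" "$@"
    fi
    # Already unprivileged (e.g. started with --user): nothing to fix, just exec.
    exec "$@"
}

# Run only when invoked as the container entrypoint, not when sourced for tests.
case "$0" in
    */entrypoint.sh|entrypoint.sh) main "$@" ;;
esac
```

With `ENTRYPOINT ["/entrypoint.sh"]` and `CMD ["java", "-jar", "/usr/share/jenkins/jenkins.war"]` in the Dockerfile, the container starts as root, adjusts the group once, and ends up with the jenkins process as pid 1 owned by the unprivileged user; `docker exec <container> ps -o pid,user,comm` is the quick check that no shell or gosu remains in the process tree.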