Case của mình là như sau:
Đầu tiên mình có Dockerfile:
FROM ubuntu:18.04 CMD ["sleep", "100000"]
Mình sẽ thử build image
docker build -t docker.nimtechnology.com/nim/non-root:0.0.1 --force-rm -f Dockerfile .
Sau đó mình running trên k8s
OK giờ mình ko muốn nó run với user root thì làm sao:
https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user
Có 2 cách như link bên trên:
Creating a non-root user
ARG USERNAME=user-name-goes-here ARG USER_UID=1000 ARG USER_GID=$USER_UID # Create the user RUN groupadd --gid $USER_GID $USERNAME \ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \ # # [Optional] Add sudo support. Omit if you don't need to install software after connecting. && apt-get update \ && apt-get install -y sudo \ && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \ && chmod 0440 /etc/sudoers.d/$USERNAME # ******************************************************** # * Anything else you want to do like clean up goes here * # ******************************************************** # [Optional] Set the default user. Omit if you want to keep the default as root. USER $USERNAME
Change the UID/GID of an existing container user
ARG USERNAME=user-name-goes-here ARG USER_UID=1000 ARG USER_GID=$USER_UID RUN groupmod --gid $USER_GID $USERNAME \ && usermod --uid $USER_UID --gid $USER_GID $USERNAME \ && chown -R $USER_UID:$USER_GID /home/$USERNAME
Note that on Alpine Linux, you’ll need to install the shadow
package first.
RUN apk add --no-cache shadow
Giờ Dockerfile của mình sẽ thay đổi như sau:
FROM ubuntu:18.04 ARG USERNAME=nimtechnology ARG USER_UID=1000 ARG USER_GID=$USER_UID # Create the user RUN groupadd --gid $USER_GID $USERNAME \ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \ # # [Optional] Add sudo support. Omit if you don't need to install software after connecting. && apt-get update \ && apt-get install -y sudo \ && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \ && chmod 0440 /etc/sudoers.d/$USERNAME # ******************************************************** # * Anything else you want to do like clean up goes here * # ******************************************************** # [Optional] Set the default user. Omit if you want to keep the default as root. USER $USERNAME CMD ["sleep", "100000"]
OK đã chuẩn bị đầy đủ.
Giờ mình thực hiện tạo 1 secret trên k8s.
Với file yaml bên dưới:
zapiVersion: v1 data: key-secret: dmFsdWUtc2VjcmV0 kind: Secret metadata: labels: name: secret-non-root namespace: default type: Opaque
Giờ bạn thực hiện tạo ra 1 deployment và mount secret thành volume
apiVersion: apps/v1 kind: Deployment metadata: labels: workload.user.cattle.io/workloadselector: deployment-default-container-non-root name: container-non-root namespace: default spec: replicas: 1 selector: matchLabels: workload.user.cattle.io/workloadselector: deployment-default-container-non-root strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 0 type: RollingUpdate template: metadata: labels: workload.user.cattle.io/workloadselector: deployment-default-container-non-root spec: containers: - image: docker.nimtechnology.com/nim/non-root:0.0.5 name: container-non-root volumeMounts: - mountPath: /secert name: secret-volume volumes: - name: secret-volume secret: defaultMode: 420 secretName: secret-non-root
Bạn đoán là file secret được mount sẽ có permission thuộc user nào?
Nếu code của bạn muốn copy file key-secret thì sẽ không có quyền
OK! Giờ tìm hiểu thôi!
Để hiểu defaultMode: 420
thì đọc link dưới
https://support.huaweicloud.com/intl/en-us/cce_faq/cce_faq_00288.html
Ok giờ làm sao để mount file secret với user nimtechnology.
lại đọc bài dưới:
https://docs.portworx.com/portworx-install-with-kubernetes/storage-operations/create-pvcs/access-via-non-root-users/
Bạn thêm như anh bên dưới:
dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 1000 terminationGracePeriodSeconds: 30