为什么fixuid拒绝更改UID

为什么fixuid拒绝更改UID

关注
发信
关注(28)粉丝(399)

为什么fixuid拒绝更改UID / GID?

本文介绍了为什么fixuid拒绝更改UID / GID?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我的情况类似于在得到回答的问题。

I have a situation similar to the question that got answered here.

在答案中,建议在docker映像中使用fixuid,以便(我引用)

In the answer, it is proposed to use fixuid in the docker image so as to (and I cite)

项目和安装说明位于:

The project and install instructions are at:https://github.com/boxboat/fixuid

示例:


  • 使用用户/组dockeruser:dockergroup作为UID / GID 1000:1000构建Docker容器。

  • 主机以UID / GID 1001:1002的方式运行。

  • 图像以docker run -u 1001:1002运行。 fixuid将:

  • 将dockeruser UID更改为1001

  • 将dockergroup GID更改为1002

  • 更改所有文件权限对于旧的dockeruser:dockergroup到1001:1002

  • 将容器内的$ HOME更新为dockeruser $ HOME

  • 现在容器与主机UID / GID匹配和文件

  • Docker container was built using user/group dockeruser:dockergroup as UID/GID 1000:1000.
  • Host is running as UID/GID 1001:1002.
  • Image is run with docker run -u 1001:1002. fixuid will:
  • change dockeruser UID to 1001
  • change dockergroup GID to 1002
  • change all file permissions for old dockeruser:dockergroup to 1001:1002
  • update $HOME inside container to dockeruser $HOME
  • now container and host UID/GID match and files created in the container on host mounts will match.

它可以作为ENTRYPOINT或作为启动脚本的一部分运行。它是
以root身份拥有setuid
位的二进制文件形式安装在容器中,并升级特权以进行适当的更改。
应该只在开发容器中使用。

It can run as the ENTRYPOINT or as part of a startup script. It isinstalled in the container as a binary owned by root with the setuidbit, and escalates privileges to make the appropriate changes. Itshould only be used in development containers.

但是当我尝试这样做时,我得到了

However when I try to do that I got

fixuid: already ran on this system; will not attempt to change UID/GID

,因此未更改UID会引起很多问题

and therefore the UID is not changed which causes a lot of problems

推荐答案

如您在 fixuid 的源代码中所看到的, )不会两次运行此二进制文件的安全性(因为它是 setuid根目录,因此非常危险):

As you can see in the source code of fixuid, there is a (tiny) security for not running this binary twice (because it’s setuid root so it’s very dangerous):

文件已是否存在。

看起来好像有人在启动阶段运行了 fixuid 二进制文件。

Looks like someone probably run the fixuid binary during the boot-up phase. Maybe in an entrypoint (that may call another entrypoint and so on), or after the entrypoint when actually running the command.

fixuid 可能在入口点中(可能会调用另一个入口点,依此类推),也可能在入口点之后。可以在入口点中用作命令的外壳包装。

如果您同时尝试这两种情况,则会收到该消息。

fixuid could be used in the entrypoint or as a shell wrapper for the command.
If you try to do both cases, you’ll get that message.

这篇关于为什么fixuid拒绝更改UID / GID?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-19 14:48
Powered by LMLPHP ©2024 为什么fixuid拒绝更改UID 0.047266