如何将 Dockerfile `git config` 值应用于非根用户的 ssh 会话?
How to apply Dockerfile `git config` values to a non-root user's ssh session?
我有一个 Dockerfile,其基础层包括 git,配置 git 的全局 user.name 和 user.email 并启动 openssh-server。
Dockerfile 是这样写的(经过简化以消除明显的无关紧要):
FROM debian as base
RUN apt-get update && \
apt-get -qy full-upgrade && \
apt-get install -qy git && \
apt-get install -qy openssh-server && \
sed -i 's|session required pam_loginuid.so|session optional pam_loginuid.so|g' /etc/pam.d/sshd && \
mkdir -p /var/run/sshd && \
groupadd builders -g 1111111112 && \
useradd -l -u 1111111111 -g 1111111112 -m -s /bin/bash bob && \
echo "bob ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
echo "bob:youruncle" | chpasswd && \
git config --global user.name "bob" && \
git config --global user.email "bob@company.com"
EXPOSE 22
CMD /usr/sbin/sshd -D
当我构建并 运行 这个容器时:
$ docker build -t tmp:tmp .
[+] Building 59.2s (6/6) FINISHED
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 692B 0.0s
=> [internal] load metadata for docker.io/library/debian:latest 0.0s
=> CACHED [1/2] FROM docker.io/library/debian 0.0s
=> [2/2] RUN apt-get update && apt-get -qy full-upgrade && 55.4s
=> exporting to image 3.6s
=> => exporting layers 3.5s
=> => writing image sha256:cceaae2883b393ccb7dc0d977d846e5df1... 0.0s
=> => naming to docker.io/library/tmp:tmp 0.0s
$ docker run tmp:tmp
...并附上它,我看到鲍勃的预期 git 配置:
$ docker exec -it peaceful_einstein bash
root@3ca48a22fe98:/# git config --list
user.name=bob
user.email=bob@company.com
root@3ca48a22fe98:/#
...但是当我以 bob 身份通过 ssh 连接到容器时,我没有看到预期的 git 配置:
$ docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' peaceful_einstein
172.17.0.223
$ ssh bob@172.17.0.223
The authenticity of host '172.17.0.223 (172.17.0.223)' can't be established.
ECDSA key fingerprint is SHA256:mIyf7TvG0nDSo3fWDipWGGPxFipb6THmoYt7dwtR77w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.223' (ECDSA) to the list of known hosts.
bob@172.17.0.223's password:
Linux 3ca48a22fe98 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bob@3ca48a22fe98:~$ git config --list
bob@3ca48a22fe98:~$
为什么当 ssh 连接到容器时 bob 的 git 配置信息不可用?
有没有办法让 Dockerfile 中的 git config 语句“应用于”bob 的 ssh 会话?
运行 docker exec 使用 Dockerfile 中的目录(WORKDIR),除非你覆盖它,而且——在这种情况下更重要的是——来自 [=12= 的用户] 选项,或来自 Dockerfile 的用户。 (另请参阅 )在您的情况下,它们是 / 和 root (uid 0)。
运行 ssh 进入容器启动登录 shell,它使用用户的主目录,从登录中获取用户。在这种情况下,这些是 bob,因此,可能是 /home/bob.
Git 使用或设置当前用户的 --global 配置,因此您使用 docker exec 获取 root 的配置,使用 ssh.
获取 bob 的配置
我能够使用@torek 的解释来拼凑这个在 Dockerfile 的 USER bob“部分”中执行 git config 工作的解决方案:
FROM debian as base
RUN apt-get update && \
apt-get -qy full-upgrade && \
apt-get install -qy git && \
apt-get install -qy openssh-server && \
sed -i 's|session required pam_loginuid.so|session optional pam_loginuid.so|g' /etc/pam.d/sshd && \
mkdir -p /var/run/sshd && \
groupadd builders -g 1111111112 && \
useradd -l -u 1111111111 -g 1111111112 -m -s /bin/bash bob && \
echo "bob ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
echo "bob:youruncle" | chpasswd
EXPOSE 22
USER bob
RUN git config --global user.name "bob" && \
git config --global user.email "bob@company.com"
USER root
CMD /usr/sbin/sshd -D
我不知道这个解决方案 clean/proper/conformant 对通行做法有何影响,但它确实满足了原始 post 的需要。
我有一个 Dockerfile,其基础层包括 git,配置 git 的全局 user.name 和 user.email 并启动 openssh-server。
Dockerfile 是这样写的(经过简化以消除明显的无关紧要):
FROM debian as base
RUN apt-get update && \
apt-get -qy full-upgrade && \
apt-get install -qy git && \
apt-get install -qy openssh-server && \
sed -i 's|session required pam_loginuid.so|session optional pam_loginuid.so|g' /etc/pam.d/sshd && \
mkdir -p /var/run/sshd && \
groupadd builders -g 1111111112 && \
useradd -l -u 1111111111 -g 1111111112 -m -s /bin/bash bob && \
echo "bob ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
echo "bob:youruncle" | chpasswd && \
git config --global user.name "bob" && \
git config --global user.email "bob@company.com"
EXPOSE 22
CMD /usr/sbin/sshd -D
当我构建并 运行 这个容器时:
$ docker build -t tmp:tmp .
[+] Building 59.2s (6/6) FINISHED
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 692B 0.0s
=> [internal] load metadata for docker.io/library/debian:latest 0.0s
=> CACHED [1/2] FROM docker.io/library/debian 0.0s
=> [2/2] RUN apt-get update && apt-get -qy full-upgrade && 55.4s
=> exporting to image 3.6s
=> => exporting layers 3.5s
=> => writing image sha256:cceaae2883b393ccb7dc0d977d846e5df1... 0.0s
=> => naming to docker.io/library/tmp:tmp 0.0s
$ docker run tmp:tmp
...并附上它,我看到鲍勃的预期 git 配置:
$ docker exec -it peaceful_einstein bash
root@3ca48a22fe98:/# git config --list
user.name=bob
user.email=bob@company.com
root@3ca48a22fe98:/#
...但是当我以 bob 身份通过 ssh 连接到容器时,我没有看到预期的 git 配置:
$ docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' peaceful_einstein
172.17.0.223
$ ssh bob@172.17.0.223
The authenticity of host '172.17.0.223 (172.17.0.223)' can't be established.
ECDSA key fingerprint is SHA256:mIyf7TvG0nDSo3fWDipWGGPxFipb6THmoYt7dwtR77w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.223' (ECDSA) to the list of known hosts.
bob@172.17.0.223's password:
Linux 3ca48a22fe98 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bob@3ca48a22fe98:~$ git config --list
bob@3ca48a22fe98:~$
为什么当 ssh 连接到容器时 bob 的 git 配置信息不可用?
有没有办法让 Dockerfile 中的 git config 语句“应用于”bob 的 ssh 会话?
运行 docker exec 使用 Dockerfile 中的目录(WORKDIR),除非你覆盖它,而且——在这种情况下更重要的是——来自 [=12= 的用户] 选项,或来自 Dockerfile 的用户。 (另请参阅 / 和 root (uid 0)。
运行 ssh 进入容器启动登录 shell,它使用用户的主目录,从登录中获取用户。在这种情况下,这些是 bob,因此,可能是 /home/bob.
Git 使用或设置当前用户的 --global 配置,因此您使用 docker exec 获取 root 的配置,使用 ssh.
我能够使用@torek 的解释来拼凑这个在 Dockerfile 的 USER bob“部分”中执行 git config 工作的解决方案:
FROM debian as base
RUN apt-get update && \
apt-get -qy full-upgrade && \
apt-get install -qy git && \
apt-get install -qy openssh-server && \
sed -i 's|session required pam_loginuid.so|session optional pam_loginuid.so|g' /etc/pam.d/sshd && \
mkdir -p /var/run/sshd && \
groupadd builders -g 1111111112 && \
useradd -l -u 1111111111 -g 1111111112 -m -s /bin/bash bob && \
echo "bob ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
echo "bob:youruncle" | chpasswd
EXPOSE 22
USER bob
RUN git config --global user.name "bob" && \
git config --global user.email "bob@company.com"
USER root
CMD /usr/sbin/sshd -D
我不知道这个解决方案 clean/proper/conformant 对通行做法有何影响,但它确实满足了原始 post 的需要。