4e01c73400538a94d70ffa4e14fea71c8406e710
compute/docker.md
| ... | ... | @@ -3,8 +3,8 @@ |
| 3 | 3 | |
| 4 | 4 | # Tricks |
| 5 | 5 | ## ssh |
| 6 | -Images should run as non-root, arbitrary users but that makes anything that uses ssh (like git) a pain in the ass. ssh expects a username for the running UID, which you might not have at runtime. |
|
| 7 | -Fake it out and pretend to be root with libuidwrapper and a homedir that you can create at runtime as the running user: |
|
| 6 | +Images should run as non-root arbitrary users, but that makes anything that uses ssh (like git) a pain in the ass. ssh expects a username for the running UID, which you might not have at runtime. |
|
| 7 | +Fake it out and pretend to be root with libuid-wrapper and a homedir that you can create at runtime as the running user: |
|
| 8 | 8 | ``` |
| 9 | 9 | Dockerfile: |
| 10 | 10 | RUN apt update && apt -y install ... libuid-wrapper |
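Review bot: the corrected name on new line 7, "libuid-wrapper", now matches the apt package on line 10, but the object that is preloaded further down in the same block is `libuid_wrapper.so`, with an underscore. A reader copying from the prose will get one of the two wrong, so consider stating both explicitly: the package is `libuid-wrapper`, the library is `libuid_wrapper.so`. The same sentence still says "pretend to be root" with no qualification; a short pointer to the note after the code block (that the uid does not actually change) would keep it from being read as privilege escalation.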
| ... | ... | @@ -20,7 +20,7 @@ chmod 700 "$HOME"/.ssh |
| 20 | 20 | export LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 |
| 21 | 21 | /app/do-ssh-stuff.py |
| 22 | 22 | ``` |
| 23 | -Note that this doesn't _change_ your uid, it just makes ssh look up usernames and homedirs for root instead of the running uid. |
|
| 23 | +Note that this doesn't _change_ your uid, it just makes ssh (and everything else that uses [g]libc) look up usernames and homedirs for root instead of the running uid. |
|
| 24 | 24 | |
| 25 | 25 | ## git |
| 26 | 26 | If you're pushing/pulling from ssh urls, use the ssh trick above and add this to the entrypoint/cmd wrapper script as well so ssh doesn't moan about host keys: |
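Review bot: the new wording on line 23 says everything that uses libc is affected, but it stops short of the consequence: `export LD_PRELOAD=libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1` on line 20 is inherited by `/app/do-ssh-stuff.py` and every child process it starts, not only ssh. Suggest either scoping the variables to the ssh/git invocation instead of exporting them for the whole script, or adding a sentence that any tool that checks whether it is running as root will get a misleading answer while the kernel still enforces the real uid. "[g]libc" also reads like a broken link or a character class; "glibc" or "the C library" would be clearer, and statically linked binaries are worth a mention since LD_PRELOAD does not apply to them.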