I am using Bazel to build an OCI image for a Python application and am trying to configure it to run as a non-root user (mo1). Although I have managed to specify this user in the Bazel `oci_image` rule, I run into permission problems when the container runs.
```python
oci_image(
    name = "my_image",
    base = "@python3_11",
    entrypoint = ["python", "my_app.py"],
    user = "mo1:mo1",
    # Other configurations...
)
```
However, when the container runs, the mo1 user does not appear to have the permissions needed to execute certain files, which leads to errors such as:

```text
/bin/sh: 1: /opt/services/metadata/metadata_bin.runfiles: Permission denied
```
So how do I configure `oci_image` in Bazel to set a non-root user (mo1) and group, and make sure they have the correct permissions to access and run the application files?
I created this script, `create_user_and_group.sh`:

```bash
#!/bin/bash
set -e
WORKDIR="rootfs"
mkdir -p "$WORKDIR/etc" "$WORKDIR/home/<some folder>"
echo "mo1:x:1000:" > "$WORKDIR/etc/group"
echo "mo1:x:1000:1000::/home/<some folder>:/bin/bash" > "$WORKDIR/etc/passwd"
# Output name must match the file the genrule copies (user_layer.tar)
tar -czf user_layer.tar -C "$WORKDIR" .
```
```python
genrule(
    name = "generate_user_layer",
    srcs = ["create_user_and_group.sh"],
    outs = ["user_layer.tar"],
    cmd = "(./$(location create_user_and_group.sh) && cp user_layer.tar $(location user_layer.tar))",
    visibility = ["//visibility:public"],
)
```
It seems `rules_docker` supported this. That functionality has now moved to rules_distroless.
The old way via `rules_docker` (tested with Bazel 7.0.2):

Add to your `WORKSPACE.bazel` file:
```python
# This file is used for legacy dependencies that do not have Bzlmod support
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "io_bazel_rules_docker",
    sha256 = "b1e80761a8a8243d03ebca8845e9cc1ba6c82ce7c5179ce2b295cd36f7e394bf",
    urls = ["https://github.com/bazelbuild/rules_docker/releases/download/v0.25.0/rules_docker-v0.25.0.tar.gz"],
)
```
Note: rules_docker is now deprecated and does not support Bzlmod (at least not in the BCR). Still, Bazel 7.x supports the legacy WORKSPACE approach. In any case, we only need a few utility functions from `rules_docker`.
```python
load("@io_bazel_rules_docker//contrib:passwd.bzl", "passwd_entry", "passwd_file")
# Load lines for pkg_tar and oci_image added for completeness; they assume
# rules_pkg and rules_oci are the rule sets providing these rules.
load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
load("@rules_oci//oci:defs.bzl", "oci_image")

passwd_entry(
    name = "nonroot_user",
    info = "nonroot",
    uid = 1002,
    username = "nonroot",
)

passwd_file(
    name = "passwd",
    entries = [
        ":nonroot_user",
    ],
)

pkg_tar(
    name = "passwd_tar",
    srcs = [":passwd"],
    mode = "0644",
    package_dir = "etc",
)

oci_image(
    name = "image",
    base = "@distroless_SOMETHING",
    ....
    tars = [
        ":passwd_tar",
    ],
)
```
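As an added example (not code from the question or the answer), this Python script builds the same kind of reproducible `/etc/passwd` and `/etc/group` layer that both the question's script and the answer's `passwd_tar` produce, and adds the check worth running before shipping an image: which entries of an application layer the non-root uid could not read or traverse, which is what produces the `Permission denied` on the runfiles directory in the question. The function names, the uid/gid 1000 and the `/home/mo1` path are assumptions.

```python
import io
import tarfile

# Constructed values: the non-root user the container should run as.
USER, UID, GID, HOME = "mo1", 1000, 1000, "/home/mo1"


def passwd_layer(user=USER, uid=UID, gid=GID, home=HOME, shell="/sbin/nologin"):
    """Build a tar layer holding /etc/passwd and /etc/group for one non-root user.
    Entries are root-owned, mode 0644, mtime 0, so the layer is reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text in (("etc/passwd", f"{user}:x:{uid}:{gid}::{home}:{shell}\n"),
                           ("etc/group", f"{user}:x:{gid}:\n")):
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size, info.mode, info.mtime = len(data), 0o644, 0
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inaccessible_entries(layer_bytes, uid=UID, gid=GID):
    """List entries of a layer tar that uid/gid cannot read (files) or traverse
    (directories), selecting the owner/group/other bits the way the kernel does."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as tar:
        for m in tar.getmembers():
            need = 0o5 if m.isdir() else 0o4        # dirs need r+x, files need r
            shift = 6 if m.uid == uid else 3 if m.gid == gid else 0
            bits = (m.mode >> shift) & 0o7
            if (bits & need) != need:
                bad.append(m.name)
    return bad


def app_layer(runfiles_mode):
    """Constructed application layer: a root-owned runfiles directory with the
    given mode and one script inside it, to exercise the check above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("opt/services/metadata/metadata_bin.runfiles")
        d.type, d.mode = tarfile.DIRTYPE, runfiles_mode   # uid/gid default to 0:0
        tar.addfile(d)
        script = b"print('hello from my_app')\n"
        f = tarfile.TarInfo(d.name + "/my_app.py")
        f.size, f.mode = len(script), 0o644
        tar.addfile(f, io.BytesIO(script))
    return buf.getvalue()


if __name__ == "__main__":
    print(inaccessible_entries(app_layer(0o700)))   # the directory mo1 cannot enter
    print(inaccessible_entries(app_layer(0o755)))   # []
```

Run `inaccessible_entries` over every layer tar you feed to `oci_image`; an empty list for the uid/gid in `user =` means the non-root user can at least reach every file, which is the precondition the question's error shows was missing.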