如何在扩展 (node.js) docker 图像上添加自定义 CA 证书
How to add a custom CA-Certificate on an extended (node.js) docker image
我正在扩展 node-red docker 图像,该图像(当前)基于 node:6docker 图像。
我想将自定义 SSL 证书添加到 docker-image 的证书库中。到目前为止,我是这样做的:
FROM nodered/node-red-docker
ADD DigiCertCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
ADD settings.js /data/settings.js
RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash
CMD ["npm", "start", "--", "--userDir", "/data"]
构建此映像失败,因为 RUN 是作为非根用户 node 执行的。
Updating certificates in /etc/ssl/certs... ln: failed to create symbolic link '/etc/ssl/certs/DigiCertCA.pem': Permission denied
The command '/bin/sh -c update-ca-certificates' returned a non-zero code: 1
我知道作为非 root 用户,这样的操作是不可能的。但是,使用自定义 CA 证书扩展现有映像的有效概念是什么?
为什么不直接将用户切换到 root 到 运行 添加证书的命令然后切换回来?
FROM nodered/node-red-docker
ADD DigiCertCA.crt /usr/local/share/ca-certificates/
USER root
RUN update-ca-certificates
USER node-red
ADD settings.js /data/settings.js
RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash
CMD ["npm", "start", "--", "--userDir", "/data"]
这是一个带有代理和证书的完整示例。
使用npm config set cafile
Docker 文件:
FROM node:10.15.3-jessie
# HTTP Proxy
ARG http_proxy
ARG https_proxy
ENV http_proxy ${http_proxy}
ENV https_proxy ${https_proxy}
# Certicate
ENV CERT_HOME=/usr/local/share/ca-certificates
ENV CERT_FILE_PATH=${CERT_HOME}/my.crt
RUN mkdir -p ${CERT_HOME}
ADD my.crt ${CERT_FILE_PATH}
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
# npm settings
RUN npm config set cafile ${CERT_FILE_PATH}
RUN npm config set proxy ${http_proxy}
RUN npm config set https-proxy ${https_proxy}
# Check
RUN npm config get proxy
RUN npm config get https-proxy
RUN npm config get registry
和运行:
docker build --build-arg http_proxy=$http_proxy --build-arg https_proxy=$https_proxy --tag mynode .
我正在扩展 node-red docker 图像,该图像(当前)基于 node:6docker 图像。
我想将自定义 SSL 证书添加到 docker-image 的证书库中。到目前为止,我是这样做的:
FROM nodered/node-red-docker
ADD DigiCertCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
ADD settings.js /data/settings.js
RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash
CMD ["npm", "start", "--", "--userDir", "/data"]
构建此映像失败,因为 RUN 是作为非根用户 node 执行的。
Updating certificates in /etc/ssl/certs... ln: failed to create symbolic link '/etc/ssl/certs/DigiCertCA.pem': Permission denied
The command '/bin/sh -c update-ca-certificates' returned a non-zero code: 1
我知道作为非 root 用户,这样的操作是不可能的。但是,使用自定义 CA 证书扩展现有映像的有效概念是什么?
为什么不直接将用户切换到 root 到 运行 添加证书的命令然后切换回来?
FROM nodered/node-red-docker
ADD DigiCertCA.crt /usr/local/share/ca-certificates/
USER root
RUN update-ca-certificates
USER node-red
ADD settings.js /data/settings.js
RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash
CMD ["npm", "start", "--", "--userDir", "/data"]
这是一个带有代理和证书的完整示例。
使用npm config set cafile
Docker 文件:
FROM node:10.15.3-jessie
# HTTP Proxy
ARG http_proxy
ARG https_proxy
ENV http_proxy ${http_proxy}
ENV https_proxy ${https_proxy}
# Certicate
ENV CERT_HOME=/usr/local/share/ca-certificates
ENV CERT_FILE_PATH=${CERT_HOME}/my.crt
RUN mkdir -p ${CERT_HOME}
ADD my.crt ${CERT_FILE_PATH}
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
# npm settings
RUN npm config set cafile ${CERT_FILE_PATH}
RUN npm config set proxy ${http_proxy}
RUN npm config set https-proxy ${https_proxy}
# Check
RUN npm config get proxy
RUN npm config get https-proxy
RUN npm config get registry
和运行:
docker build --build-arg http_proxy=$http_proxy --build-arg https_proxy=$https_proxy --tag mynode .