如何在扩展(node.js)docker镜像上添加自定义CA证书

时间:2017-11-22 15:14:17

标签: node.js ssl docker dockerfile node-red

我正在扩展node-red docker图像,该图像(当前)基于node:6泊坞窗图像。

我想在docker-image的证书库中添加自定义SSL证书。到目前为止,我做了如下:

FROM nodered/node-red-docker

ADD DigiCertCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

ADD settings.js /data/settings.js

RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash 

CMD ["npm", "start", "--", "--userDir", "/data"]

构建此映像失败,因为RUN作为非root用户node执行。

Updating certificates in /etc/ssl/certs... ln: failed to create symbolic link '/etc/ssl/certs/DigiCertCA.pem': Permission denied
The command '/bin/sh -c update-ca-certificates' returned a non-zero code: 1

我意识到,作为非root用户,这样的操作是不可能的。但是,使用自定义CA证书扩展现有图像的有效概念是什么?

2 个答案:

答案 0 :(得分:1)

为什么不将用户切换到root运行命令以添加证书然后切换回来?

FROM nodered/node-red-docker

ADD DigiCertCA.crt /usr/local/share/ca-certificates/
USER root
RUN update-ca-certificates
USER node-red


ADD settings.js /data/settings.js

RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash 

CMD ["npm", "start", "--", "--userDir", "/data"]

答案 1 :(得分:0)

这是代理和证书的完整示例。

使用 npm config set cafile

Dockerfile:

docker build --build-arg http_proxy=$http_proxy --build-arg https_proxy=$https_proxy --tag mynode .

并运行:

.babelrc