为什么简单的Dockerfile会给出“拒绝权限”？

apt-get 通常需要以root身份运行，但是一旦ve运行 USER 命令，命令不再以root用户身份运行。

apt-get generally needs to run as root, but once you've run a USER command, commands don't run as root any more.

您将经常运行命令就像在Dockerfile的 start 上一样：如果可能的话，您想利用Docker层缓存，并且通常会安装Dockerfile其余需求的依赖项。同样出于层缓存的原因，重要的是一步执行 apt-get update 和其他安装步骤。因此，您的Dockerfile通常看起来像

You'll frequently run commands like this at the start of the Dockerfile: you want to take advantage of Docker layer caching if you can, and you'll usually be installing dependencies the rest of the Dockerfile needs. Also for layer-caching reasons, it's important to run apt-get update and other installation steps in a single step. So your Dockerfile would typically look like

FROM ros:kinetic-robot-xenial
# Still root
RUN apt-get update \
 && apt-get install ...
# Copy in application (still as root, won't be writable by other users)
COPY ...
CMD ["..."]
# Now as the last step create a user and default to running as it
RUN adduser ros
USER ros

如果需要，可以显式地 USER root 切换回root以执行后续命令，但是通常更易于阅读和维护

If you need to, you can explicitly USER root to switch back to root for subsequent commands, but it's usually easier to read and maintain Dockerfiles with less user switching.

还请注意， sudo 和用户密码在Docker中都没有真正的用处。通常，很难在脚本中运行 sudo ，并且脚本中会发生很多Docker问题。容器几乎也永远不会运行诸如 getty 或 sshd 之类的可能会接受用户密码的东西，并且它们读起来很简单。从 docker history 返回，因此设置一个没有意义。相反，如果您可以在容器中放置壳，则始终可以将 -u root 传递给 docker run 或 docker exec 命令获取根shell。

Also note that neither sudo nor user passwords are really useful in Docker. It's hard to run sudo in a script just in general and a lot of Docker things happen in scripts. Containers also almost never run things like getty or sshd that could potentially accept user passwords, and they're trivial to read back from docker history, so there's no point in setting one. Conversely, if you're in a position to get a shell in a container, you can always pass -u root to the docker run or docker exec command to get a root shell.