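By default, Batch executes runnables as the root user.
To have Batch execute runnables as a non-root user (for example, to run an application that doesn't allow root users or to meet security requirements), create a Batch job that uses OS Login. When you enable OS Login in a Batch job, OS Login configures a user account on the VMs that the job runs on. All runnables in the job are then executed by that user account on the VM instead of by the root user.
For example, a job that executes runnables as a non-root user has a JSON configuration file similar to the following: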
{"taskGroups":[{"taskSpec":{"runnables":[{"script":{"text":"echo Hello World! This is task $BATCH_TASK_INDEX executed by $(whoami)."}}]},"taskCount":3,"runAsNonRoot":true}],"logsPolicy":{"destination":"CLOUD_LOGGING"}}
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-02-11(UTC)"],[[["\u003cp\u003eBatch jobs typically run as the root user, but they can be configured to run as a non-root user for security or application requirements.\u003c/p\u003e\n"],["\u003cp\u003eTo run a Batch job as a non-root user, enable OS Login and set the \u003ccode\u003erunAsNonRoot\u003c/code\u003e field to \u003ccode\u003etrue\u003c/code\u003e when creating the job.\u003c/p\u003e\n"],["\u003cp\u003eSpecific IAM roles, such as Batch Job Editor, Service Account User, and Compute OS Login, are required to create and run jobs as a non-root user.\u003c/p\u003e\n"],["\u003cp\u003eEnabling OS Login configures a user account on the VMs, allowing all runnables in the Batch job to be executed by this user instead of root.\u003c/p\u003e\n"]]],[],null,["# Create and run jobs as a non-root user\n\nThis document describes how to create and run a Batch job as a\nnon-root user.\n\nBy default, Batch executes runnables as the root user.\nIf you want Batch to execute runnables as a\nnon-root user---for example, to run an application that doesn't\nallow root users or to meet security requirements---create a\nBatch job that uses [OS Login](/compute/docs/oslogin). When\nyou enable OS Login in a Batch job, OS Login configures a user\naccount for you on the VMs that your job runs on. All runnables in the job are\nthen executed by your user account on the VM instead of by the root user.\n\nBefore you begin\n----------------\n\n1. 
If you haven't used Batch before, review [Get started with Batch](/batch/docs/get-started) and enable Batch by completing the [prerequisites for projects and users](/batch/docs/get-started#prerequisites).\n2. If you haven't done so already, enable the\n [OS Login API](/compute/docs/oslogin/rest) by running the following\n command:\n\n ```\n gcloud services enable oslogin.googleapis.com\n ```\n3.\n\n To get the permissions that\n you need to create and run a job as a non-root user,\n\n ask your administrator to grant you the\n following IAM roles:\n\n - [Batch Job Editor](/iam/docs/roles-permissions/batch#batch.jobsEditor) (`roles/batch.jobsEditor`) on the project\n - [Service Account User](/iam/docs/roles-permissions/iam#iam.serviceAccountUser) (`roles/iam.serviceAccountUser`) on the [job's service account](/batch/docs/create-run-job-custom-service-account#create-job-service-account), which by default is the default Compute Engine service account\n - [Compute OS Login](/iam/docs/understanding-roles#compute.osLogin) (`roles/compute.osLogin`) or [Compute OS Admin Login](/iam/docs/understanding-roles#compute.osAdminLogin) (`roles/compute.osAdminLogin`) on the project\n - If you are from a different organization than the project: [Compute OS Login External User](/iam/docs/roles-permissions/compute#compute.osLoginExternalUser) (`roles/compute.osLoginExternalUser`) on the project's organization\n\n\n For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\n You might also be able to get\n the required permissions through [custom\n roles](/iam/docs/creating-custom-roles) or other [predefined\n roles](/iam/docs/roles-overview#predefined).\n | **Note:** Users with the Compute OS Admin Login role have sudo permissions, but Batch doesn't execute jobs using those permissions.\n\n\u003cbr /\u003e\n\nCreate a job that runs as a non-root 
user\n-----------------------------------------\n\nCreate a Batch job that runs executables through your own user\naccount by doing the following:\n\nUse the Google Cloud CLI or REST API to\n[create a job](/batch/docs/create-run-basic-job#create-basic-job) that\nincludes the\n[`runAsNonRoot` field](/batch/docs/reference/rest/v1/projects.locations.jobs#TaskGroup.FIELDS.run_as_non_root)\nset to `true` in the main body of the JSON file: \n\n \"runAsNonRoot\": true\n\nFor example, a job that runs executables as a non-root user would have a JSON\nconfiguration file similar to the following: \n\n {\n \"taskGroups\": [\n {\n \"taskSpec\": {\n \"runnables\": [\n {\n \"script\": {\n \"text\": \"echo Hello World! This is task $BATCH_TASK_INDEX executed by $(whoami).\"\n }\n }\n ]\n },\n \"taskCount\": 3,\n \"runAsNonRoot\": true\n }\n ],\n \"logsPolicy\": {\n \"destination\": \"CLOUD_LOGGING\"\n }\n }\n\nWhat's next\n-----------\n\n- If you have issues creating or running a job, see [Troubleshooting](/batch/docs/troubleshooting).\n- [View jobs and tasks](/batch/docs/view-jobs-tasks).\n- Learn about more [job creation options](/batch/docs/create-run-job#job-creation-options)."]]