使用 Google Cloud CLI 或 REST API 创建作业,该作业在 JSON 文件的正文中包含设置为 true 的 runAsNonRoot 字段:
"runAsNonRoot":true
例如,以非根用户身份运行可执行文件的作业的 JSON 配置文件类似于以下内容:
{"taskGroups":[{"taskSpec":{"runnables":[{"script":{"text":"echo Hello World! This is task $BATCH_TASK_INDEX executed by $(whoami)."}}]},"taskCount":3,"runAsNonRoot":true}],"logsPolicy":{"destination":"CLOUD_LOGGING"}}
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-05。"],[[["\u003cp\u003eBatch jobs typically run as the root user, but they can be configured to run as a non-root user for security or application requirements.\u003c/p\u003e\n"],["\u003cp\u003eTo run a Batch job as a non-root user, enable OS Login and set the \u003ccode\u003erunAsNonRoot\u003c/code\u003e field to \u003ccode\u003etrue\u003c/code\u003e when creating the job.\u003c/p\u003e\n"],["\u003cp\u003eSpecific IAM roles, such as Batch Job Editor, Service Account User, and Compute OS Login, are required to create and run jobs as a non-root user.\u003c/p\u003e\n"],["\u003cp\u003eEnabling OS Login configures a user account on the VMs, allowing all runnables in the Batch job to be executed by this user instead of root.\u003c/p\u003e\n"]]],[],null,["# Create and run jobs as a non-root user\n\nThis document describes how to create and run a Batch job as a\nnon-root user.\n\nBy default, Batch executes runnables as the root user.\nIf you want Batch to execute runnables as a\nnon-root user---for example, to run an application that doesn't\nallow root users or to meet security requirements---create a\nBatch job that uses [OS Login](/compute/docs/oslogin). When\nyou enable OS Login in a Batch job, OS Login configures a user\naccount for you on the VMs that your job runs on. All runnables in the job are\nthen executed by your user account on the VM instead of by the root user.\n\nBefore you begin\n----------------\n\n1. If you haven't used Batch before, review [Get started with Batch](/batch/docs/get-started) and enable Batch by completing the [prerequisites for projects and users](/batch/docs/get-started#prerequisites).\n2. If you haven't done so already, enable the\n [OS Login API](/compute/docs/oslogin/rest) by running the following\n command:\n\n ```\n gcloud services enable oslogin.googleapis.com\n ```\n3.\n\n To get the permissions that\n you need to create and run a job as a non-root user,\n\n ask your administrator to grant you the\n following IAM roles:\n\n - [Batch Job Editor](/iam/docs/roles-permissions/batch#batch.jobsEditor) (`roles/batch.jobsEditor`) on the project\n - [Service Account User](/iam/docs/roles-permissions/iam#iam.serviceAccountUser) (`roles/iam.serviceAccountUser`) on the [job's service account](/batch/docs/create-run-job-custom-service-account#create-job-service-account), which by default is the default Compute Engine service account\n - [Compute OS Login](/iam/docs/understanding-roles#compute.osLogin) (`roles/compute.osLogin`) or [Compute OS Admin Login](/iam/docs/understanding-roles#compute.osAdminLogin) (`roles/compute.osAdminLogin`) on the project\n - If you are from a different organization than the project: [Compute OS Login External User](/iam/docs/roles-permissions/compute#compute.osLoginExternalUser) (`roles/compute.osLoginExternalUser`) on the project's organization\n\n\n For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\n You might also be able to get\n the required permissions through [custom\n roles](/iam/docs/creating-custom-roles) or other [predefined\n roles](/iam/docs/roles-overview#predefined).\n | **Note:** Users with the Compute OS Admin Login role have sudo permissions, but Batch doesn't execute jobs using those permissions.\n\n\u003cbr /\u003e\n\nCreate a job that runs as a non-root user\n-----------------------------------------\n\nCreate a Batch job that runs executables through your own user\naccount by doing the following:\n\nUse the Google Cloud CLI or REST API to\n[create a job](/batch/docs/create-run-basic-job#create-basic-job) that\nincludes the\n[`runAsNonRoot` field](/batch/docs/reference/rest/v1/projects.locations.jobs#TaskGroup.FIELDS.run_as_non_root)\nset to `true` in the main body of the JSON file: \n\n \"runAsNonRoot\": true\n\nFor example, a job that runs executables as a non-root user would have a JSON\nconfiguration file similar to the following: \n\n {\n \"taskGroups\": [\n {\n \"taskSpec\": {\n \"runnables\": [\n {\n \"script\": {\n \"text\": \"echo Hello World! This is task $BATCH_TASK_INDEX executed by $(whoami).\"\n }\n }\n ]\n },\n \"taskCount\": 3,\n \"runAsNonRoot\": true\n }\n ],\n \"logsPolicy\": {\n \"destination\": \"CLOUD_LOGGING\"\n }\n }\n\nWhat's next\n-----------\n\n- If you have issues creating or running a job, see [Troubleshooting](/batch/docs/troubleshooting).\n- [View jobs and tasks](/batch/docs/view-jobs-tasks).\n- Learn about more [job creation options](/batch/docs/create-run-job#job-creation-options)."]]