I'm using alpine (or an image that is based on Alpine) as the base image in my Dockerfile. Which instructions do I need to add to create a user?
Eventually I'll use this user to run the application I'll place into the container so that the root user does not.
Alpine uses the command adduser and addgroup for creating users and groups (rather than useradd and usergroup).
FROM alpine:latest
# Create a group and user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# Tell docker that all future commands should run as the appuser user
USER appuser
The flags for adduser are:
Usage: adduser [OPTIONS] USER [GROUP]
Create new user, or add USER to GROUP
-h DIR Home directory
-g GECOS GECOS field
-s SHELL Login shell
-G GRP Group
-S Create a system user
-D Don't assign a password
-H Don't create home directory
-u UID User id
-k SKEL Skeleton directory (/etc/skel)
USER guest? –
Caporetto adduser and addgroup commands are different from adduser and addgroup as provided by Debian and Ubuntu which in turn are front ends to useradd and groupadd. Notably, the Debian and Ubuntu commands only support long form options. See: manpages.debian.org/stretch/adduser/adduser.8.en.html –
Shakhty The commands are adduser and addgroup.
Here's a template for Docker you can use in busybox environments (alpine) as well as Debian-based environments (Ubuntu, etc.):
ENV USER=docker
ENV GROUPNAME=$USER
ENV UID=12345
ENV GID=23456
RUN addgroup \
--gid "$GID" \
"$GROUPNAME" \
&& adduser \
--disabled-password \
--gecos "" \
--home "$(pwd)" \
--ingroup "$GROUPNAME" \
--no-create-home \
--uid "$UID" \
$USER
Note the following:
--disabled-password prevents prompt for a password--gecos "" circumvents the prompt for "Full Name" etc. on Debian-based systems--home "$(pwd)" sets the user's home to the WORKDIR. You may not want this.--no-create-home prevents cruft getting copied into the directory from /etc/skelThe usage description for these applications is missing the long flags present in the code for adduser and addgroup.
The following long-form flags should work both in alpine as well as debian-derivatives:
BusyBox v1.28.4 (2018-05-30 10:45:57 UTC) multi-call binary.
Usage: adduser [OPTIONS] USER [GROUP]
Create new user, or add USER to GROUP
--home DIR Home directory
--gecos GECOS GECOS field
--shell SHELL Login shell
--ingroup GRP Group (by name)
--system Create a system user
--disabled-password Don't assign a password
--no-create-home Don't create home directory
--uid UID User id
One thing to note is that if --ingroup isn't set then the GID is assigned to match the UID. If the GID corresponding to the provided UID already exists adduser will fail.
BusyBox v1.28.4 (2018-05-30 10:45:57 UTC) multi-call binary.
Usage: addgroup [-g GID] [-S] [USER] GROUP
Add a group or add a user to a group
--gid GID Group id
--system Create a system group
I discovered all of this while trying to write my own alternative to the fixuid project for running containers as the hosts UID/GID.
My entrypoint helper script can be found on GitHub.
The intent is to prepend that script as the first argument to ENTRYPOINT which should cause Docker to infer UID and GID from a relevant bind mount.
An environment variable "TEMPLATE" may be required to determine where the permissions should be inferred from.
(At the time of writing I don't have documentation for my script. It's still on the todo list!!)
useradd/groupadd with the --non-unique flag. Is there anyway to create duplicate id users/groups in alpine? –
Loritalorn shadow. –
Loritalorn --ingroup "$USER" supposed to be --ingroup "$GID"? I'm confused. –
Herv RUN adduser even necessary? Why don't we just use USER 10001:10001 in the Dockerfile? –
Adieu $GID would be useless). The group needs to exist already, too –
Viral --ingroup specifies a group by name. The flag --gid is intended for specifying a group number. In both cases the group must already exist. In the short term I'll update my answer with a GROUPNAME. A clearer answer would also include addgroup however my original answer failed to run. –
Incoming --ingroup accepts a group name only, it will fail if you use a GID. As Alpine's Busybox adduser command does not support the --gid option, --ingroup is the only way to configure the default group across platforms as far as I can tell. –
Incoming There is package shadow that brings useradd & usermod.
adduser has some stupid limitations:
$ sudo adduser --disabled-password root
adduser: user 'root' in use
but usermod doesn't:
$ sudo apk add shadow
$ sudo usermod --unlock root
Group and User Setup:
Create default values for User ID (UID), Group ID (GID), and username, which can be customized using arguments.
ARG USER_UID=1000
ARG GROUP_GID=1000
ARG UGNAME=webapp
Remove Existing Group and User:
Check for the presence of an existing group and user. If either exists, remove them.
RUN if getent passwd ${USER_UID} >/dev/null; then \
deluser $(getent passwd ${USER_UID} | cut -d: -f1); fi
RUN if getent group ${GROUP_GID} >/dev/null; then \
delgroup $(getent group ${GROUP_GID} | cut -d: -f1); fi
Create New Group and User:
Create a new system group and a new system user with the specified UID, GID, and username.
RUN addgroup --system --gid ${GROUP_GID} ${UGNAME}
RUN adduser --system --disabled-password --home /home/${UGNAME} \
--uid ${USER_UID} --ingroup ${UGNAME} ${UGNAME}
Set the user as the default user for the container. All subsequent commands will run with this user.
USER ${UGNAME}
© 2022 - 2024 — McMap. All rights reserved.
USER 405which is the guest user within Alpine Linux. – Lewert