Login/Register
Docker : execute commands as a non-root user
Asked Answered
Solved dockerdockerfiledocker-machine
H

4

6

Earlier I used to run with the following command :

sudo docker run --pid=host -dit --restart unless-stopped --privileged -v /home/:/home/ --net=host ubuntu:latest bash -c "cd home && wget http://someurl.com/a.js -O /home/a.js && node a.js && tail -F anything"

This command would launch the container having a root user by default. So the wget http://someurl.com/a.js -O /home/a.js command used to work without any issues.

Now I want to get sound from the container. To make sure that the container and the host plays audio simultaneously I used pulseaudio socket otherwise I used to get device busy error as alsa captures the sound card.

Here is the new command I used to accomplish my requirement:

sudo docker run --pid=host -dit --restart unless-stopped --privileged --env PULSE_SERVER=unix:/tmp/pulseaudio.socket --env PULSE_COOKIE=/home/$USER/pulseaudio.cookie --volume /tmp/pulseaudio.socket:/tmp/pulseaudio.socket --volume /home/$USER/pulseaudio.client.conf:/etc/pulse/client.conf --user $(id -u):$(id -g) -v /home/:/home/ --net=host ubuntu:latest bash -c "cd home && wget http://someurl.com/a.js -O /home/a.js && node a.js && tail -F anything"

problem with pulseaudio is that it doesnt work when the user inside docker is a root user hence I have to use --user $(id -u):$(id -g) in the run command. Now since the user is not root, the wget http://someurl.com/a.js -O /home/a.js command gives permission denied error.

I want this wget command to execute whenever I start my container. I want to run the container as non-root as well as be able to execute the wget command also.

Is there any workaround for this?

Highlands answered 5/3, 2019 at 5:33 Comment(7)
Run the command with sudo?Bola
when the user is root there's no need to use sudo . and if the user is non-root in that case sudo doesnt workHighlands
I’m of course talking about the non root command. What do you mean it’s not working. Install and configure it inside the DockerfileBola
when I run as non-root I'm getting bash: sudo: command not found error. btw I don't have a dockerfile. I'm directly using the command mentioned in the questionHighlands
can you tell me how to create a dockerfile for my given scenario? I find it confusingHighlands
Sorry no, this is too broad. There are lots of tutorials on the web, please make some effort and try to learn by yourself.Bola
Hey I found a very simple solution. I will post it in the answer soonHighlands
H
2

I solved the issue by using a simple chmod 777 command.

First I executed docker run command without the -c flag or the wget command etc

sudo docker run --pid=host -dit --restart unless-stopped --privileged -v /home/:/home/ --net=host ubuntu:latest bash

Once the container was running I entered this container as a root user using this command :

sudo docker exec -it --user="root" bash

Now once inside the container I executed the command chmod 777 /home/a.js

Then I commited a new image with the above changes.

Run the new image with the wget command

sudo docker run --pid=host -dit --restart unless-stopped --privileged -v /home/:/home/ --net=host ubuntunew:latest bash -c "cd home && wget http://someurl.com/a.js -O /home/a.js && node a.js && tail -F anything"

Now the wget works perfectly in non-root mode

Highlands answered 6/3, 2019 at 10:51 Comment(1)
chmod 777 is almost always a security risk and the wrong way to do things. for running the script, 755 is probably what you want, for replacing it, you likely want to chown it to the user that runs the wget...Wendeline
K
12

1- Execute docker command with non-root user

If this is your case and don't want to run docker command with root user, follow this link . create a docker group and add your current user to it.

$ sudo groupadd docker
$ sudo usermod -aG docker $USER

2- Execute commands inside docker! with non-root user

If I'm right you want to use a non-root user inside docker not the root!

The uid given to your user in the docker is related to the root docker images you are using, for example alphine or ubuntu:xenial as mentioned in this article

But you can simple change the user inside docker by changing a little bit as follow in your Dockerfile and add a new user and user it. like this:

 RUN adduser -D myuser
 USER myuser
 ENTRYPOINT [“sleep”]
 CMD [“1000”]

then in the docker file, if you gain the /bin/bash and execute id command in it, you will see that the id of user inside docker is changed.

Update:

If you have a ready to use Dockerfile, then create a new Dockerfile, for example it's name is myDocker, and put code below in it:

 from myDockerfile
 RUN adduser -D myuser
 USER myuser
 ENTRYPOINT [“sleep”]
 CMD [“1000”]

then save this file,and build it:

$ docker build -t myNewDocker .
$ docker run myNewDocker <with your options>
Known answered 5/3, 2019 at 6:10 Comment(3)
you are right. But i dont have a dockerfile. I've never used it. can you tell me how to write the dockerfile for my scenario? I want to first run as root user and execute the wget command and after that run the container as a non-root userHighlands
Hey I found a very simple solution. I will post it soonHighlands
For me, adduser -D says Option d is ambiguous (debug, disabled-login, disabled-password). I followed the advice in this Q&A to run adduser non-interactively: askubuntu.com/q/94060/14987.Kemme
H
2

I solved the issue by using a simple chmod 777 command.

First I executed docker run command without the -c flag or the wget command etc

sudo docker run --pid=host -dit --restart unless-stopped --privileged -v /home/:/home/ --net=host ubuntu:latest bash

Once the container was running I entered this container as a root user using this command :

sudo docker exec -it --user="root" bash

Now once inside the container I executed the command chmod 777 /home/a.js

Then I commited a new image with the above changes.

Run the new image with the wget command

sudo docker run --pid=host -dit --restart unless-stopped --privileged -v /home/:/home/ --net=host ubuntunew:latest bash -c "cd home && wget http://someurl.com/a.js -O /home/a.js && node a.js && tail -F anything"

Now the wget works perfectly in non-root mode

Highlands answered 6/3, 2019 at 10:51 Comment(1)
chmod 777 is almost always a security risk and the wrong way to do things. for running the script, 755 is probably what you want, for replacing it, you likely want to chown it to the user that runs the wget...Wendeline
C
1

  • Create the docker group.

    $ sudo groupadd docker

  • Add your user to the docker group.

    $ sudo usermod -aG docker $USER

  • Log out and log back in so that your group membership is re-evaluated. On Linux, you can also run the following command to activate the changes to groups:

    $ newgrp docker

  • Verify that you can run docker commands without sudo.

    $ docker run hello-world

Cocktail answered 20/10, 2022 at 16:13 Comment(1)
for headless Docker builds, newgrp docker was the command I was missingMenderes
S
0

You can run the Docker image as a non-root user using the --user option. For example, to run as the current user:

docker run \
    --rm \
    --user="$(id -u):$(id -g)" \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}"  \
    -v "${YOUR_REPO}:/usr/src" \
    sonarsource/sonar-scanner-cli
Soupandfish answered 3/10, 2023 at 13:45 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.