I have a docker container with some processes (uwsgi and celery) running inside. I want to create a celery user and a uwsgi user for these processes as well as a worker group that they will both belong to, in order to assign permissions.
I tried adding RUN adduser uwsgi
and RUN adduser celery
to my Dockerfile, but this is causing problems, since these commands prompt for input (I've posted the responses from the build below).
What is the best way to add users to a Docker container so as to set permissions for workers running in the container?
My Docker image is built from the official Ubuntu14.04 base.
Here is the output from the Dockerfile when the adduser commands are run:
Adding user `uwsgi' ... Adding new group `uwsgi' (1000) ... Adding new user `uwsgi' (1000) with group `uwsgi' ... Creating home directory `/home/uwsgi' ... Copying files from `/etc/skel' ... [91mEnter new UNIX password: Retype new UNIX password: [0m [91mpasswd: Authentication token manipulation error passwd: password unchanged [0m [91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 563. [0m [91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 564. [0m Try again? [y/N] Changing the user information for uwsgi Enter the new value, or press ENTER for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: [91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 589. [0m [91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 590. [0m Is the information correct? [Y/n] ---> 258f2f2f13df Removing intermediate container 59948863162a Step 5 : RUN adduser celery ---> Running in be06f1e20f64 Adding user `celery' ... Adding new group `celery' (1001) ... Adding new user `celery' (1001) with group `celery' ... Creating home directory `/home/celery' ... Copying files from `/etc/skel' ... [91mEnter new UNIX password: Retype new UNIX password: [0m [91mpasswd: Authentication token manipulation error passwd: password unchanged [0m [91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 563. [0m [91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 564. [0m Try again? [y/N] Changing the user information for celery Enter the new value, or press ENTER for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: [91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 589. [0m [91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 590. [0m Is the information correct? [Y/n]
To create a common user, you must be connected to the root. You can optionally specify CONTAINER = ALL , which is the default when you are connected to the root. To create a local user, you must be connected to a PDB. You can optionally specify CONTAINER = CURRENT , which is the default when you are connected to a PDB.
To share Docker images, you have to use a Docker registry. The default registry is Docker Hub and is where all of the images we've used have come from. A Docker ID allows you to access Docker Hub which is the world's largest library and community for container images. Create a Docker ID for free if you don't have one.
The trick is to use useradd
instead of its interactive wrapper adduser
. I usually create users with:
RUN useradd -ms /bin/bash newuser
which creates a home directory for the user and ensures that bash is the default shell.
You can then add:
USER newuser WORKDIR /home/newuser
to your dockerfile. Every command afterwards as well as interactive sessions will be executed as user newuser
:
docker run -t -i image newuser@131b7ad86360:~$
You might have to give newuser
the permissions to execute the programs you intend to run before invoking the user command.
Using non-privileged users inside containers is a good idea for security reasons. It also has a few drawbacks. Most importantly, people deriving images from your image will have to switch back to root before they can execute commands with superuser privileges.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With