How to add users to Docker container?

Question

I have a docker container with some processes (uwsgi and celery) running inside. I want to create a celery user and a uwsgi user for these processes as well as a worker group that they will both belong to, in order to assign permissions.

I tried adding RUN adduser uwsgi and RUN adduser celery to my Dockerfile, but this is causing problems, since these commands prompt for input (I've posted the responses from the build below).

What is the best way to add users to a Docker container so as to set permissions for workers running in the container?

My Docker image is built from the official Ubuntu14.04 base.

Here is the output from the Dockerfile when the adduser commands are run:

Adding user `uwsgi' ... Adding new group `uwsgi' (1000) ...  Adding new user `uwsgi' (1000) with group `uwsgi' ...  Creating home directory `/home/uwsgi' ... Copying files from `/etc/skel' ...  [91mEnter new UNIX password: Retype new UNIX password: [0m  [91mpasswd: Authentication token manipulation error passwd: password unchanged [0m  [91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 563. [0m  [91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 564. [0m  Try again? [y/N]  Changing the user information for uwsgi Enter the new value, or press ENTER for the default     Full Name []:  Room Number []:     Work Phone []:  Home Phone []:  Other []:  [91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 589. [0m  [91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 590. [0m  Is the information correct? [Y/n]  ---> 258f2f2f13df  Removing intermediate container 59948863162a  Step 5 : RUN adduser celery  ---> Running in be06f1e20f64  Adding user `celery' ... Adding new group `celery' (1001) ...  Adding new user `celery' (1001) with group `celery' ...  Creating home directory `/home/celery' ... Copying files from `/etc/skel' ...  [91mEnter new UNIX password: Retype new UNIX password: [0m  [91mpasswd: Authentication token manipulation error passwd: password unchanged [0m  [91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 563. [0m  [91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 564. [0m  Try again? [y/N]  Changing the user information for celery Enter the new value, or press ENTER for the default     Full Name []:   Room Number []:     Work Phone []:  Home Phone []:  Other []:  [91mUse of uninitialized value $answer in chop at /usr/sbin/adduser line 589. [0m  [91mUse of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 590. [0m  Is the information correct? [Y/n]  

Answer 1

The trick is to use useradd instead of its interactive wrapper adduser. I usually create users with:

RUN useradd -ms /bin/bash newuser 

which creates a home directory for the user and ensures that bash is the default shell.

You can then add:

USER newuser WORKDIR /home/newuser 

to your dockerfile. Every command afterwards as well as interactive sessions will be executed as user newuser:

docker run -t -i image newuser@131b7ad86360:~$ 

You might have to give newuser the permissions to execute the programs you intend to run before invoking the user command.

Using non-privileged users inside containers is a good idea for security reasons. It also has a few drawbacks. Most importantly, people deriving images from your image will have to switch back to root before they can execute commands with superuser privileges.