 

How to build docker with non-root user privileges to setup python application with pipenv?

I created a Python web application using the Tornado server and am now dockerizing it. I am trying to build a Docker image for continuous integration and continuous delivery. I am able to create the Docker image as the root user. Now I want to build the Docker image with a non-root user and set up the application using pipenv.

Dockerfile

FROM python:3.6

RUN apt-get update -y

ENV USER dockeruser
ENV HOME /home/$USER

RUN useradd -m $USER && echo $USER:$USER | chpasswd && adduser $USER sudo
RUN chown $USER:$USER $HOME

USER $USER

RUN mkdir -p $HOME/myapp
COPY . $HOME/myapp
WORKDIR $HOME/myapp

RUN echo $(whoami)
RUN pip3 install pipenv --user
RUN echo $(which python)
RUN echo $(which pipenv)
RUN pipenv install --system --deploy --ignore-pipfile

EXPOSE 8002

# Run server.py when container launches
CMD gunicorn -k tornado server:app -b 0.0.0.0:8002 -w 4 -p server.pid

While building the image I get "pipenv: not found":

docker build -f Dockerfile -t myapp .
Sending build context to Docker daemon   51.2kB
Step 1/17 : FROM python:3.6
 ---> 1ec4d11819ad
Step 2/17 : RUN apt-get update -y
 ---> Using cache
 ---> 010d1ef4aee8
Step 3/17 : ENV USER dockeruser
 ---> Using cache
 ---> 9b9825691f31
Step 4/17 : ENV HOME /home/$USER
 ---> Using cache
 ---> 4002da8d84bf
Step 5/17 : RUN useradd -m $USER && echo $USER:$USER | chpasswd && adduser $USER sudo
 ---> Using cache
 ---> e6105957751e
Step 6/17 : RUN chown $USER:$USER $HOME
 ---> Using cache
 ---> e1b4d901ae9f
Step 7/17 : USER $USER
 ---> Using cache
 ---> e22af3515d86
Step 8/17 : RUN mkdir -p $HOME/myapp
 ---> Using cache
 ---> 6a7e99189ad8
Step 9/17 : COPY . $HOME/myapp
 ---> Using cache
 ---> f6e7ac570431
Step 10/17 : WORKDIR $HOME/myapp
 ---> Using cache
 ---> a0eaa4346a8c
Step 11/17 : RUN echo $(whoami)
 ---> Running in 60e249e38e94
dockeruser
Removing intermediate container 60e249e38e94
 ---> 015dfa644ff0
Step 12/17 : RUN pip3 install pipenv --user
 ---> Running in 5966183d82b0
Collecting pipenv
  Downloading https://files.pythonhosted.org/packages/13/b4/3ffa55f77161cff9a5220f162670f7c5eb00df52e00939e203f601b0f579/pipenv-2018.11.26-py3-none-any.whl (5.2MB)
Collecting virtualenv-clone>=0.2.5 (from pipenv)
  Downloading https://files.pythonhosted.org/packages/16/9d/6419a4f0fe4350db7fdc01e9d22e949779b6f2d2650e4884aa8aededc5ae/virtualenv_clone-0.4.0-py2.py3-none-any.whl
Collecting virtualenv (from pipenv)
  Downloading https://files.pythonhosted.org/packages/7c/17/9b7b6cddfd255388b58c61e25b091047f6814183e1d63741c8df8dcd65a2/virtualenv-16.1.0-py2.py3-none-any.whl (1.9MB)
Collecting certifi (from pipenv)
  Downloading https://files.pythonhosted.org/packages/9f/e0/accfc1b56b57e9750eba272e24c4dddeac86852c2bebd1236674d7887e8a/certifi-2018.11.29-py2.py3-none-any.whl (154kB)
Requirement already satisfied: pip>=9.0.1 in /usr/local/lib/python3.6/site-packages (from pipenv) (18.1)
Requirement already satisfied: setuptools>=36.2.1 in /usr/local/lib/python3.6/site-packages (from pipenv) (40.6.2)
Installing collected packages: virtualenv-clone, virtualenv, certifi, pipenv
  The script virtualenv-clone is installed in '/home/dockeruser/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  The script virtualenv is installed in '/home/dockeruser/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
  The scripts pipenv and pipenv-resolver are installed in '/home/dockeruser/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed certifi-2018.11.29 pipenv-2018.11.26 virtualenv-16.1.0 virtualenv-clone-0.4.0
Removing intermediate container 5966183d82b0
 ---> 22aee2cc9a96
Step 13/17 : RUN echo $(which python)
 ---> Running in 140c3fa728f6
/usr/local/bin/python
Removing intermediate container 140c3fa728f6
 ---> 86816d83b846
Step 14/17 : RUN echo $(which pipenv)
 ---> Running in ac211799f058

Removing intermediate container ac211799f058
 ---> cf1b7ea148bb
Step 15/17 : RUN pipenv install --system --deploy --ignore-pipfile
 ---> Running in 47f0837ce1d7
/bin/sh: 1: pipenv: not found
The command '/bin/sh -c pipenv install --system --deploy --ignore-pipfile' returned a non-zero code: 127
asked Dec 03 '18 08:12 by prasannaboga



1 Answer

There's nothing wrong with installing software "globally" in a Docker image (which will generally only do one thing), or with committing to some implementation details like container-internal usernames and paths. It's totally fine to install software as root and switch to a non-root user to actually run the image.

I might write this Dockerfile like:

FROM python:3.6

# Globally install pipenv
RUN pip3 install pipenv

# Set up the app directory (Docker will create it for us)
WORKDIR /myapp
COPY . ./
RUN pipenv install --system --deploy --ignore-pipfile

# Establish the runtime user (with no password and no sudo)
RUN useradd -m myapp
USER myapp

# Normal image metadata
EXPOSE 8002
CMD gunicorn -k tornado server:app -b 0.0.0.0:8002 -w 4 -p server.pid
answered Sep 28 '22 22:09 by David Maze
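A check for the pattern discussed in this thread, added here as an example; it is not code from the question, the answer, or any project. The script is a small Dockerfile linter in Python: it tracks ENV and USER state through the instructions and reports the condition behind the build failure in the question (scripts from pip install --user landing in $HOME/.local/bin while that directory is not on PATH), the two things the answer deliberately leaves out (a password set with chpasswd and a runtime user in the sudo group), and a build that never switches away from root. DEFAULT_PATH, the /home/<user> fallback for HOME, and the two embedded Dockerfiles (a reduced copy of the question's, and a variant that keeps the --user install but extends PATH) are constructed assumptions.

```python
"""Lint a Dockerfile for the non-root pitfalls shown in the question above.
Added example (not code from the question, the answer or any project): tracks
ENV/USER state and reports `pip install --user` scripts landing off PATH (the
`pipenv: not found` above), chpasswd, a sudo-group runtime user, and no USER."""
import re
import shlex

DEFAULT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"  # assumed build PATH
_VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def expand(text, env):
    """Expand $VAR / ${VAR} from the ENV values collected so far."""
    return _VAR.sub(lambda m: env.get(m.group(1) or m.group(2), ""), text)


def parse(text):
    """Return (INSTRUCTION, args) pairs; joins backslash continuations, drops comments."""
    out, buf = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        head, _, rest = (buf + line).partition(" ")
        out.append((head.upper(), rest.strip()))
        buf = ""
    return out


def parse_env(args):
    """Accept both 'ENV KEY value' and 'ENV KEY=value KEY2=value2'."""
    if "=" in args.split(None, 1)[0]:
        return dict(tok.partition("=")[::2] for tok in shlex.split(args))
    key, _, value = args.partition(" ")
    return {key: value.strip()}


def simple_commands(shell_line):
    """Split a RUN line into its simple commands on && || ; and |."""
    cmds = [[]]
    for word in shlex.split(shell_line):
        if word in ("&&", "||", ";", "|"):
            cmds.append([])
        else:
            cmds[-1].append(word)
    return [c for c in cmds if c]


def is_pip_user_install(cmd):
    return cmd[0] in ("pip", "pip3") and "install" in cmd and "--user" in cmd


def lint(dockerfile):
    """Return [(instruction_number, message)]; an empty list means clean."""
    env, user, user_bin, findings = {"PATH": DEFAULT_PATH}, "root", None, []
    for n, (ins, args) in enumerate(parse(dockerfile), 1):
        if ins == "ENV":  # as in Docker, values see only ENV set by earlier instructions
            env.update({k: expand(v, env) for k, v in parse_env(args).items()})
        elif ins == "USER":
            user = expand(args, env)
        elif ins == "RUN":
            cmds = simple_commands(expand(args, env))  # the shell expands $VARs the same way
            if user_bin and user_bin not in env["PATH"].split(":"):
                findings.append((n, f"runs as {user} but {user_bin} (pip --user scripts) is not on PATH"))
                user_bin = None  # report the missing PATH entry once
            for cmd in cmds:
                if is_pip_user_install(cmd):
                    home = env.get("HOME") or ("/root" if user == "root" else f"/home/{user}")
                    user_bin = home + "/.local/bin"
                if cmd[0] == "chpasswd":
                    findings.append((n, "chpasswd bakes a password into an image layer"))
                if cmd[0] in ("adduser", "usermod", "useradd") and "sudo" in cmd:
                    findings.append((n, f"{cmd[0]} puts the runtime user in the sudo group"))
    if user == "root":
        findings.append((0, "no USER instruction: the container runs as root"))
    return findings


# Constructed inputs: the question's Dockerfile reduced to the lines that matter,
# and a variant that keeps the --user install but puts $HOME/.local/bin on PATH.
QUESTION_DOCKERFILE = """
FROM python:3.6
ENV USER dockeruser
ENV HOME /home/$USER
RUN useradd -m $USER && echo $USER:$USER | chpasswd && adduser $USER sudo
USER $USER
RUN pip3 install pipenv --user
RUN pipenv install --system --deploy --ignore-pipfile
"""
PATH_FIX_DOCKERFILE = """
FROM python:3.6
RUN useradd -m dockeruser
USER dockeruser
ENV HOME=/home/dockeruser PATH=/home/dockeruser/.local/bin:$PATH
RUN pip3 install pipenv --user
RUN pipenv --version
"""
```

lint(QUESTION_DOCKERFILE) reports chpasswd and the sudo group on the useradd line and the missing PATH entry on the line that first calls pipenv; lint(PATH_FIX_DOCKERFILE) and the answer's Dockerfile come back clean. One caveat the linter does not model: pipenv install --system writes into the interpreter's site-packages, which the non-root user cannot write to in the python image, so extending PATH makes pipenv findable but the --system install still has to run as root before the USER switch, as the answer does, or be replaced by a per-user virtualenv.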