I created a Python web application using the Tornado server and am now dockerizing it. I am trying to build a Docker image for continuous integration and continuous delivery. I am able to create the Docker image with the root user. Now I want to build the Docker image with a non-root user and set up the application using pipenv.
Dockerfile
FROM python:3.6
RUN apt-get update -y
ENV USER dockeruser
ENV HOME /home/$USER
RUN useradd -m $USER && echo $USER:$USER | chpasswd && adduser $USER sudo
RUN chown $USER:$USER $HOME
USER $USER
RUN mkdir -p $HOME/myapp
COPY . $HOME/myapp
WORKDIR $HOME/myapp
RUN echo $(whoami)
RUN pip3 install pipenv --user
RUN echo $(which python)
RUN echo $(which pipenv)
RUN pipenv install --system --deploy --ignore-pipfile
EXPOSE 8002
# Run server.py when container launches
CMD gunicorn -k tornado server:app -b 0.0.0.0:8002 -w 4 -p server.pid
While building the image I get "pipenv: not found":
docker build -f Dockerfile -t myapp .
Sending build context to Docker daemon 51.2kB
Step 1/17 : FROM python:3.6
---> 1ec4d11819ad
Step 2/17 : RUN apt-get update -y
---> Using cache
---> 010d1ef4aee8
Step 3/17 : ENV USER dockeruser
---> Using cache
---> 9b9825691f31
Step 4/17 : ENV HOME /home/$USER
---> Using cache
---> 4002da8d84bf
Step 5/17 : RUN useradd -m $USER && echo $USER:$USER | chpasswd && adduser $USER sudo
---> Using cache
---> e6105957751e
Step 6/17 : RUN chown $USER:$USER $HOME
---> Using cache
---> e1b4d901ae9f
Step 7/17 : USER $USER
---> Using cache
---> e22af3515d86
Step 8/17 : RUN mkdir -p $HOME/myapp
---> Using cache
---> 6a7e99189ad8
Step 9/17 : COPY . $HOME/myapp
---> Using cache
---> f6e7ac570431
Step 10/17 : WORKDIR $HOME/myapp
---> Using cache
---> a0eaa4346a8c
Step 11/17 : RUN echo $(whoami)
---> Running in 60e249e38e94
dockeruser
Removing intermediate container 60e249e38e94
---> 015dfa644ff0
Step 12/17 : RUN pip3 install pipenv --user
---> Running in 5966183d82b0
Collecting pipenv
Downloading https://files.pythonhosted.org/packages/13/b4/3ffa55f77161cff9a5220f162670f7c5eb00df52e00939e203f601b0f579/pipenv-2018.11.26-py3-none-any.whl (5.2MB)
Collecting virtualenv-clone>=0.2.5 (from pipenv)
Downloading https://files.pythonhosted.org/packages/16/9d/6419a4f0fe4350db7fdc01e9d22e949779b6f2d2650e4884aa8aededc5ae/virtualenv_clone-0.4.0-py2.py3-none-any.whl
Collecting virtualenv (from pipenv)
Downloading https://files.pythonhosted.org/packages/7c/17/9b7b6cddfd255388b58c61e25b091047f6814183e1d63741c8df8dcd65a2/virtualenv-16.1.0-py2.py3-none-any.whl (1.9MB)
Collecting certifi (from pipenv)
Downloading https://files.pythonhosted.org/packages/9f/e0/accfc1b56b57e9750eba272e24c4dddeac86852c2bebd1236674d7887e8a/certifi-2018.11.29-py2.py3-none-any.whl (154kB)
Requirement already satisfied: pip>=9.0.1 in /usr/local/lib/python3.6/site-packages (from pipenv) (18.1)
Requirement already satisfied: setuptools>=36.2.1 in /usr/local/lib/python3.6/site-packages (from pipenv) (40.6.2)
Installing collected packages: virtualenv-clone, virtualenv, certifi, pipenv
The script virtualenv-clone is installed in '/home/dockeruser/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
The script virtualenv is installed in '/home/dockeruser/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
The scripts pipenv and pipenv-resolver are installed in '/home/dockeruser/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed certifi-2018.11.29 pipenv-2018.11.26 virtualenv-16.1.0 virtualenv-clone-0.4.0
Removing intermediate container 5966183d82b0
---> 22aee2cc9a96
Step 13/17 : RUN echo $(which python)
---> Running in 140c3fa728f6
/usr/local/bin/python
Removing intermediate container 140c3fa728f6
---> 86816d83b846
Step 14/17 : RUN echo $(which pipenv)
---> Running in ac211799f058
Removing intermediate container ac211799f058
---> cf1b7ea148bb
Step 15/17 : RUN pipenv install --system --deploy --ignore-pipfile
---> Running in 47f0837ce1d7
/bin/sh: 1: pipenv: not found
The command '/bin/sh -c pipenv install --system --deploy --ignore-pipfile' returned a non-zero code: 127
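An added Dockerfile (not from the question or any of the answers) that keeps the question's approach of installing pipenv as the unprivileged user and fixes the build. The pip output above shows the cause: `pip install --user` puts the `pipenv` script in `~/.local/bin`, which is not on PATH. It also drops `--system`, because as a non-root user that flag would try to write into the root-owned system site-packages; instead pipenv creates a virtualenv inside the project directory. The user name, port and gunicorn command are taken from the question; `PIPENV_VENV_IN_PROJECT` and `COPY --chown` are standard pipenv and Docker features.

```dockerfile
FROM python:3.6

# Unprivileged runtime user: no password set and no sudo membership,
# so a compromise of the app does not hand out a route to root.
ENV USER=dockeruser \
    HOME=/home/dockeruser
RUN useradd -m $USER

# pip --user installs console scripts into ~/.local/bin, which is not on
# PATH by default; this is why `which pipenv` printed nothing above.
# PIPENV_VENV_IN_PROJECT makes pipenv create ./.venv instead of a
# virtualenv under ~/.local/share, keeping everything in one place.
ENV PATH=$HOME/.local/bin:$PATH \
    PIPENV_VENV_IN_PROJECT=1

USER $USER
WORKDIR $HOME/myapp

# COPY runs as root regardless of USER; --chown keeps the tree writable
# by the runtime user (pipenv creates .venv here, gunicorn writes the
# pidfile here).
COPY --chown=dockeruser:dockeruser . .

# Install pipenv for this user only, then install the locked dependencies
# into the project virtualenv. No --system: the system site-packages is
# owned by root and would fail with "Permission denied" for dockeruser.
# `pipenv --version` fails the build early if PATH is still wrong.
RUN pip3 install --user --no-warn-script-location pipenv \
 && pipenv --version \
 && pipenv install --deploy --ignore-pipfile

EXPOSE 8002

# Exec form so gunicorn is PID 1 and receives stop signals directly;
# `pipenv run` resolves the virtualenv's gunicorn.
CMD ["pipenv", "run", "gunicorn", "-k", "tornado", "server:app", \
     "-b", "0.0.0.0:8002", "-w", "4", "-p", "server.pid"]
```

After building, `docker run --rm myapp id -u` should print the uid of `dockeruser` rather than 0, which is the quick check that the runtime user really is non-root.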
Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime. Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as the prerequisites are met.
You can try to run Docker containers as a non-root user by adding users to the docker group. If there is no docker group, you can always create one.
Running the container as root brings a lot of risks. Although being root inside the container is not the same as root on the host machine (some more details here) and you're able to deny a lot of capabilities during container startup, it is still the recommended approach to avoid being root.
There's nothing wrong with installing software "globally" in a Docker image (which will generally only do one thing), and to committing to some implementation details like container-internal usernames and paths. It's totally fine to install software as root and switch to a non-root user to actually run the image.
I might write this Dockerfile like:
FROM python:3.6
# Globally install pipenv
RUN pip3 install pipenv
# Set up the app directory (Docker will create it for us)
WORKDIR /myapp
COPY . ./
RUN pipenv install --system --deploy --ignore-pipfile
# Establish the runtime user (with no password and no sudo)
RUN useradd -m myapp
USER myapp
# Normal image metadata
EXPOSE 8002
# /myapp was created by root and is read-only for the myapp user, so the
# gunicorn pidfile must be written somewhere myapp can write
CMD gunicorn -k tornado server:app -b 0.0.0.0:8002 -w 4 -p /tmp/server.pid