Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How To Run Cron As Non Root In Alpine

Tags:

docker

sh

cron

devops

alpine-linux

I am trying to run a container with the following scripts:

Dockerfile

FROM alpine:latest

USER root

RUN apk update \
    && apk upgrade \
    && apk --no-cache add busybox-suid su-exec
RUN chmod u+s /sbin/su-exec

RUN groupadd -r -g 2001 myuser \
    && useradd -r -u 1001 -g myuser myuser

RUN mkdir /home/myuser \
    && chown myuser /home/myuser

COPY --chown=myuser:myuser entrypoint.sh /home/myuser/entrypoint.sh
COPY --chown=myuser:myuser cronjob /home/myuser/cronjob

USER myuser

RUN crontab /home/myuser/cronjob
WORKDIR /home/myuser
ENTRYPOINT["./entrypoint.sh"]

entrypoint.sh

#!/bin/sh

# Start cron daemon.
su-exec root crond -f -l 8

# Start application.

I have read that elevating privileges is not good practice. Therefore, I wish to eliminate usage of su-exec + chmod u+s /sbin/su-exec in my script. I tried su and sudo as well but they were asking for root password so I switched to su-exec instead. I needed to elevate privilege because crond does not run properly without starting it as root. This container will be run in Kubernetes.

Is there a better way to do this?

like image 418
Ryklon Zen Avatar asked Aug 31 '25 15:08

Ryklon Zen

2 Answers

crond is now running as myuser after following the answer below.

https://github.com/gliderlabs/docker-alpine/issues/381#issuecomment-621946699

Dockerfile

FROM alpine:latest

USER root

RUN apk update \
    && apk upgrade \
    && apk --no-cache add dcron libcap

RUN groupadd -r -g 2001 myuser \
    && useradd -r -u 1001 -g myuser myuser

RUN mkdir /home/myuser \
    && chown myuser /home/myuser

RUN chown myuser:myuser /usr/sbin/crond \
    && setcap cap_setgid=ep /usr/sbin/crond

COPY --chown=myuser:myuser cronjob /home/myuser/cronjob
RUN crontab /home/myuser/cronjob

COPY --chown=myuser:myuser entrypoint.sh /home/myuser/entrypoint.sh

USER myuser

WORKDIR /home/myuser
ENTRYPOINT["./entrypoint.sh"]

entrypoint.sh

#!/bin/sh

# Start cron daemon.
crond -b -l 8

# Start application.
like image 153
Ryklon Zen Avatar answered Sep 02 '25 05:09

Ryklon Zen

With alpine 3.18, we added a cron task that is run by the foo user:

# run script as foo
0 4 * * * /bin/su -c '/usr/local/bin/php [command] >> /tmp/cron.log' - foo

(source for the usage of su)

This is used in the context of Docker, so we have this configuration:

  • in the Dockerfile: 
    ADD cron /etc/cron.d/app-cron
    (cron is the script shown above)
  • in the entrypoint script: 
    # start cron in background
crond -b &

crond will call the script every day at 4:00, and the script will run the command as foo.

like image 25
A.L Avatar answered Sep 02 '25 06:09

A.L
Sign in to Comment

Related questions

Docker: Does container inherit /etc/hosts from docker host?
Why do I need sklearn in docker container if I already have the model as a pickle?
Health check - web
Docker: Map external to internal user (howto apply '--user', howte execute .bashrc)?
Software Bill of materials for docker image

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!