I am using the Dockerfile and entrypoint.sh below. I need to start the crond service in the container as a non-root user, but I get Permission denied. How do I start the crond service as a non-root user?
I need to have USER in the Dockerfile, as it is a mandatory admin setting on my OpenShift 3 platform.
Dockerfile
FROM centos:centos7.4.1708
# /var/lib/apt/lists does not exist on CentOS, so the rm below is a no-op (yum clean all is the yum equivalent)
RUN yum update -y && yum install -y cronie && rm -rf /var/lib/apt/lists/*
RUN cd / && mkdir /code
ADD entrypoint.sh /code/
RUN chmod -R 755 /code/entrypoint.sh
ENTRYPOINT ["/code/entrypoint.sh"]
# OpenShift runs the container with this arbitrary, non-root UID
RUN useradd -l -u 1001510000 -c "1001510000" 1001510000
USER 1001510000
CMD ["top"]
entrypoint.sh
#!/bin/bash
echo "in the entrypoint!"
echo "executing id"
id
echo "executing crond start"
# crond forks into the background; the pid-file error below comes from this call
crond start
echo "executing $@"
# exec the command so it becomes PID 1 and receives signals; quote "$@" to preserve arguments
exec "$@"
Error Output
in the entrypoint!
executing id
uid=1001510000(1001510000) gid=1000(1001510000) groups=1000(1001510000)
executing crond start
crond: can't open or create /var/run/crond.pid: Permission denied
executing top
First of all, crond has to invoke commands on behalf of other users. How could it do that without being run by root? Even if you somehow run this daemon process as this user, there is a high probability that it will lack other permissions needed to run certain commands.
But I guess you can try, maybe this will help:
Your user simply doesn't have the permissions, as the error log says. If you want to try running as a non-root user, create a group, let's say crond-users, and change the group of /var/run/crond.pid from root to crond-users. Last but not least, add your user to the crond-users group.
Like so:
# crond has not run yet at build time, so create the pid file before chgrp and make it group-writable
RUN groupadd crond-users && \
    touch /var/run/crond.pid && chgrp crond-users /var/run/crond.pid && chmod 664 /var/run/crond.pid && \
    usermod -a -G crond-users 1001510000
Hint 1.
Moreover, the Docker default entrypoint is /bin/bash -c, but there is no default command. So your Dockerfile could look like this:
FROM centos:centos7.4.1708
# ADD creates /code itself; it must come before the chmod, otherwise the build fails on a missing file
ADD entrypoint.sh /code/
# CentOS has no apt cache; yum clean all is the cleanup that fits this base image.
# groupadd is the CentOS command (addgroup is Debian/Alpine), and the pid file is
# pre-created and made group-writable because crond has not run at build time.
RUN yum update -y && yum install -y cronie && yum clean all && \
    chmod -R 755 /code/entrypoint.sh && \
    useradd -l -u 1001510000 -c "1001510000" 1001510000 && \
    groupadd crond-users && \
    touch /var/run/crond.pid && chgrp crond-users /var/run/crond.pid && chmod 664 /var/run/crond.pid && \
    usermod -a -G crond-users 1001510000
USER 1001510000
CMD ["/code/entrypoint.sh", "top"]
Hint 2.
Try to avoid using the same Dockerfile instruction multiple times (in your case you had 4x RUN). Each instruction is a separate layer in the built image. This is a known Dockerfile best practice:
"Minimize the number of layers. In older versions of Docker, it was important that you minimized the number of layers in your images to ensure they were performant. The following features were added to reduce this limitation: In Docker 1.10 and higher, only the instructions RUN, COPY, ADD create layers. Other instructions create temporary intermediate images, and do not directly increase the size of the build."
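As an added example (not code from the question or the answer above), here is a preflight check an entrypoint can run before starting crond as a non-root user. It reproduces the access check behind the error in the question: crond opens its pid file for read/write and creates it if absent, so the process needs write permission on an existing file, or write and search permission on the directory when the file does not exist yet. The default path /var/run/crond.pid is the one from the error output; the function names and the "check" argument are assumptions of this example, and the fix messages follow the group-ownership approach the answer suggests.

```shell
#!/bin/bash
# Added example: fail fast with a clear message instead of letting crond die with
# "can't open or create /var/run/crond.pid: Permission denied".
# The function names and the "check" argument are this example's own assumptions.

# Returns 0 when the current user could open PIDFILE with O_RDWR|O_CREAT, which is
# what crond does: an existing file must be writable; a missing file requires a
# writable, searchable parent directory.
pidfile_creatable() {
    pidfile=${1:-/var/run/crond.pid}
    dir=$(dirname "$pidfile")
    if [ -e "$pidfile" ]; then
        [ -w "$pidfile" ]
    else
        [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]
    fi
}

# Prints the reason and the build-time change that would make the open succeed.
# Returns 0 when crond could proceed, 1 otherwise.
explain_pidfile_access() {
    pidfile=${1:-/var/run/crond.pid}
    if pidfile_creatable "$pidfile"; then
        echo "ok: $(id -un) can open $pidfile"
        return 0
    fi
    echo "crond would fail: $(id -un) (uid $(id -u), groups $(id -G)) cannot open $pidfile" >&2
    if [ -e "$pidfile" ]; then
        echo "fix: chgrp <group-of-user> '$pidfile' && chmod g+w '$pidfile' at image build time" >&2
    else
        echo "fix: touch '$pidfile' at build time and make it group-writable, or make $(dirname "$pidfile") writable" >&2
    fi
    return 1
}

# Usage from an entrypoint: ./preflight.sh check [pidfile]; exit status mirrors the verdict.
if [ "${1:-}" = "check" ]; then
    explain_pidfile_access "${2:-/var/run/crond.pid}"
fi
```

Run it as the container user before the crond call in the entrypoint; a non-zero exit there is easier to diagnose in OpenShift pod logs than the daemon's own one-line error, and it keeps the fix at the file-ownership level the answer proposes rather than a blanket chmod 777 on /var/run.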