ENTRYPOINT: first run command as root, then start shell for non-root user

Question

I'm writing a Dockerfile for an image that, when run, performs the following two things in order:

1. Start up a daemon as root
2. Start up an interactive shell as a non-root user

The problem is that ENTRYPOINT can only be run as a single user (whichever USER is set last before ENTRYPOINT in the Dockerfile). In this case, the ENTRYPOINT can only run as either root or the non-root user.

I can't put CMD commands before ENTRYPOINT, because they just get overridden by ENTRYPOINT.

How can I accomplish what I need?

Answer 1

You start your container as root. This runs your entrypoint as root. Perform all the steps you need, then make the last step look like:

exec gosu username /bin/bash

To launch /bin/bash as the user username. You can find gosu in this github repo. It has the advantage of running an su command with an implicit exec which avoids leaving the parent process around which can break signal handling.

If you make /bin/bash the value of CMD, you can make this more flexible with:

exec gosu username "$@"

Make sure to use the JSON syntax for ENTRYPOINT and CMD to avoid issues with the merged commands and cli args.

This is preferable over sudo since it avoids any option to go back from the user to root.