I'm trying to write a Dockerfile that creates a user with a home directory who is part of the sudoers group and that launches the container as this user.
The problem I'm facing is that, from within the container, every command needs to be prepended with sudo, which obviously creates permission issues for every file that's created.
My reasoning behind doing this is that I want a container that mimics a clean Linux environment from which I can write install scripts for users.
Here is a copy of my Dockerfile so far:
FROM ubuntu:20.04
# Make user home
RUN mkdir -p /home/nick
# Create a nick user
RUN useradd -r -d /home/nick -m -s /sbin/nologin -c "Docker image user" nick
# Add to sudoers
RUN usermod -a -G sudo nick
# Change ownership of home directory
RUN chown -R nick:nick $HOME
# Set password
RUN echo "nick:******" | chpasswd
# Install sudo
RUN apt-get -y update && apt-get -y install sudo
ENV HOME=/home/nick
WORKDIR $HOME
USER nick
I don't understand why this doesn't work:
FROM continuumio/miniconda3
# FROM --platform=linux/amd64 continuumio/miniconda3
MAINTAINER Brando Miranda "[email protected]"
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ssh \
git \
m4 \
libgmp-dev \
opam \
wget \
ca-certificates \
rsync \
strace \
gcc \
rlwrap \
sudo
# https://github.com/giampaolo/psutil/pull/2103
RUN useradd -m bot
# format for chpasswd user_name:password
RUN echo "bot:bot" | chpasswd
RUN adduser bot sudo
WORKDIR /home/bot
USER bot
# CMD /bin/bash
Having a container where you can run sudo as a regular user is helpful when you are unit testing install scripts, so here is what needs to happen.
Create a group for the user
Add the user in that group
Allow the user to use sudo
Install gpg in order to be able to run sudo apt update inside the container.
ubuntu:20.04, ubuntu:22.04 and continuumio/miniconda3
A minimal Docker image would be something like:
#FROM continuumio/miniconda3
#FROM ubuntu:22.04
FROM ubuntu:20.04
ARG ARG_USER_UID=1000
ARG ARG_USER_GID=1000
ARG ARG_USER_NAME=foo
ARG SUDO_USER_SCRIPT="add-sudoer-user.sh"
# For ubuntu, do not use dash.
RUN DEBIAN_FRONTEND=noninteractive apt update \
&& apt upgrade -y \
&& apt-get install -y \
gpg \
sudo \
# Do not use dash, make /bin/sh symlink to bash instead of dash:
&& echo "dash dash/sh boolean false" | debconf-set-selections \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash \
# create the group
&& groupadd --non-unique --gid ${ARG_USER_GID} ${ARG_USER_NAME} \
# create the user
&& useradd --non-unique --uid ${ARG_USER_UID} --gid ${ARG_USER_GID} --create-home --shell /bin/bash ${ARG_USER_NAME} \
# don't prompt for password when using sudo
&& echo "${ARG_USER_NAME} ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/allow-${ARG_USER_NAME}"
USER ${ARG_USER_NAME}
WORKDIR /home/${ARG_USER_NAME}
ENV PATH="$PATH"
SHELL ["/bin/bash", "-c"]
RUN source /etc/bash.bashrc
Build the image:
docker buildx build -t my_image .
Run the container:
docker run --rm --tty --interactive --volume "$(pwd):/home/foo" my_image:latest /bin/bash
Then in the container you should be able to use sudo, for example:
sudo apt update
The new base images now have by default a user named ubuntu with id 1000; the simplest way to handle this is to remove the user before doing anything else.
FROM ubuntu:noble-20250529
# new ubuntu base images now have by default a user named `ubuntu` with id 1000
# get rid of it please, the touch and chown are to prevent any error messages
RUN touch /var/mail/ubuntu && chown ubuntu /var/mail/ubuntu && userdel -r ubuntu
ARG ARG_USER_UID=1000
ARG ARG_USER_GID=1000
ARG ARG_USER_NAME=foo
ARG SUDO_USER_SCRIPT="add-sudoer-user.sh"
# For ubuntu, do not use dash.
RUN DEBIAN_FRONTEND=noninteractive apt update \
&& apt upgrade -y \
&& apt-get install -y \
gpg \
sudo \
# Do not use dash, make /bin/sh symlink to bash instead of dash:
&& echo "dash dash/sh boolean false" | debconf-set-selections \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash \
# create the group
&& groupadd --non-unique --gid ${ARG_USER_GID} ${ARG_USER_NAME} \
# create the user
&& useradd --non-unique --uid ${ARG_USER_UID} --gid ${ARG_USER_GID} --create-home --shell /bin/bash ${ARG_USER_NAME} \
# don't prompt for password when using sudo
&& echo "${ARG_USER_NAME} ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/allow-${ARG_USER_NAME}"
USER ${ARG_USER_NAME}
WORKDIR /home/${ARG_USER_NAME}
ENV PATH="$PATH"
SHELL ["/bin/bash", "-c"]
RUN source /etc/bash.bashrc
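Added example, not part of the answer above: a POSIX sh check for the drop-in that the Dockerfile writes to /etc/sudoers.d/allow-${ARG_USER_NAME}. sudo skips files in sudoers.d whose name contains a '.' or ends in '~', so a user name with a dot would silently get no sudo rights, and the check also lists who holds an unrestricted NOPASSWD: ALL rule. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sudoers.d drop-in like the one the Dockerfile creates.

# sudo skips drop-in files whose name contains a '.' or ends in '~'.
dropin_name_ok() {
    case "$(basename "$1")" in
        *.*|*~) return 1 ;;
        *)      return 0 ;;
    esac
}

# Print every subject (user or %group) granted "NOPASSWD: ALL".
# Simplification: everything after '#' is treated as a comment.
nopasswd_all_subjects() {
    sed -e 's/#.*//' "$1" | awk '/NOPASSWD:[ \t]*ALL[ \t]*$/ { print $1 }'
}

# Print findings for one file; exit status 1 if there is at least one.
audit_dropin() {
    findings=0
    if ! dropin_name_ok "$1"; then
        echo "IGNORED-BY-SUDO: $1 (name contains '.' or ends in '~')"
        findings=1
    fi
    for subject in $(nopasswd_all_subjects "$1"); do
        echo "NOPASSWD-ALL: $subject in $1"
        findings=1
    done
    return "$findings"
}

# Demo on constructed files; the rule text is the one the Dockerfile echoes.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'foo ALL=(ALL:ALL) NOPASSWD: ALL' > "$dir/allow-foo"
    printf '%s\n' 'john.doe ALL=(ALL:ALL) NOPASSWD: ALL' > "$dir/allow-john.doe"
    for f in "$dir"/allow-*; do
        audit_dropin "$f" || true
    done
    rm -rf "$dir"
}
demo
```

Inside the image, `visudo -cf <file>` can be run on the same drop-in to check its syntax as well.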