create user with sudo privilege

How do I create a user with sudo privilege in a Dockerfile and start the container with that user (rather than root)?

The problem I am running into is that sudo does not work since the host is not in /etc/hosts. The user cannot edit /etc/hosts since it does not have sudo privileges …

I’ve tried to make /etc/hosts writable by the new user, but this does not work since Docker overwrites the file on container startup. I would rather avoid running CMD as root.

Hi, is there any reason you don’t want to run with the root user inside your container? If you don’t configure the container as privileged, the user permissions are sandboxed within the container.

There are ways to add additional users within the container environment, and you can set the default user within the container by setting the user flag on the service composition, but as I mentioned, it might not be worth the extra effort depending on what you are trying to achieve.

The container runs privileged. The app exposes a shell terminal to the user, and I prefer that to run with user privileges and passwordless sudo. I can give more details about the app.

There are ways to add additional users within the container environment

I am not sure I understand what you are referring to. I create the new user in the Dockerfile (RUN adduser ...) and then switch to it with USER newuser. The issue is that I cannot provide password-free sudo to newuser since the host is not in /etc/hosts. newuser cannot add it (nor can a script run by CMD ...) since it’s run under newuser.

I also need root (or sudo) to run the balena entrypoint for UDEV support.

The workaround I have is to run as root, and then switch to the user in CMD by running sudo -u (after adding the hostname to /etc/hosts). The problem with this approach is that exiting the shell (^D) drops into a root shell. Works - but super ugly.

Another option is to add the hostname in docker-compose.yml (extra_host). Trouble is that the hostname can be changed by the user (via a device variable) and hence is not known when the docker-compose.yml file is written. I also noticed that variable substitution in docker-compose.yml does not seem to work (not sure if this would help, anyway).

In case someone else has this issue, here is my solution:

I created a little C program that adds the hostname to /etc/hosts and set the setuid bit in its permissions. Now I run this program during container configuration (once) before using sudo.

Hi again, thanks for sharing more about the use case. Sorry about the delay in the response.

As you already figured out, the way to do it is to perform (in the Dockerfile) all operations that require root first, and then change the user. Something like the following should work.

FROM balenalib/amd64-debian:buster

ENV DEBIAN_FRONTEND noninteractive
ARG USER=myuser
ARG UID=1000
ARG GID=100

# Install dependencies while still running as the default (root) user
RUN install_packages sudo

# Set environment variables
ENV USER                ${USER}
ENV HOME                /home/${USER}

# Create the user and grant passwordless sudo through a drop-in file, so the
# stock /etc/sudoers (and its #includedir line) stays intact; visudo -cf fails
# the build if the rule has a syntax error.
RUN useradd -m -s /bin/bash -N -g $GID -u $UID $USER && \
    echo "${USER} ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/${USER} && \
    chmod 0440 /etc/sudoers.d/${USER} && \
    visudo -cf /etc/sudoers.d/${USER}

# Copy necessary files
COPY entrypoint.sh /usr/local/bin/

# Set workdir and switch to the non-root user
WORKDIR $HOME
USER ${UID}

ENTRYPOINT ["entrypoint.sh"]
CMD ["bash"]

I’m not sure how /etc/hosts affects the user login, if you have more information about it, that could be useful for other users as well.

Thank you
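An entrypoint.sh in the spirit of the "run as root, then switch to the user" workaround described earlier in the thread, written so that the hand-off uses exec and exiting the user's shell no longer lands in a root shell. This is an added example, not code from either poster or from balena; it assumes the image starts the container as root (no USER line, unlike the Dockerfile above), that APP_USER names the account created in the Dockerfile, and that util-linux setpriv is available for dropping privileges.

```shell
#!/bin/sh
# entrypoint.sh (added example): root-only setup, then drop privileges for CMD.
# Assumptions not in the thread: APP_USER names the Dockerfile's account and
# util-linux setpriv is available.
set -eu

APP_USER="${APP_USER:-myuser}"

# Return 0 if hosts file $1 already has an entry for hostname $2, else 1.
hosts_has_entry() {
    grep -Eq "^[^#]*[[:space:]]$2([[:space:]]|\$)" "$1"
}

# Append "127.0.1.1 <host>" to hosts file $1 unless $2 is already present.
# The hostname is user-controlled (device variable), so reject anything
# outside hostname characters before writing to a root-owned file.
ensure_host_entry() {
    case $2 in
        ''|*[!A-Za-z0-9.-]*) echo "refusing hostname: $2" >&2; return 1 ;;
    esac
    if hosts_has_entry "$1" "$2"; then
        return 0
    fi
    printf '127.0.1.1\t%s\n' "$2" >> "$1"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "entrypoint must start as root to fix /etc/hosts" >&2
        exit 1
    fi
    # Docker rewrites /etc/hosts at start, so fix it here, not in the Dockerfile.
    # Other root-only setup (e.g. the image's UDEV entrypoint) belongs here too.
    ensure_host_entry /etc/hosts "$(hostname)"
    uid=$(id -u "$APP_USER")
    gid=$(id -g "$APP_USER")
    # exec replaces this root shell: ^D in the user's shell ends the container
    # instead of falling back to a root prompt.
    exec setpriv --reuid="$uid" --regid="$gid" --init-groups -- \
        env HOME="/home/$APP_USER" USER="$APP_USER" "$@"
}

# Without arguments (e.g. when sourced by a test) only the functions are defined.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With ENTRYPOINT ["entrypoint.sh"] and CMD ["bash"], the container starts as root, adds the current hostname to /etc/hosts once, and then runs bash as the unprivileged user, whose passwordless sudo now resolves the host.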