How to start crond as non-root user in a Docker Container?

滥情空心 2021-01-05 05:34

I am using the below Dockerfile and entrypoint.sh. I need to start the crond service in the container as a non-root user but I get

2 answers
  •  日久生厌
    2021-01-05 06:03

    First of all, crond has to invoke commands on behalf of other users. How could it do that without being run by root? Even if you somehow run this daemon process as this user, there is a high probability that it will lack other permissions needed to run certain commands.

    But I guess you can try, maybe this will help:

    Your user simply doesn't have permissions, as the error log says. If you want to try running as a non-root user, create a group, let's say crond-users, and change the group of /var/run/crond.pid from root to crond-users. Last but not least, add your user to the crond-users group. Like so:

    # The pid file does not exist at build time, so create it before changing its group;
    # chgrp alone leaves mode 644, so the group also needs write permission.
    RUN groupadd crond-users && \
        touch /var/run/crond.pid && \
        chgrp crond-users /var/run/crond.pid && \
        chmod g+w /var/run/crond.pid && \
        usermod -a -G crond-users 1001510000
    

    Hint 1

    Moreover, docker default entrypoint is /bin/bash -c but does not have a default command. So your Dockerfile could look like this:

    FROM centos:centos7.4.1708
    # cronie provides crond on CentOS; yum clean all drops the package cache
    # (the image has no apt, so /var/lib/apt/lists does not apply here).
    RUN yum update -y && yum install -y cronie && yum clean all && \
        mkdir /code && \
        useradd -l -u 1001510000 -c "1001510000" 1001510000 && \
        groupadd crond-users && \
        touch /var/run/crond.pid && \
        chgrp crond-users /var/run/crond.pid && \
        chmod g+w /var/run/crond.pid && \
        usermod -a -G crond-users 1001510000
    
    # Copy the script before chmod: chmod on a file that is not in the image yet fails the build.
    ADD entrypoint.sh /code/
    RUN chmod 755 /code/entrypoint.sh
    USER 1001510000
    
    CMD ["/code/entrypoint.sh", "top"]
    

    Hint 2

    Try to avoid using the same Dockerfile instruction multiple times (in your case you had 4x RUN). Each instruction is a separate layer in the built image. This is a known Dockerfile best practice.

    Minimize the number of layers: In older versions of Docker, it was important that you minimized the number of layers in your images to ensure they were performant. The following features were added to reduce this limitation:

    In Docker 1.10 and higher, only the instructions RUN, COPY, ADD create layers. Other instructions create temporary intermediate images, and do not directly increase the size of the build.
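An added example of what the entrypoint.sh started by the CMD above could do (this is not the original poster's script, which is not shown): as the non-root user, it checks at container start whether the pid-file group change from the answer actually took effect, explains the failure in those terms if not, and otherwise runs crond in the foreground. CROND_PID_FILE, pidfile_writable and pidfile_diagnose are names chosen here; /var/run/crond.pid and the crond-users group come from the answer.

```shell
#!/bin/sh
# Added example entrypoint, not the poster's entrypoint.sh.
# Assumes cronie's crond and the pid-file path /var/run/crond.pid used in the answer.
CROND_PID_FILE="${CROND_PID_FILE:-/var/run/crond.pid}"

# Returns 0 if the current user can create or overwrite the pid file:
# an existing file must be writable, otherwise its directory must be.
pidfile_writable() {
    f="$1"
    if [ -e "$f" ]; then
        [ -w "$f" ]
    else
        [ -w "$(dirname "$f")" ]
    fi
}

# Reports the result in terms of the fix from the answer (group ownership
# plus group write bit on the pid file, user in the crond-users group).
pidfile_diagnose() {
    f="$1"
    if pidfile_writable "$f"; then
        echo "ok: $(id -un) can write $f"
        return 0
    fi
    echo "error: $(id -un) (groups: $(id -Gn)) cannot write $f" >&2
    echo "hint: chgrp crond-users $f && chmod g+w $f, then add the user to crond-users" >&2
    return 1
}

main() {
    pidfile_diagnose "$CROND_PID_FILE" || exit 1
    # -n keeps crond in the foreground so the container lives as long as crond does.
    exec crond -n
}

# Run main only when executed as the entrypoint script, not when sourced.
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```

With this in place, a container started under USER 1001510000 fails fast with a readable message instead of crond silently refusing to start.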
