How to add users to Docker container?
The trick is to use useradd
instead of its interactive wrapper adduser
.
I usually create users with:
RUN useradd -ms /bin/bash newuser
which creates a home directory for the user and ensures that bash is the default shell.
You can then add:
USER newuser
WORKDIR /home/newuser
to your dockerfile. Every command afterwards as well as interactive sessions will be executed as user newuser
:
docker run -t -i image
newuser@131b7ad86360:~$
You might have to give newuser
the permissions to execute the programs you intend to run before invoking the user command.
Using non-privileged users inside containers is a good idea for security reasons. It also has a few drawbacks. Most importantly, people deriving images from your image will have to switch back to root before they can execute commands with superuser privileges.
What is a clean way to add a user in Docker with sudo priviledges?
Generally you should think of a Docker container as a wrapper around a single process. If you ask this question about other processes, it doesn't really make sense. (How do I add a user to my PostgreSQL server with sudo privileges? How do I add a user to my Web browser?)
In Docker you almost never need sudo
, for three reasons: it's trivial to switch users in most contexts; you don't typically get interactive shells in containers (how do I get a directory listing from inside the cron daemon?); and if you can run any docker
command at all you can very easily root the whole host. sudo
is also hard to script, and it's very hard to usefully maintain a user password in Docker (writing a root-equivalent password in a plain-text file that can be easily retrieved isn't a security best practice).
In the context of your question, if you've already switched to some non-root user, and you need to run some administrative command, use USER
to switch back to root.
USER janedoe
...
USER root
RUN apt-get update && apt-get install -y some-package
USER janedoe
Since your containers have some isolation from the host system, you don't generally need containers to have the same user names or user IDs as the host system. The exception is when sharing files with the host using bind mounts, but there it's better to specify this detail when you start the container.
The typical practice I'm used to works like this:
In your Dockerfile, create some non-root user. It can have any name. It does not need a password, login shell, home directory, or any other details. Treating it as a "system" user is fine.
FROM ubuntu:18.04
RUN adduser --system --group --no-create-home appuserStill in your Dockerfile, do almost everything as root. This includes installing your application.
RUN apt-get update && apt-get install ...
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .When you describe the default way to run the container, only then switch to the non-root user.
EXPOSE 8000
USER appuser
CMD ["./main.py"]Ideally that's the end of the story: your code is built into your image and it stores all of its data somewhere external like a database, so it doesn't care about the host user space at all (there by default shouldn't be
docker run -v
or Docker Composevolumes:
options).If file permissions really matter, you can specify the numeric host user ID to use when you launch the container. The user doesn't specifically need to exist in the container's
/etc/passwd
file.docker run \
--name myapp \
-d \
-p 8000:8000 \
-v $PWD:/data \
-u $(id -u) \
myimage
How do I add the local users to my docker container?
You would have to mount all relevant linux files using -v
like /etc/passwd
, /etc/shadow
, /ect/group
, and /etc/sudoers
. Though I can't recommend this due to the security risks, if anyone gets root access in the container they can add users on the host or change passwords since he mount works both ways.
The list of files is not exhaustive, for example, you have to also make sure the shell exacutables exist within the container. When testing this I had to make a symbolic link from /usr/bin/zsh
to /bin/bash
for example since my user has the zsh shell configured which was not present in the docker image.
If you want to use these users to interact with mounted files, you also have to make sure that user namespace remapping is disabled, or specify that you want to use the same user namespace as the host with the --userns=host
flag. Again, not recommended since it is a security feature, so use with care.
Note: Once you have done all this you can use su - {username}
to switch to all your existing users. The -u
options doesn't work since docker checks the /etc/passwd
file before mounting and will give an error.
How to add user with dockerfile?
Use useradd
instead of its interactive adduser
to add user.
RUN useradd -ms /bin/bash vault
Below command will not create user .
USER vault
WORKDIR /usr/local/bin/vault
it will use vault
user
please Refer Dockerfile User Documentation
The USER instruction sets the user name or UID to use when running the
image and for any RUN, CMD and ENTRYPOINT instructions that follow it
in the Dockerfile.
NOTE : Ensures that bash
is the default shell.
If default shell is /bin/sh
you can do like:
RUN ln -sf /bin/bash /bin/sh
RUN useradd -ms /bin/bash vault
Create a user on the docker host from inside a container
When you mount an individual file, you end up mounting the inode of that file with the bind mount. And when you write to the file, many tools create a new file, with a new inode, and replace the existing file with that. This avoids partial reads, and other file corruption risks if you were to modify the file in place.
What you are attempting to do is likely a very bad idea, it's the very definition of a container escape, allowing the container to setup credentials on the host. If you really need host access, I'd mount the folder in a different location because containers have other files that are automatically mounted in /etc. So you could say /etc:/host/etc
and access the files in the container under /host/etc
. Just realize that's even a larger security hole.
Note, if the entire goal is to avoid permission issues between the host and the container, there are much better ways to do this, but that would be an X-Y problem.
How to use one docker image for multiple users with their system login $USER inside docker container when the user runs the docker image?
There is nothing you can do in terms of creating your image that will automatically expose the username of the user running the container inside the container. You can only do that by providing appropriate command line arguments when you start a container.
You'll need to provide either documentation or a wrapper script that applies the appropriate docker run
command line arguments:
docker run -v /etc/passwd:/etc/passwd -v /etc/group:/etc/group -u $UID -e UID -e USER yourimage ...
Depending on what you're trying to accomplish you may need to also expose the user's home directory:
docker run -it -v /etc/passwd:/etc/passwd -v /etc/group:/etc/group -u $UID -v $HOME:$HOME -e HOME -e UID -e USER -w $HOME yourimage ...
Related Topics
How to Convert Hex to Ascii Characters in the Linux Shell
What Happens If You Use the 32-Bit Int 0X80 Linux Abi in 64-Bit Code
Multiple Glibc Libraries on a Single Host
How Do So_Reuseaddr and So_Reuseport Differ
Save Modifications in Place With Awk
How to Convert Dos/Windows Newline (Crlf) to Unix Newline (Lf)
How to Keep Environment Variables When Using Sudo
How to Store a Command in a Variable in a Shell Script
How to Grep For Contents After Pattern
How to Get Cron to Call in the Correct Paths
How to Change the Output Color of Echo in Linux
How to Send a File as an Email Attachment Using Linux Command Line
How to Compare Two Strings in Dot Separated Version Format in Bash
How to Turn Off Echo While Executing a Shell Script Linux
Linux: Find File Names With 4 or 5 Characters
How to Reload Google Chrome Tab from Terminal
How to Tar a Directory Without Retaining the Directory Structure