How to run a cron job as a non-root user and log the job's output?
The Alpine base images are based on a compact tool set called BusyBox, and when you run crond here you're getting the BusyBox cron and not any other implementation. Its documentation is a little sparse, but if you look at the crond source (in C) what you'll find is that there is not any redirection at all when it goes to run a job (see the non-sendmail version of start_one_job); the job's stdout and stderr are crond's stdout and stderr. In Docker, since crond is the container primary process, that in turn becomes the container's output stream.
Anything that shows up in docker logs definitionally went to stdout or stderr of the container's main process. If this cron implementation wrote your job's output directly there, there's nothing wrong or insecure with taking advantage of that.
In heavier-weight container orchestration systems, there is some way to run a container on a schedule (Kubernetes CronJobs, Nomad periodic jobs). You might find it easier and more consistent with these systems to set up a container that runs your job once and then exits, and then to set up the host's cron to run your container (necessarily, as root).
How To Run Cron As Non Root In Alpine
crond is now running as myuser after following the answer below.
https://github.com/gliderlabs/docker-alpine/issues/381#issuecomment-621946699
Dockerfile
FROM alpine:latest
USER root
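RUN apk update \
&& apk upgrade \
&& apk --no-cache add dcron libcap shadow
# groupadd/useradd come from the shadow package; the Alpine base image only ships BusyBox addgroup/adduser.
RUN groupadd -r -g 2001 myuser \
&& useradd -r -u 1001 -g myuser myuser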
RUN mkdir /home/myuser \
&& chown myuser /home/myuser
RUN chown myuser:myuser /usr/sbin/crond \
&& setcap cap_setgid=ep /usr/sbin/crond
COPY --chown=myuser:myuser cronjob /home/myuser/cronjob
RUN crontab /home/myuser/cronjob
COPY --chown=myuser:myuser entrypoint.sh /home/myuser/entrypoint.sh
USER myuser
WORKDIR /home/myuser
ENTRYPOINT ["./entrypoint.sh"]
entrypoint.sh
#!/bin/sh
# Start cron daemon.
crond -b -l 8
# Start application.
How to execute cron job as non-root user under Ubuntu inside Docker
So far this is the only thing that works in this setup:
FROM ubuntu:bionic
RUN apt-get -yqq update && apt-get -yqq install cron passwd openssl sudo
RUN groupadd -g 1000 hostuser && useradd -l -u 1000 -m -s /bin/bash -p $(openssl passwd -1 test1) -g hostuser hostuser
COPY hello-cron-root /etc/cron.d/hello-cron-root
RUN sudo chmod 0644 /etc/cron.d/hello-cron-root
RUN touch /var/log/cron.log
COPY cron.allow /etc/cron.allow
COPY hostuser-run /usr/local/bin/hostuser-run
RUN chmod +x /usr/local/bin/hostuser-run
CMD /usr/sbin/cron -L 15 && tail -f /var/log/cron.log
This is hostuser-run:
#!/usr/bin/env bash
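# Expand the user name in the target user's shell; "$USER" in double quotes would be expanded by the calling (root) shell before sudo runs.
sudo -H -u 'hostuser' sh -c 'echo "We are running as $(id -un)"'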
This is the file hello-cron-root:
* * * * * root /usr/local/bin/hostuser-run >> /var/log/cron.log 2>&1
To summarize: given that only root cron jobs are working under Docker, to execute stuff under a different user use a helper script with sudo -u.
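An added example, not part of the original answers: a small POSIX shell audit for entries in the /etc/cron.d format used by hello-cron-root above (schedule, user, command). It reports jobs that run as root and jobs whose stderr or whole output is not redirected; the sample entries and the paths /opt/job.sh and /usr/local/bin/cleanup are constructed, and user crontabs without a user field are out of scope.

```sh
#!/bin/sh
# Added example: audit /etc/cron.d-style lines read from stdin.
# Expected format: "<schedule> <user> <command>".
# Output: one finding per line, "<TAG> <command>".

audit_cron_d() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;   # blank, comment, VAR=value
        esac
        set -f                  # keep the "*" time fields from globbing
        set -- $line            # split the entry on whitespace
        set +f
        case "$1" in
            @*) nsched=1 ;;     # @daily, @reboot, ... use one schedule field
            *)  nsched=5 ;;     # minute hour day-of-month month day-of-week
        esac
        if [ "$#" -lt $((nsched + 2)) ]; then
            echo "MALFORMED $line"
            continue
        fi
        shift "$nsched"
        user=$1
        shift
        cmd=$*
        # The job runs with full privileges inside the container.
        if [ "$user" = root ]; then echo "ROOT $cmd"; fi
        case "$cmd" in
            *'2>'*|*'&>'*) ;;                       # stderr is redirected
            *'>'*|*'|'*) echo "NOSTDERR $cmd" ;;    # only stdout is captured
            *) echo "NOLOG $cmd" ;;                 # nothing is captured
        esac
    done
}

# Constructed sample input, modelled on the hello-cron-root file above.
sample_cron_d() {
    cat <<'EOF'
# constructed sample
SHELL=/bin/sh
* * * * * root /usr/local/bin/hostuser-run >> /var/log/cron.log 2>&1
00 00 * * * hostuser /bin/bash /opt/job.sh >> /var/log/job.log
@daily root /usr/local/bin/cleanup
EOF
}

sample_cron_d | audit_cron_d
```

To check a real file, feed it on stdin, for example `audit_cron_d < /etc/cron.d/hello-cron-root`.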
Cron job not running automatically for a non-root user
The correct approach to run your cron every midnight is:
00 00 * * * /bin/bash path/to/your/script.sh >> /path/to/log/file.log