I'm trying to create an image (Ubuntu) that will build my code. I hope the container will run as a non-root user (jenkins). The host and the container share the source directory. The container will read source code, and generate some artifacts as builds do. Here is (a readable version of) my Dockerfile:

FROM ubuntu:24.04
USER root

RUN apt-get update -y
# useradd is not a package (it comes with the base image's passwd package); sudo and adduser are
RUN apt-get install -y sudo adduser

# useradd prints nothing, so piping it into chpasswd does nothing; create the user directly
RUN useradd -ms /bin/bash builder
RUN adduser builder sudo
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

# switch to the user created above
USER builder
RUN mkdir -p /home/builder/workspace
WORKDIR /home/builder/workspace

I'm building the image with: docker build --tag build .

The image contains a new user called builder, with uid 1001. On the host, the user id can be anything but 1001.

$ docker run build id
uid=1001(builder) gid=1001(builder) groups=1001(builder),27(sudo)

$ id
uid=1000(myname) gid=1000(myname) groups=1000(myname),....,27(sudo),124(docker)

I'm running this image, sharing my source code directory:

docker run -it -v /home/myname/workspace:/home/builder/workspace -w /home/builder/workspace build

Finally, inside the container I'm hoping to do a build. I'm getting access denied:

builder@95cfd88194e0:~/workspace$ touch x
touch: cannot touch 'x': Permission denied

This is expected, because user builder is unknown at the host. I'm trying various things - all with no success.

  1. The amazing thing is that this is a regression. Had the first line of the Dockerfile been FROM ubuntu:20.04, it would work without a problem. What happened between 20.04 and 24.04?
  2. I tried to create user builder on the host, and add this user to my group: adduser builder myname.
  3. I can get some writes working if the uid on the host matches the uid in the container. I do that with useradd -ms /bin/bash --uid 1200 builder on both the container and the host, and if the volume I'm sharing is on /home/builder on the host. This is very inconvenient, because I want to work on /home/myname

UPDATE

Following a comment from @DavidMaze (below), running the container with -u $(id -u) does work, with two problems:

  1. The user is not in the sudoer group in the container. I'm not sure whether this is a problem or not.
  2. If the id of the user on the host is unknown in the container (say 1005) then I get a weird prompt, and id returns root as the group:
I have no name!@0123456789ab:/my/path$ 
I have no name!@0123456789ab:/my/path$ id
uid=1005 gid=0(root) groups=0(root)

Giving the -u parameter a gid of a group that doesn't exist in the container also produces (other) error prompts.
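The following is an added example and not code from the post above or from the commenter it quotes. It shows the approach that resolves all three symptoms in the post (the "Permission denied" on the bind mount, the missing passwd entry behind "I have no name!", and the gid=0 fallback): create the container user at image build time with the host user's uid/gid, passed in as build args, instead of letting useradd pick the next free id. The Dockerfile comment also explains the 20.04 to 24.04 change: the ubuntu:24.04 image ships a default "ubuntu" account on uid/gid 1000, so a plain useradd now lands on 1001 instead of 1000. The can_write_as helper goes beyond the post: it predicts, from a host directory's owner and mode, whether a given container uid and group list could create files there, which is the check that `touch x` failed. The file names Dockerfile.builder and builder.sh, the build-arg names HOST_UID/HOST_GID, and the use of GNU stat on Linux are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Docker, a Linux host with
# GNU stat, and that the image is built from the shell of the user who will
# later run it. File names Dockerfile.builder / builder.sh are assumptions.
set -eu

# Dockerfile for the build image. HOST_UID/HOST_GID are passed at build time so
# the container's "builder" owns files on the bind-mounted workspace exactly as
# the host user does. The image tag "build" is the one used in the post.
render_dockerfile() {
  cat <<'EOF'
FROM ubuntu:24.04
ARG HOST_UID=1000
ARG HOST_GID=1000
# ubuntu:24.04 ships a default "ubuntu" account on uid/gid 1000 (20.04 did not),
# which is why a plain useradd now lands on 1001. Remove it so the ids are free.
RUN userdel -r ubuntu 2>/dev/null || true
# Reuse an existing group with that gid if there is one, otherwise create it.
RUN (getent group "$HOST_GID" >/dev/null || groupadd -g "$HOST_GID" builder) \
 && useradd -m -s /bin/bash -u "$HOST_UID" -g "$HOST_GID" builder
# Install build dependencies here, as root, before dropping privileges.
USER builder
WORKDIR /home/builder/workspace
EOF
}

# Predict from the host directory's owner and mode whether a process running
# as uid, with the given space-separated list of gids (primary + supplementary),
# can create files in it. This is the plain owner/group/other check; ACLs,
# capabilities and user namespaces are not modelled. Prints "writable"/"denied".
can_write_as() {
  dir=$1; uid=$2; gids=$3
  set -- $(stat -c '%u %g %a' "$dir")          # owner uid, owner gid, octal mode
  owner=$1; group=$2; mode=$3
  while [ ${#mode} -gt 3 ]; do mode=${mode#?}; done   # drop setuid/setgid/sticky digit
  while [ ${#mode} -lt 3 ]; do mode=0$mode; done      # pad modes stat prints short
  u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
  if [ "$uid" -eq 0 ]; then echo writable; return 0; fi
  bits=$o
  if [ "$uid" -eq "$owner" ]; then
    bits=$u                                     # owner class wins even if group is wider
  else
    for x in $gids; do
      if [ "$x" -eq "$group" ]; then bits=$g; break; fi
    done
  fi
  # creating an entry needs both write (2) and search (1) on the directory
  if [ $((bits & 3)) -eq 3 ]; then echo writable; else echo denied; fi
}

# Build with the invoking user's ids, then run with the workspace bind-mounted;
# the container's "builder" now shares the host user's uid/gid, so no -u needed.
build_and_run() {
  ws=$1
  render_dockerfile > Dockerfile.builder
  docker build -f Dockerfile.builder \
    --build-arg HOST_UID="$(id -u)" --build-arg HOST_GID="$(id -g)" -t build .
  docker run --rm -it -v "$ws":/home/builder/workspace build id
}

# Usage: sh builder.sh /home/myname/workspace   (nothing runs without an argument)
if [ "${1:-}" != "" ]; then
  echo "uid 1001 (the post's image) on $1: $(can_write_as "$1" 1001 1001)"
  build_and_run "$1"
fi
```

With a host workspace owned by uid 1000 and mode 755, `can_write_as /home/myname/workspace 1001 1001` prints "denied", which is the post's `touch x` failure; the same directory checked with the ids the image was built with prints "writable". Two notes on the update section: if you prefer the `-u` route, pass both ids as `-u "$(id -u):$(id -g)"`, because a uid with no passwd entry in the container gets gid 0 by default, exactly the `gid=0(root)` shown in the post. And passwordless sudo for the build user makes the non-root choice cosmetic, since anything the build runs can escalate to root; put the package installs in the image before `USER builder` instead, as the Dockerfile above does.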

Tags: docker. Title: Trying to build a container that will run as non-root (Stack Overflow)