Using non-root users to run scripts in Docker containers

  • 2021-09-12 02:39:46
  • OfStack

After an application is containerized, the docker container runs its command as root by default, so the applications inside the container also run as root, which is a significant security risk. How, then, can we run the application as a non-root business user?

I will give a simple example below to illustrate.

This example uses a user created inside the container to run a simple shell script and persists the script's log output outside the container. Let's walk through the whole process, from building the image to running the container.

1. Build the image:

I will use a Dockerfile to build the image, with ubuntu 14.04 as the base image (pull it first with docker pull ubuntu:14.04). The Dockerfile reads as follows:


[root@host09 test]# cat Dockerfile
FROM docker.io/ubuntu:14.04
MAINTAINER hepengfei

# Create a user group
RUN groupadd hpf
# Create a user
RUN useradd -d /data -g hpf -m hpf
RUN su - hpf -c "mkdir -p /data/scripts"
RUN su - hpf -c "mkdir -p /data/logs"
WORKDIR /data/scripts
COPY test.sh /data/scripts/
RUN chown hpf:hpf test.sh
RUN chmod 755 test.sh

# Use the created user to run the script
ENTRYPOINT su - hpf -c "/data/scripts/test.sh"
[root@host09 test]#

The script reads as follows:


[root@host09 test]# cat test.sh
#!/bin/sh
while [ 1 = 1 ]
do
    # Append the log to a file; it is persisted through the volume mounted when the container starts
    echo `id` >> /data/logs/hpf.log
    sleep 1
done
[root@host09 test]#

Next, let's build the image:


[root@host09 test]# docker build -t hpf:v2 .
Sending build context to Docker daemon 3.072 kB
Step 1 : FROM docker.io/ubuntu:14.04
 ---> c69811d4e993
Step 2 : MAINTAINER hepengfei
 ---> Using cache
 ---> b8401d2eb439
Step 3 : RUN groupadd hpf
 ---> Using cache
 ---> 2e0d20802c41
Step 4 : RUN useradd -d /data -g hpf -m hpf
 ---> Using cache
 ---> bac36ee97aba
Step 5 : RUN su - hpf -c "mkdir -p /data/scripts"
 ---> Using cache
 ---> a92c3f5f8e34
Step 6 : RUN su - hpf -c "mkdir -p /data/logs"
 ---> Using cache
 ---> 2e8665da7092
Step 7 : WORKDIR /data/scripts
 ---> Using cache
 ---> 7cf84a5a8aca
Step 8 : COPY test.sh /data/scripts/
 ---> 7e4c24de2096
Removing intermediate container f96358d91c35
Step 9 : RUN chown hpf:hpf test.sh
 ---> Running in fc9ab290c56c
 ---> f38afd1ea62c
Removing intermediate container fc9ab290c56c
Step 10 : RUN chmod 755 test.sh
 ---> Running in a35b507a1527
 ---> 5b5223249f4c
Removing intermediate container a35b507a1527
Step 11 : ENTRYPOINT su - hpf -c "/data/scripts/test.sh"
 ---> Running in 1ee7cc7fbec7
 ---> 26e7d603dbac
Removing intermediate container 1ee7cc7fbec7
Successfully built 26e7d603dbac
[root@host09 test]#

View the image you built:


[root@host09 test]# docker images
REPOSITORY         TAG      IMAGE ID       CREATED          SIZE
hpf                v2       26e7d603dbac   42 minutes ago   188.3 MB
docker.io/ubuntu   14.04    c69811d4e993   3 weeks ago      188 MB
[root@host09 test]#

2. Start the container:

Note that before starting the container, you need to change the permissions of the /data/hepf/log directory on the host machine. Otherwise, when the container starts, the script will not have permission to write its log into this directory, so I simply changed the permissions of the directory to 777.

[root@host09 test]# chmod 777 /data/hepf/log

[root@host09 test]# docker run -it -v /data/hepf/log:/data/logs hpf:v2

Now look at the log file in the /data/hepf/log directory:


[root@host09 log]# pwd
/data/hepf/log
[root@host09 log]# ll
total 12
-rw-rw-r-- 1 1000 1000 10800 Sep  7 08:02 hpf.log
[root@host09 log]# tail -2 hpf.log
uid=1000(hpf) gid=1000(hpf) groups=1000(hpf)
uid=1000(hpf) gid=1000(hpf) groups=1000(hpf)
[root@host09 log]#

As you can see, the numeric owner and group of this file (1000) are those of the hpf user created in the container:


hpf@ba688af3f598:~$ id
uid=1000(hpf) gid=1000(hpf) groups=1000(hpf)
hpf@ba688af3f598:~$

If the host machine has another user with the same uid as the user created in the container, the log file's owner on the host will be shown as that user, but no problems have been found with this so far.


[root@host09 log]# cat /etc/passwd | grep hpf1
hpf1:x:1000:1000::/data1:/bin/bash
[root@host09 log]# ll
total 12
-rw-rw-r-- 1 hpf1 hpf1 11250 Sep  7 08:50 hpf.log
[root@host09 log]#
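The chmod 777 step and the uid collision shown above come down to two host-side questions: which host account name will be displayed for the container's numeric uid, and through which permission bit that uid can write into the bind-mounted directory. The shell helpers below are an added example, not code from the original article; the passwd contents and directories they use are constructed, and the same write check applies to /var/run/docker.sock discussed in the supplementary section.

```shell
#!/bin/sh
# Added example, not part of the original article. Two host-side checks for a
# container user writing into a bind mount, using only ls and awk (no root needed):
#   1. which host account name will `ls -l` show for the container's numeric uid?
#   2. can that uid/gid write to the host path, and through which mode bit?

# host_name_for_uid PASSWD_FILE UID
# Prints the host user name mapped to UID in PASSWD_FILE, or the bare number
# when no host account has that uid (then ls shows "1000 1000", as above).
host_name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; found = 1; exit }
                         END { if (!found) print uid }' "$1"
}

# dir_write_access PATH UID GID
# Prints which mode bit grants UID/GID write access to PATH: "owner", "group",
# "other" (what chmod 777 relies on) or "none". Like the kernel, it uses only
# the first matching class; supplementary groups and the uid-0 bypass are ignored.
dir_write_access() {
    path=$1; uid=$2; gid=$3
    # ls -ldn prints numeric ids: "drwxr-xr-x 2 1000 1000 4096 Sep 7 08:02 /data/hepf/log"
    set -- $(ls -ldn "$path")
    mode=$1; owner=$3; group=$4
    if [ "$owner" = "$uid" ]; then
        who=owner; bit=$(printf '%s' "$mode" | cut -c3)
    elif [ "$group" = "$gid" ]; then
        who=group; bit=$(printf '%s' "$mode" | cut -c6)
    else
        who=other; bit=$(printf '%s' "$mode" | cut -c9)
    fi
    [ "$bit" = w ] && echo "$who" || echo none
}

# Demo on constructed data: a fake passwd file and a scratch directory.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nhpf1:x:1000:1000::/data1:/bin/bash\n' > "$tmp/passwd"
    echo "uid 1000 shows on the host as: $(host_name_for_uid "$tmp/passwd" 1000)"
    echo "uid 1001 shows on the host as: $(host_name_for_uid "$tmp/passwd" 1001)"
    mkdir "$tmp/log" && chmod 755 "$tmp/log"
    echo "755 log dir, container uid 60001: $(dir_write_access "$tmp/log" 60001 60001)"
    chmod 777 "$tmp/log"
    echo "777 log dir, container uid 60001: $(dir_write_access "$tmp/log" 60001 60001)"
    rm -rf "$tmp"
}
demo
```

Running it against the real host, e.g. dir_write_access /data/hepf/log 1000 1000, shows whether the directory could instead be handed to the container uid with chown, so that only the owner bit needs to be writable rather than relying on 777.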

That's the end of the simple example.

Supplementary knowledge: the Docker default storage directory and Docker non-root users

Method 1

Check the current storage directory:

sudo docker info | grep "Docker Root Dir"

Stop the Docker service first:

systemctl stop docker

Or

service docker stop

Then move the entire /var/lib/docker directory to the destination path and link it back:

mv /var/lib/docker /root/data/docker

ln -s /root/data/docker /var/lib/docker

Method 2

The Docker configuration file can set most of the daemon parameters, and it is stored in different places on different operating systems. On Ubuntu it is /etc/default/docker, and on CentOS it is /etc/sysconfig/docker.

On CentOS, add the following line:

OPTIONS="--graph=/root/data/docker --selinux-enabled -H fd://"

On Ubuntu, add the following line (Ubuntu does not turn on selinux by default):

OPTIONS="--graph=/root/data/docker -H fd://"

Or

DOCKER_OPTS="-g /root/data/docker"

1. First, create the docker user group. If the docker group already exists, this step can be skipped.

sudo groupadd docker

2. Add the user to the docker group

sudo gpasswd -a ${USER} docker

3. Restart docker

sudo service docker restart

4. If an ordinary user runs a docker command and gets an error saying the permission on … unix:///var/run/docker.sock is insufficient, change the permissions of /var/run/docker.sock.

Run the following command as root:

sudo chmod a+rw /var/run/docker.sock
