Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/dacrystal/docker-exec-as-user

Run a container as a non-root user
https://github.com/dacrystal/docker-exec-as-user

Last synced: about 10 hours ago
JSON representation

Run a container as a non-root user

Host: GitHub
URL: https://github.com/dacrystal/docker-exec-as-user
Owner: dacrystal
Created: 2020-05-08T22:50:30.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-05-09T12:27:13.000Z (over 4 years ago)
Last Synced: 2024-11-20T23:30:01.740Z (2 months ago)
Language: Shell
Size: 2.93 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# docker-exec-as-user

### TL;DR

## Build
#### Example of `Dockerfile` for `alpine` base image:
```dockerfile
FROM alpine # or any image based on "alpine"
COPY --from=dacrystal/exec-as-user /bin/su-exec.alpain /bin/su-exec
COPY --from=dacrystal/exec-as-user /docker-entrypoint.sh /docker-entrypoint.sh
ENTRYPOINT ["/docker-entrypoint.sh"]
```

#### Example of `Dockerfile` for other `Linux` base image:
```dockerfile
FROM ubuntu #centos or debian etc..
COPY --from=dacrystal/exec-as-user /bin/su-exec.linux64 /bin/su-exec
COPY --from=dacrystal/exec-as-user /docker-entrypoint.sh /docker-entrypoint.sh
ENTRYPOINT ["/docker-entrypoint.sh"]
```

## Usage

```sh
docker run [OPTIONS...] [-e USER=user] -e AS_USER=[:] [CMD...]
```

To run as current user:
```sh
docker run [OPTIONS...] -e USER=$(id -un) -e AS_USER=$(id -u):$(id -g) [CMD...]
```

Note: `USER` variable is default to `"user"`

----

### How?
Simply the `ENTRYPOINT` script will create a real user corresponding to `AS_USER` and switch to it using `su-exec`. Yes, that's it!

### Why not using `--user`?

`--user` option does not create a real user. That is to say:
- `user` does not exist in `/ets/passwd`. Some software fail if user is does not exist.
- `user` user is home-less. Again some software fail if user does not have a `${HOME}`!
- `user` is name-less. Same bla bla bla...

### Why one need to switch user in the first place?!
Due to the same reasons that `one` is reading this crap!

- My main user-case is for container(a build or CLI wrapper) that generate files on a mounted volume (`-v $PWD:/my-mount`). This will ensure the files have the right permissions.