offen/docker-volume-backup

Unable to run entrypoint.sh when specifying a rootless user with docker arguments

kitsumed opened this issue · 9 comments

Describe the bug
Cannot specify a rootless docker user to run the repo due to entrypoint.sh access (root) requirement.
Error: /bin/sh: can't open '/root/entrypoint.sh': Permission denied
Seems to be due to how the Dockerfile generates the image.

To Reproduce
Steps to reproduce the behavior:

  1. Create a docker container / stack
  2. Set the docker user argument to a user & group without root permissions

Expected behavior
entrypoint.sh should be run by docker

Version (please complete the following information):

  • Image Version: v2.33.0
  • Docker Version: 24.0.5

Additional context
Not running the app with root is limiting in what you can do, however in my case, I do not need to run it as root, as such, I should be able to use a rootless user & group.

m90 commented

The user inside the container has to be root as otherwise it couldn't interact with the Docker socket being mounted from the outside. This is a key feature of this image so I think it's not really worth finding some smart configuration that allows for both as then people will try running the rootless version but expect it to be able to interact with Docker.

Also see #36

If you really need this, I think the easiest thing to do is create an image off this one where you shuffle around files and run with a different user. Be aware that you cannot use any Docker facing feature in this case.

In my current use case, I do not need to bind to a docker socket, making the use of a root user kind of useless. But I do understand your point.

Else you could detect if the entrypoint is running rootless and show a warning telling users that the docker socket won't work.

m90 commented

If the entrypoint script was moved to /usr/bin or similar, would that suffice to let you pass a different --user to Docker?

> If the entrypoint script was moved to /usr/bin or similar, would that suffice to let you pass a different --user to Docker?

Might be worth trying it, I can't right now though.

m90 commented

@kitsumed Not sure yet how/if this will be merged, but here's a PR that demonstrates what changes would need to be done in the Dockerfile to enable your use case #272 - maybe it helps you with deriving a custom Docker image from the existing one.

Hey @m90, I finally had the time to build a docker image and test it. The entry-point is indeed working as intended for non-root users with your version, however it seems like cron isn't able to start due to crontab: must be suid to work properly.
I did quick searches and came across apk add --update busybox-suid that could potentially fix the issue so I added it in the dockerbuild file and it did seem to have fixed the problem, though it's now claiming crontab: unknown uid 1001, 1001 being the uid of the non-root user.

m90 commented

I did not try this, but maybe this helps https://stackoverflow.com/a/63110882/797194

m90 commented

Closing this as it's inactive and there doesn't really seem a clear path forward. If you need further help, feel free to reopen.

m90 commented

This is now possible as of v2.38.0.

Documentation is found here: https://offen.github.io/docker-volume-backup/how-tos/use-as-non-root.html
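
The three failures reported in this thread (an entrypoint under /root that a non-root user cannot open, no access to the Docker socket, and `crontab: unknown uid`, which busybox prints when the uid has no passwd entry) can be checked before the container does any work. The following is an added example, not code from the issue or from the project; the function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not project code. Preflight for running as a non-root --user.
# All paths are parameters so the checks can run against constructed files.

# Succeeds if the numeric uid ($1) has an entry in the passwd file ($2).
uid_in_passwd() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# Succeeds if the current user can read the script at $1. A script under a
# 0700 directory such as /root fails here for any non-root uid.
entrypoint_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Succeeds if $1 is a socket the current user can read and write.
socket_usable() {
    [ -S "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# preflight ENTRYPOINT SOCKET UID [PASSWD_FILE]
# Prints one finding per line; returns the number of blocking findings.
preflight() {
    blocking=0
    if ! entrypoint_readable "$1"; then
        echo "BLOCK entrypoint-unreadable $1"
        blocking=$((blocking + 1))
    fi
    if ! uid_in_passwd "$3" "${4:-/etc/passwd}"; then
        echo "BLOCK no-passwd-entry uid=$3"
        blocking=$((blocking + 1))
    fi
    # Warning only: per the thread, only Docker-facing features need the socket.
    if ! socket_usable "$2"; then
        echo "WARN docker-socket-unavailable $2"
    fi
    return "$blocking"
}

# Inside a container this would be called as (paths are assumptions):
#   preflight /usr/bin/entrypoint.sh /var/run/docker.sock "$(id -u)"
```

A non-zero return means the container would fail the way the thread describes; the socket finding is reported separately so a setup that does not need Docker-facing features can still proceed.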