Unable to run entrypoint.sh when specifying a rootless user with docker arguments
kitsumed opened this issue · 9 comments
Describe the bug
Cannot specify a rootless docker user to run the repo due to entrypoint.sh access (root) requirement.
Error: /bin/sh: can't open '/root/entrypoint.sh': Permission denied
Seems to be due to how the Dockerfile generates the image.
To Reproduce
Steps to reproduce the behavior:
- Create a docker container / stack
- Set the docker user argument to a user & group without root permissions
Expected behavior
entrypoint.sh should be run by docker
Version (please complete the following information):
- Image Version: v2.33.0
- Docker Version: 24.0.5
Additional context
Not running the app with root is limiting in what you can do, however in my case, I do not need to run it as root, as such, I should be able to use a rootless user & group.
The user inside the container has to be root as otherwise it couldn't interact with the Docker socket being mounted from the outside. This is a key feature of this image so I think it's not really worth finding some smart configuration that allows for both as then people will try running the rootless version but expect it to be able to interact with Docker.
Also see #36
If you really need this, I think the easiest thing to do is create an image off this one where you shuffle around files and run with a different user. Be aware that you cannot use any Docker facing feature in this case.
In my current use case, I do not need to bind to a docker socket, making the use of a root user kind of useless. But I do understand your point.
Else you could detect if the entrypoint is running rootless and show a warning telling users that docker socket won't work.
If the entrypoint script was moved to /usr/bin or similar, would that suffice to let you pass a different --user to Docker?
> If the entrypoint script was moved to /usr/bin or similar, would that suffice to let you pass a different --user to Docker?
Might be worth trying it, I can't right now though.
Hey @m90, I finally had the time to build a docker image and test it. The entry-point is indeed working as intended for non-root users with your version, however it seems like cron isn't able to start due to crontab: must be suid to work properly.
I did quick searches and came across apk add --update busybox-suid that could potentially fix the issue so I added it in the dockerbuild file and it did seem to have fixed the problem, though it's now claiming crontab: unknown uid 1001, 1001 being the uid of the non-root user.
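A sketch of the startup check suggested earlier in the thread (warn when running rootless), extended to flag the missing passwd entry behind the "unknown uid 1001" message. This is an added example, not code from the project; the function names and the idea of passing the uid, passwd file and socket path as arguments are assumptions made so it can be exercised outside a container.

```shell
#!/bin/sh
# Added example: preflight checks an entrypoint could run before starting cron.
# Function names and argument layout are hypothetical, not the project's.

# uid_known UID PASSWD_FILE -> 0 if UID appears as the third colon field.
uid_known() {
  awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
}

# socket_usable PATH -> 0 if PATH is a socket the current user can read and write.
socket_usable() {
  [ -S "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# preflight UID PASSWD_FILE SOCKET_PATH
# Prints one warning per line; prints nothing when UID is 0 (root).
preflight() {
  uid=$1 passwd_file=$2 sock=$3
  [ "$uid" -eq 0 ] && return 0
  echo "warn: running as uid $uid, not root"
  if ! uid_known "$uid" "$passwd_file"; then
    echo "warn: uid $uid has no passwd entry; crontab may fail with 'unknown uid $uid'"
  fi
  if [ ! -e "$sock" ]; then
    echo "warn: no Docker socket at $sock; Docker-facing features are unavailable"
  elif ! socket_usable "$sock"; then
    echo "warn: Docker socket at $sock is not accessible to uid $uid"
  fi
}

# In an entrypoint this would be called as:
#   preflight "$(id -u)" /etc/passwd /var/run/docker.sock >&2
```

The warnings are advisory only: the function never exits non-zero on a finding, so a container that needs no Docker access still starts.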
I did not try this, but maybe this helps https://stackoverflow.com/a/63110882/797194
Closing this as it's inactive and there doesn't really seem a clear path forward. If you need further help, feel free to reopen.
This is now possible as of v2.38.0.
Documentation is found here: https://offen.github.io/docker-volume-backup/how-tos/use-as-non-root.html