58

Looking at this Dockerfile it starts with:

FROM sequenceiq/pam:centos-6.5
MAINTAINER SequenceIQ

USER root

Now that seems redundant, since by default you'd already be root. But for argument's sake - let's look at the parent Dockerfile....that doesn't change the user.

Now let's look at the grandparent Dockerfile. (It doesn't seem to be available).

My question is: Is it redundant in a Dockfile to run USER root since you're already root?

buddemat
  • 4,552
  • 14
  • 29
  • 49
hawkeye
  • 34,745
  • 30
  • 150
  • 304

3 Answers3

44

Yes, it's redundant, but there's almost no downside to leaving this redundancy in. This may have been done to develop against other images, or to support uses that may swap out the base image. It could be done to prevent future issues if the upstream image changes it's behavior. Or they may just want to be explicit so it's clear this container needs to run commands as root.

This assumes that you have verified that the base image is running as root (as the OP has done). For others with this question, if you run:

docker image inspect --format '{{.Config.User}}' $base_image_name

and see anything other than an empty string or root, then you need USER root to change the user for tasks that require that access (e.g. installing packages, changing filesystem permissions, and writing files in folders not owned by your user). After performing those steps (in separate RUN lines) be sure to change back to the non-privileged user in your released image with another USER youruser line.

BMitch
  • 231,797
  • 42
  • 475
  • 450
42

If an image was generated from a source that changed root to a user, you may not have access to all resources inside it. However, if you load the image:

FROM xxxxxx/xxxxxx:latest
USER root

That will give you root access to the images resources. I just used that after being refused access to change /etc/apt/sources.list in an existing image that was not mine. It worked fine and let me change the sources.list

user3815645
  • 521
  • 4
  • 2
  • 7
    this is actually very useful in most of my containers as I always use a base image i didn't generate. If you need to install packages in a elastic image (ElasticSearch, Logstash or Kibana) this is the way to go. – kriztean Nov 27 '18 at 10:28
10

if you are already root, then it's redundant to use it.

As @BMitch also points out, you can use USER root to ensure you are not going to break things if the parent image changes the user in upcoming versions, among other things.

It actually depends on the image. In some images, such as grafana/grafana, the default user is not root and there is no sudo. Thus you must use USER root for any privileged task (e.g., updating and installing apps via apt).

ruasoliveira
  • 192
  • 1
  • 11