18

I am using the Dockerfile and entrypoint.sh below. I need to start the crond service in the container as a non-root user, but I get Permission denied. How do I start the crond service as a non-root user?

I need to have USER in the Dockerfile, as it is a mandatory admin setting on my OpenShift 3 platform.

Dockerfile

FROM centos:centos7.4.1708
RUN yum update -y && yum install -y cronie && rm -rf /var/lib/apt/lists/*
RUN cd / && mkdir /code
ADD entrypoint.sh /code/
RUN chmod -R 755 /code/entrypoint.sh
ENTRYPOINT ["/code/entrypoint.sh"]
RUN useradd -l -u 1001510000 -c "1001510000" 1001510000
USER 1001510000
CMD ["top"]

entrypoint.sh

#!/bin/bash
echo "in the entrypoint!"
echo "executing id"
id
echo "executing crond start"
crond start
echo "executing $@"
# exec so the container's main command becomes PID 1 and receives signals;
# quoting "$@" keeps arguments with spaces intact
exec "$@"

Error Output

in the entrypoint!
executing id
uid=1001510000(1001510000) gid=1000(1001510000) groups=1000(1001510000)
executing crond start
crond: can't open or create /var/run/crond.pid: Permission denied
executing top
MajorXbox
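The error in the output above is crond failing to create its pid file as the container user. As an added example (not code from the question or either answer), the entrypoint below checks that condition itself before invoking crond and reports why it would fail, instead of letting crond die with a bare "Permission denied". It assumes cronie's crond writes /var/run/crond.pid (the path from the error output) and supports `-n` for foreground operation; `CROND_PID_DIR` is a hypothetical override used here only so the check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example entrypoint: verify the current uid can create crond's pid file
# before starting crond, then exec the container's main command.
# Assumption: crond writes "$CROND_PID_DIR/crond.pid"; the default /var/run
# matches the path in the question's error output.

# Return 0 if the pid directory exists and the current uid can create (or, if
# it already exists, rewrite) crond.pid in it; return 1 otherwise.
can_write_pidfile() {
    dir="$1"
    pidfile="$dir/crond.pid"
    [ -d "$dir" ] || return 1
    if [ -e "$pidfile" ]; then
        # crond rewrites an existing pid file on every start
        [ -w "$pidfile" ] || return 1
    else
        # creating a new file needs write permission on the directory
        [ -w "$dir" ] || return 1
    fi
    return 0
}

# Print a one-line explanation of why crond would fail for the current uid.
explain_pidfile_problem() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "pid directory $dir does not exist"
    elif [ ! -w "$dir" ]; then
        owner=$(stat -c %U:%G "$dir" 2>/dev/null || echo unknown)
        echo "uid $(id -u) cannot write to $dir (owned by $owner)"
    else
        echo "$dir/crond.pid exists but is not writable by uid $(id -u)"
    fi
}

# Start crond only when the pid-file check passes; otherwise log the reason
# to stderr and return 1 so the caller can decide whether that is fatal.
start_crond() {
    dir="${CROND_PID_DIR:-/var/run}"
    if can_write_pidfile "$dir"; then
        # -n keeps crond in the foreground; background it here so the
        # container's main command can still be exec'd below.
        crond -n &
        echo "crond started (pid $!)"
        return 0
    fi
    echo "not starting crond: $(explain_pidfile_problem "$dir")" >&2
    return 1
}

# Entrypoint body: only runs when a command was passed (docker run ... CMD).
if [ $# -gt 0 ]; then
    echo "running as: $(id)"
    start_crond || true   # change to a hard failure if cron is required
    exec "$@"
fi
```

Because the check runs as the container's own uid, it gives the same answer crond will get under OpenShift's arbitrary-uid policy, which makes the failure visible in the container log rather than only in crond's exit status.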

2 Answers

2

First of all, crond has to invoke commands on behalf of other users. How could it do that without being run by root? Even if somehow you run this daemon process as this user, there is a high probability that it will lack other permissions needed to run certain commands.

But I guess you can try, maybe this will help:

Your user simply doesn't have permissions, as the error log says. If you want to try running as a non-root user, create a group, let's say crond-users, and change the group of /var/run/crond.pid from root to crond-users. Last but not least, add your user to the crond-users group. Like so:

RUN groupadd crond-users && \
    chgrp crond-users /var/run/crond.pid && \
    usermod -a -G crond-users 1001510000

Hint 1

Moreover, Docker's default entrypoint is /bin/bash -c, but it does not have a default command. So your Dockerfile could look like this:

FROM centos:centos7.4.1708
# yum clean all, not the apt cache path, on CentOS
RUN yum update -y && yum install -y cronie && yum clean all && \
    mkdir /code && \
    useradd -l -u 1001510000 -c "1001510000" 1001510000 && \
    groupadd crond-users && \
    usermod -a -G crond-users 1001510000

# the script must be added before it can be chmod'ed
ADD entrypoint.sh /code/
# /var/run/crond.pid does not exist until crond starts, so give the group
# write access to the directory instead (/var/run is a symlink to /run)
RUN chmod 755 /code/entrypoint.sh && \
    chgrp crond-users /run && \
    chmod g+w /run

USER 1001510000

CMD ["/code/entrypoint.sh", "top"]

Hint 2.

Try to avoid using the same Dockerfile instruction multiple times (in your case you had 4x RUN). Each instruction is a separate layer in the built image. This is a known Dockerfile best practice:

Minimize the number of layers

In older versions of Docker, it was important that you minimized the number of layers in your images to ensure they were performant. The following features were added to reduce this limitation:

In Docker 1.10 and higher, only the instructions RUN, COPY, ADD create layers. Other instructions create temporary intermediate images, and do not directly increase the size of the build.

Raoslaw Szamszur
    `/var/run/crond.pid` is not created until `crond start` is executed, so `chgrp crond-users /var/run/crond.pid` fails with the error below: `chgrp: cannot access '/var/run/crond.pid': No such file or directory` @raoslaw – MajorXbox Nov 01 '18 at 16:14
  • @MajorXbox Shieeet :( It didn't occur to me that this file is created dynamically. Well, you can always do the same for the folder `/run` instead of the file. But remember to do it on `/run`, because `/var/run` is only linked to this folder (at least in my case). – Raoslaw Szamszur Nov 01 '18 at 18:58
  • 1
    `/var/run` is linked in my case too. But `chgrp` on `/run` didn't work either. – MajorXbox Nov 02 '18 at 14:04
  • @MajorXbox please look at the edit. For me, your case works fine. I'm afraid I cannot reproduce. – Raoslaw Szamszur Nov 02 '18 at 16:20
  • If you look, there is no `crond` process started even though it is in `entrypoint.sh`. To see the error, try `docker run` without `-d`. --> build: `docker build -t crond:1 .` --> run: `d run -it --name crond crond:1` – MajorXbox Nov 02 '18 at 16:26
  • @MajorXbox I feel stupid now. I was expecting an error during the container run process. Anyway, I was thinking `crond` has to invoke commands on behalf of other users. How could it do that without being run by `root`? Even if somehow you run this daemon process as this user, there is a high probability that it will lack other permissions needed to run certain commands. – Raoslaw Szamszur Nov 02 '18 at 19:35
  • 1
    You are right about `crond` needing other permissions. I also tried the daemon process and starting the process on restart commands, with the same errors. Anyway, I moved away from using `crond`. Thanks for checking this out. – MajorXbox Nov 03 '18 at 14:23
-2

How about building again according to the OpenShift Container Platform-Specific Guidelines? Such as the related uid and gid.

Daein Park