#Docker run as root override user code
It is unusual that the application code in this case tried to create the home directory first. More typically, application code trying to write files to a home directory would assume that the home directory at least exists, and so would instead fail when trying to create a file or subdirectory under the nonexistent home directory.

    PermissionError: Permission denied: '/var/www'

What happened this time is that since the home directory didn’t even exist, the Python code for the application tried to create it. The user ‘www-data’, though, didn’t have permissions to create a directory under ‘/var’.
#Docker run as root override user update
So if it is better to run as a non ‘root’ user, what user should that be?

The simplest course one might choose is to look at what system users an operating system predefines in the ‘/etc/passwd’ file. On the ‘busybox’ image, if we do that we find:

    $ docker run --rm -it busybox sh
    root:x:0:0:root:/root:/bin/sh
    mail:x:8:8:mail:/var/spool/mail:/bin/false
    operator:x:37:37:Operator:/var:/bin/false

Of these the ‘

The problem with the ‘

    $ docker run --rm -it debian:jessie sh
    touch: cannot touch '/var/www/magic': No such file or directory
    # exit

The lack of a home directory means that even if we update the IPython Docker image to run as the ‘

    UserWarning: IPython parent '/var/
    line 237, in makedirs
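The ‘/etc/passwd’ check discussed here, written as an added shell example that is not from the original post: for each non ‘root’ account it reports whether the home directory exists and, when it does not, the nearest existing parent where an application would need write permission to create it (‘/var’ in the ‘www-data’ case). The function names, the optional root-prefix argument and the ‘www-data’ UID in the sample are assumptions.

```sh
# Added example, not from the original post. Function names are constructed.

# Print the closest existing ancestor directory of $1: the place where an
# application would need write permission to create a missing home.
nearest_existing() {
    p=$1
    while [ ! -d "$p" ] && [ "$p" != / ]; do p=$(dirname "$p"); done
    printf '%s\n' "$p"
}

# audit_homes PASSWD_FILE [ROOT] prints "STATUS NAME HOME NEAREST_PARENT" per
# non-root user. ROOT is prefixed to each home to check an unpacked rootfs.
audit_homes() {
    passwd_file=$1 root=${2:-}
    while IFS=: read -r name _pw uid _gid _gecos home _shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # comment or malformed line
        [ "$uid" -eq 0 ] && continue                 # root is not a candidate
        case $home in
            /*) ;;
            *) printf 'invalid %s %s -\n' "$name" "${home:--}"; continue ;;
        esac
        if [ -d "$root$home" ]; then
            printf 'ok %s %s -\n' "$name" "$home"
        else
            parent=$(nearest_existing "$root$home")
            parent=${parent#"$root"}
            printf 'missing %s %s %s\n' "$name" "$home" "${parent:-/}"
        fi
    done < "$passwd_file"
}

# Names of users whose home directory already exists.
usable_users() { audit_homes "$@" | awk '$1 == "ok" { print $2 }'; }

# Constructed sample: the busybox entries quoted on this page plus a www-data
# entry (UID 33 is an assumption) whose home /var/www does not exist.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/spool/mail"
    cat > "$t/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
mail:x:8:8:mail:/var/spool/mail:/bin/false
operator:x:37:37:Operator:/var:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
EOF
    audit_homes "$t/passwd" "$t"
    rm -rf "$t"
}
if [ $# -gt 0 ]; then audit_homes "$@"; else demo; fi
```

Run with no arguments it audits the constructed sample; given a passwd file and an optional unpacked rootfs directory it audits those instead.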
The problem is that typical users of the base image are even less likely to understand the consequences of running as ‘root’ and why you shouldn’t, and so aren’t going to revert to a non ‘root’ user in their derived image either if you haven’t provided some pointer to what best practice is.

The problem occurred because the ‘jupyter/notebook’ image expects to run as the ‘root’ user, but OpenShift doesn’t permit that by default due to the increased security risks from allowing that with how Docker currently works.

Changes are supposedly coming for Docker, in the way of support for user namespaces, which would reduce the security risks, but right now, and perhaps even when support for user namespaces is available, it is simply better that you do not run Docker containers as ‘root’.

Let’s now dig more into the ways that a Docker container can be made to not run as the ‘root’ user.

If you are building a Docker image yourself, you can specify that it should run as a particular user by including the ‘USER’ statement in the ‘Dockerfile’. Normally you would place this towards the end of the ‘Dockerfile’ so that prior ‘RUN’ steps within the ‘Dockerfile’ can still run with the default ‘root’ privileges.

Unfortunately many images do not close out the ‘Dockerfile’ by specifying a ‘USER’ statement for a non ‘root’ user. This is either done through ignorance that one shouldn’t really run Docker containers as ‘root’ unless you genuinely have a need to, or because they anticipate that the Docker image may later possibly be used as a base image and so perhaps don’t want to make it too difficult for it to be used in that way.

Specifically, if the base image were finished up with a ‘USER’ statement for a non ‘root’ user, when creating a derived image the first thing that anyone would need to do if they wanted to make system changes would be to use ‘USER root’ to switch back to being the ‘root’ user. One can easily see how people might think this is annoying, though, and so not specify the ‘USER’ in the base image.

The error we encountered was:

    $ oc logs --previous notebook-1-718ce
    /usr/local/lib/python3.4/dist-packages/IPython/paths.py:69: UserWarning: IPython parent '/' is not a writable location, using a temp directory.
    " using a temp directory.".format(parent))
    File "/usr/lib/python3.4/os.py", line 237, in makedirs
    PermissionError: Permission denied: '/.jupyter'
#Docker run as root override user how to
In the first post of this series, looking at how to get IPython running on OpenShift, I showed how taking the ‘jupyter/notebook’ Docker image and trying to use it results in failure.