How to use root user from a container?


I’m new to Docker and Linux. I’m using Windows 10 and got a GitHub example to create a container with CentOS and nginx. I need to use the root user to change the nginx.config. From Kitematic, I clicked on Exec to get a bash shell in the container and I tried sudo su - as below:

    sh-4.2$ sudo su -
    sh: sudo: command not found

So, I tried to install sudo with the command below:

    sh-4.2$ yum install sudo -y
    Loaded plugins: fastestmirror, ovl
    ovl: Error while doing RPMdb copy-up:
    [Errno 13] Permission denied: '/var/lib/rpm/Installtid'
    You need to be root to perform this command.

Then I ran su -, but I don’t know the password! How can I set the password?

    sh-4.2$ su -
    Password:

Then, from PowerShell on my Windows machine, I also tried:

    PS C:\Containers\nginx-container> docker exec -u 0 -it 9e8f5e7d5013 bash

but it shows that the script is running and nothing happened and I canceled it by Ctrl+C after an hour.

Some additional information:

Here is how I created the container:

    PS C:\Containers\nginx-container> s2i build https://github.com/sclorg/nginx-container.git --context-dir=examples/1.12/test-app/ centos/nginx-112-centos7 nginx-sample-app

From the bash shell in the container, I can get the OS information as below:

    sh-4.2$ cat /etc/os-release
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:centos:centos:7"
    HOME_URL="https://www.centos.org/"
    BUG_REPORT_URL="https://bugs.centos.org/"

    CENTOS_MANTISBT_PROJECT="CentOS-7"
    CENTOS_MANTISBT_PROJECT_VERSION="7"
    REDHAT_SUPPORT_PRODUCT="centos"
    REDHAT_SUPPORT_PRODUCT_VERSION="7"

I would really appreciate it if you could help me fix these issues. Thanks!

Your approach is generally wrong. You should prepare the file outside the container and then let Docker itself change it.

There are several ways to achieve this.

  1. You can mount your file during startup:

    docker run -v /your/host/path/to/config.cfg:/etc/nginx/config.cfg ...

  2. You can copy the file into the container during building the container (inside Dockerfile):

    FROM base-name
    COPY config.cfg /etc/nginx/

  3. You can apply a patch to the config script (once again, a Dockerfile):

    FROM base-name
    ADD config.cfg.diff /etc/nginx/
    RUN ["patch", "-N", "/etc/nginx/config.cfg", "--input=/etc/nginx/config.cfg.diff"]

For each method, there are lots of examples on StackOverflow.

Understanding root inside and outside a container, Do you run your containers as root, or as a regular user? to have thousands of UIDs at each user's disposal for use inside of containers. If you want to run with a different user within the container, then use -u to select the user. When running in rootless mode, the root of the container is more powerful than non-root of the container, so it is still advisable to run as non-root in a rootless container.

You should read Docker's official tutorial on building and running custom images. I rarely do work in interactive shells in containers; instead, I set up a Dockerfile that builds an image that can run autonomously, and iterate on building and running it like any other piece of software. In this context su and sudo aren't very useful because the container rarely has a controlling terminal or a human operator to enter a password (and for that matter usually doesn't have a valid password for any user).

Instead, if I want to do work in a container as a non-root user, my Dockerfile needs to set up that user:

    FROM ubuntu:18.04
    WORKDIR /app
    COPY ...
    RUN useradd -r -d /app myapp
    USER myapp
    CMD ["/app/myapp"]

The one exception I've seen is if you have a container that, for whatever reason, needs to do initial work as root and then drop privileges to do its real work. (In particular the official Consul image does this.) That uses a dedicated lighter-weight tool like gosu or su-exec. A typical Dockerfile setup there might look like

    # Dockerfile
    FROM alpine:3.8
    RUN addgroup myapp \
     && adduser -S -G myapp myapp
    RUN apk add su-exec
    WORKDIR /app
    COPY . ./
    ENTRYPOINT ["/app/docker-entrypoint.sh"]
    CMD ["/app/myapp"]

    #!/bin/sh
    # docker-entrypoint.sh

    # Initially launches as root
    /app/do-initial-setup

    # Switches to non-root user to run real app; exec replaces this shell
    # so the app becomes the container's main process and receives signals
    exec su-exec myapp:myapp "$@"

Both docker run and docker exec take a -u argument to indicate the user to run as. If you launched a container as the wrong user, delete it and recreate it with the correct docker run -u option. (This isn't one I find myself wanting to change often, though.)
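As an added example (not part of the original answer and not Docker's own tooling), the following sketch statically checks which user a Dockerfile's final stage ends up with, which separates the two patterns shown above. The function names and category labels are assumptions made for this illustration, and the sample Dockerfiles are constructed from the ones in the answer.

```python
ROOT_IDS = {"root", "0"}

def logical_lines(text):
    """Yield instructions with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def final_user(text):
    """Last USER value in the final build stage, or None if that stage sets none."""
    user = None
    for instr in logical_lines(text):
        parts = instr.split(None, 1)
        keyword = parts[0].upper()
        if keyword == "FROM":
            user = None  # each FROM starts a new stage; USER does not carry over
        elif keyword == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user

def classify(text):
    """Return 'non-root', 'root', 'inherited' or 'unknown' for the final stage."""
    user = final_user(text)
    if user is None:
        return "inherited"  # base image default applies: root unless the base sets USER
    name = user.split(":", 1)[0]  # USER accepts name[:group] or uid[:gid]
    if "$" in name:
        return "unknown"  # ARG/ENV substitution cannot be resolved statically
    return "root" if name in ROOT_IDS else "non-root"

# Constructed inputs, adapted from the two Dockerfiles in the answer above.
NON_ROOT = "FROM ubuntu:18.04\nRUN useradd -r -d /app myapp\nUSER myapp\n"
DROPS_IN_ENTRYPOINT = """FROM alpine:3.8
RUN addgroup myapp \\
 && adduser -S -G myapp myapp
RUN apk add su-exec
ENTRYPOINT ["/app/docker-entrypoint.sh"]
"""
MULTI_STAGE = "FROM alpine:3.8 AS build\nUSER builder\nFROM alpine:3.8\nUSER 0:0\n"
```

A result of `inherited` for the su-exec image means the container starts as root and relies on docker-entrypoint.sh to drop privileges, so that script needs review as well.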

Root user or non-root user inside container - DockerEngine, Is it OK to run the app as user root inside the container? permission & owner with Volume between containers and host using a non root user. User root has no permission to cd to /u01/oracle. You can change the workdir like this: docker exec -it --workdir /root --user root f296ce6cf879 bash

I started the container on my local machine and it turns out you don't need sudo; you can do it with su, which comes by default on the Debian image:

    docker run -dit centos bash
    docker exec -it 9e82ff936d28 sh
    su

Also, you could try executing the following, which defaults you to root:

    docker run -dit centos bash
    docker exec -it 9e82ff936d28 bash

Nevertheless, you could create the Nginx config outside the container and just have it copied in using docker container cp {file_path} {container_id}:{path_inside_container}

Processes In Containers Should Not Run As Root, Using this pattern, it's easy to run a container in the context of a user/group with the least privileges required. For example, I'll add that to my  The best solution is to use the --user option. It gives the ability to specify a uid that is the owner of a Docker container process. Using the --user option, you have to remember that it will override the user specified in Dockerfile. docker run --user 1000 -v /:/home/notImportantDir/ innocent-docker-image

Thanks everyone.

I think it's better to set up a VirtualBox with CentOS and play with nginx. Then when I'm ready and have a correct nginx.config, I can use a Dockerfile to copy my config file.

A VM is so slow, and I was hoping that I could work in interactive shells in containers to learn and play instead of using a VM. Do you have any better idea than VirtualBox?

I tried

    docker run -dit nginx-sample-app bash
    docker exec -u root -it 9e8f5e7d5013 bash

And it didn't do anything; it stays in the below status: here

The same commands worked on the Debian image but not CentOS.

Docker containers with root privileges, A significant part of the IT world relies on Docker containers. They are easy to use & portable. But are they always good? Let's see how to use  All subsequent actions will be performed using that account. You can specify USER one line before the CMD or ENTRYPOINT if you only want to use that user when launching a container (and not when building the image). When you start a container from the resulting image, you will attach as the specified user.

How to use root user from a container?, Your approach is generally wrong. You should prepare the file outside the container and then let Docker itself change it. There are several  By default, root in a container is the same root (uid 0) as on the host machine. If a user manages to break out of an application running as root in a container, he may be able to gain access to

Do Not Run Dockerized Applications as Root, Docker provides a few methods of downgrading user privileges within a running container. We used one method above—simply using the -u flag  A user on a Docker host who has access to the docker group or privileges to sudo docker commands is effectively root (as you can do things like use docker to run a privileged container or mount the root filesystem inside a container), which is why it's very important to control that right.

Just say no to root (in containers), An admin can override this, otherwise all user containers run without are privileged containers that can be installed on a system using the  The container start process can be changed to: CMD ["su", "-", "user", "-c", "/bin/bash"] This way, a bash shell will open as the user.

Comments
  • What happens when you explicitly specify the root user like below: ` docker exec -u root -it 9e8f5e7d5013 bash `