wshs0713's blog

Programming notes

0%

[Docker] Use non-root user in docker container

Posted on In Disqus:
2.7k 2 mins.

前言

在 docker 中,預設是使用 root user, 但這樣非常不安全,所以通常會在 docker 中另外建立 user,可以透過 --build-args 傳入當前使用者的 User ID 和 Group ID,將新增的 user 的 User ID 和 Group ID 設為當前使用者,最後使用 USER new_user 切換為 non-root user 再執行所需指令。

Dockerfile example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
ARG PYTHON_VERSION

FROM python:${PYTHON_VERSION}-slim-buster

ARG USER_ID
ARG GID
ARG PROJECT_DIR=/home/docker/api

# Set environment variable
ENV TZ=Asia/Taipei
ENV PATH="/home/docker:/home/docker/.local/bin:${PATH}"

# Create user
RUN groupadd -g $GID docker-users && \
    useradd -m --no-log-init -s /bin/bash -u $USER_ID -g $GID docker && \
    echo "docker:docker" | chpasswd && \
    adduser docker sudo

# Set timezone and install packages 
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
    apt-get update && \
    apt-get install -y --no-install-recommends build-essential sudo curl locales tzdata && \
    apt-get clean && \
    apt-get autoremove

# Set locale
ENV LC_ALL=C.UTF-8
ENV LANG=C.UTF-8
ENV LANGUAGE=C.UTF-8

WORKDIR $PROJECT_DIR

# Copy code, install required packages, create log directory and change permission
COPY . .
RUN pip install -r ./requirements.txt && \
    mkdir -p ./logs && \
    chown -R $USER_ID:$GID .

USER docker
CMD ["uwsgi", "--ini", "/home/docker/api/config/uwsgi.ini"]

Build image and run container

Use docker command

Build image: 

1
2
3
4
$ docker build -t <image_name>:<version> \
    --build-arg USER_ID=$(id -u) \
    --build-arg GID=$(id -g) \
    --build-arg PYTHON_VERSION="3.8.7" .

Run container: 

1
2
3
4
$ docker run -d \
    [--name container_name] \
    [-v host_path:container_path] \
    <image_name>:<version>

ps. 須注意 volumes 的資料夾權限

User docker-compose

docker-compose.yml example:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
version: "3.7"

services:
  api:
    restart: always
    image: api:${VERSION}
    container_name: api
    user: "${USER_ID}:${GID}"
    ports:
      - 9999:9999
    build:
      context: /home/user/workspace/api
      args:
        USER_ID: "${USER_ID}"
        GID: "${GID}"
        PYTHON_VERSION: "3.8.7"
    volumes:
      - /home/user/workspace/api/config:/home/docker/api/config
      - /home/user/logs/api:/home/docker/api/logs
    networks:
      - net
networks:
  net:
    name: net
    driver: bridge

Build image and run container:

1
$ USER_ID=$(id -u) GID=$(id -g) VERSION="1.0.0" docker-compose up --build -d api

ps. 須注意 volumes 的資料夾權限

References