在jupyter dockerfile中创建非root用户

Question

I am starting with docker and built an image with jupyter and some python libraries. The end user should be able to use jupyter and access specific host data directories throught the container (read/write rights), but must be a non-root user. Here is my dockerfile so far:

FROM ubuntu:latest

RUN apt-get update && apt-get install -y \
python-pip

RUN pip install --upgrade pip && pip install jupyter \
pandas \
numpy

RUN useradd -r -g users A && \
mkdir /myhome && \
chown -R A:users /myhome

EXPOSE 8888

WORKDIR /myhome

CMD ["jupyter", "notebook", "--port=8888", "--no-browser", "--ip=0.0.0.0"]

I run this by doing docker run -it -p 8888:8888 -u="A" -v /some/host/files:/myhome

But then I got a jupyter error that says OSError: [Errno 13] Permission denied: '/home/A' Any help appreciated. Many thanks!

Answer 1

When you start your container with --entrypoint=bash, you will find that the home directory /home/A of your user has not been created. To do that, you need to add the -m flag to the useradd command

Some more info: You might want to take a look at the docker-stacks projects ( https://github.com/jupyter/docker-stacks/tree/master/base-notebook and derived images). That seems to match with what you're trying to do and adds some other helpful stuff. Eg when running a dockerized jupyter, you need a "PID 1 reaper"; otherwise your exited notebook kernels turn into zombies (you can google for that :-)

Also, when sharing host files with a non-root user inside the container, you will often need to set the UID of your container user to some specific value matching with the host system, so the file system permissions are properly matched. The docker-stacks containers support that too. Their Dockerfiles might at least help as a boilerplate to run your own.