如何从容器使用root用户？

Question

I'm new to the docker and linux.
I'm using windows 10 and got a github example to create a container with Centos and nginx.
I need to use the root user to change the nginx.config.
From Kitematic, I clicked on Exec to get a bash shell in the container and I tried sudo su – as blow:

  sh-4.2$ sudo su –  
  sh: sudo: command not found  

So, I tried to install sudo by below command:

sh-4.2$ yum install sudo -y  
Loaded plugins: fastestmirror, ovl  
ovl: Error while doing RPMdb copy-up:  
[Errno 13] Permission denied: '/var/lib/rpm/Installtid'  
You need to be root to perform this command.  

Then I ran su - , but I don't know the password! How can I set the password?

sh-4.2$ su -  
Password: 

Then, from powershell on my windows I also tried:

PS C:\Containers\nginx-container> docker exec -u 0 -it 9e8f5e7d5013 bash 

but it shows that the script is running and nothing happened and I canceled it by Ctrl+C after an hour.

Some additional information:

Here is how I created the container:

PS C:\Containers\nginx-container> s2i build https://github.com/sclorg/nginx-container.git --context->dir=examples/1.12/test-app/ centos/nginx-112-centos7 nginx-sample-app

From bash shell in the container. I can get the os information as below:

sh-4.2$ cat /etc/os-release  
NAME="CentOS Linux"  
VERSION="7 (Core)"  
ID="centos"  
ID_LIKE="rhel fedora"  
VERSION_ID="7"  
PRETTY_NAME="CentOS Linux 7 (Core)"  
ANSI_COLOR="0;31"  
CPE_NAME="cpe:/o:centos:centos:7"  
HOME_URL="https://www.centos.org/"  
BUG_REPORT_URL="https://bugs.centos.org/"  

CENTOS_MANTISBT_PROJECT="CentOS-7"  
CENTOS_MANTISBT_PROJECT_VERSION="7"  
REDHAT_SUPPORT_PRODUCT="centos"  
REDHAT_SUPPORT_PRODUCT_VERSION="7"  

I would really appreciate if you can help me to fix these issues.
Thanks!

Answer 1

Your approach is generally wrong. You should prepare the file outside the container an then let the Docker itself to change it.

There are several ways to achieve this.

1. You can mount your file during startup:

   docker run -v /your/host/path/to/config.cfg:/etc/nginx/config.cfg ...

2. You can copy the file into the container during building the container (inside Dockerfile):

   FROM base-name COPY config.cfg /etc/nginx/

3. You can apply a patch to the config script (once again, a Dockerfile):

   FROM base-name ADD config.cfg.diff /etc/nginx/ RUN ["patch", "-N", "/etc/nginx/config.cfg", "--input=/etc/nginx/config.cfg.diff"]

For each method, there are lots of examples on StackOverflow.

Answer 2

You should read Docker's official tutorial on building and running custom images . I rarely do work in interactive shells in containers; instead, I set up a Dockerfile that builds an image that can run autonomously, and iterate on building and running it like any other piece of software. In this context su and sudo aren't very useful because the container rarely has a controlling terminal or a human operator to enter a password (and for that matter usually doesn't have a valid password for any user).

Instead, if I want to do work in a container as a non-root user, my Dockerfile needs to set up that user:

FROM ubuntu:18.04
WORKDIR /app
COPY ...
RUN useradd -r -d /app myapp
USER myapp
CMD ["/app/myapp"]

The one exception I've seen is if you have a container that, for whatever reason, needs to do initial work as root and then drop privileges to do its real work. (In particular the official Consul image does this.) That uses a dedicated lighter-weight tool like gosu or su-exec . A typical Dockerfile setup there might look like

# Dockerfile
FROM alpine:3.8
RUN addgroup myapp \
 && adduser -S -G myapp myapp
RUN apk add su-exec
WORKDIR /app
COPY . ./
ENTRYPOINT ["/app/docker-entrypoint.sh"]
CMD ["/app/myapp"]

#!/bin/sh
# docker-entrypoint.sh

# Initially launches as root
/app/do-initial-setup

# Switches to non-root user to run real app
su-exec myapp:myapp "$@"

Both docker run and docker exec take a -u argument to indicate the user to run as. If you launched a container as the wrong user, delete it and recreate it with the correct docker run -u option. (This isn't one I find myself wanting to change often, though.)

Answer 3

I started the container on my local and turns out you don't need sudo you can do it with su that comes by default on the debian image

docker run -dit centos bash
docker exec -it 9e82ff936d28 sh
su

also you could try executing the following which defaults you to root:

docker run -dit centos bash
docker exec -it 9e82ff936d28 bash

never less you could create the Nginx config outside the container and just have it copy using docker container copy {file_path} {container_id}:{path_inside_container}

Answer 4

Thanks everyone.

I think it's better to setup a virtualbox with Centos and play with nginx. Then when I'm ready and have a correct nginx.config, I can use Dockerfile to copy my config file.

VM is so slow and I was hoping that I can work in interactive shells in containers to learn and play instead of using a VM. do you have any better idea than virtualbox?

I tried

  docker run -dit nginx-sample-app bash  
  docker exec -u root -it 9e8f5e7d5013 bash  

And it didn't do anything , it stays in the below status: here

the same commands worked on debian image but not centos.