如何在docker文件或脚本中以非root用户身份修改/etc/resolv.conf

Question

Based on best practice and recommendation we should always run docker container as non root user for security reason. While doing so I am facing one issue where I have to override /etc/resolv.conf file with domain name. I am appending domain name in resolv.conf file via script eg env.sh (I am calling this script as eg The Dockefile has following command

from dabian:latest
... 
...
ENTRYPOINT[env.sh]

The script env.sh simply append domain name based on environment eg dev/qa/prod etc.

If I run docker container as root user there is no problem as the resolv.conf will get updated with appropriate domain name map (based on environment profile) but if I add non root user (in docker file ) and use the user and call ENTRYPOINT[evn.sh] , the resolv.conf file will not get updated.

Is it because the files like hosts or resolv.conf inside docker get always override by host configuration and only root are allowed to modify these file (which apparently looks like).

My question is , Is it possible to do same as non root user or is there a way to grant non root user just enough permission to modify resolv.conf and yet run as non root user (may be scoping or limiting user privilege to just modify resolv.conf ) ? Has anyone come across this scenario ?

Answer 1

you have two options:

run your container as root and run your application using another user in your ENTRYPOINT using:

runuser -l YOUR_USER -c "COMMAND_TO_RUN"

or setting up passwordless sudo and assign the user to it , something like this in Dockerfile :

RUN adduser YOUR_USER sudo
RUN sed -i.bkp -e \
      's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL/g' \
      /etc/sudoers