
Using current user when running container in docker-compose

Is there a way to execute or log in as the current user to a bash shell of a specific container? I tried running docker-compose exec -u $USER phoenix bash but it says: unable to find user raz: no matching entries in passwd file

I tried another way by adding a useradd command in a dockerfile.

FROM elixir:latest

ARG USER_ID
ARG GROUP_ID

RUN addgroup --gid $GROUP_ID raz
RUN adduser --disabled-password --gecos '' --uid $USER_ID --gid $GROUP_ID raz
# every RUN instruction below this line executes as raz, not as root
USER raz

RUN apt-get update && \
    apt-get install -y postgresql-client && \
    apt-get install -y inotify-tools && \
    apt-get install -y nodejs && \
    curl -L https://npmjs.org/install.sh | sh && \
    mix local.hex --force && \
    mix archive.install hex phx_new 1.5.3 --force && \
    mix local.rebar --force

COPY . /app
WORKDIR /app

COPY ./entrypoint.sh /entrypoint.sh
RUN ["chmod", "+x", "/entrypoint.sh"]
ENTRYPOINT ["/entrypoint.sh"]

but when I run docker-compose build I get a permission denied error when running the apt-get commands. I also looked at gosu as a way to step down from the root user, but it seems complicated.

Is it possible for the user added in the Dockerfile to have the same permissions as my current user? I'm running WSL2, by the way.

Building on top of the answer by Joepreludian, focusing on docker-compose:

You can use the user: and volumes: options in the compose file. For example:

  my-service:
    image: ubuntu:latest
    user: ${MY_UID}:${MY_GID}
    volumes:
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro

and define these variables where you are starting your compose:

MY_UID="$(id -u)" MY_GID="$(id -g)" docker-compose up

This question is pretty interesting. Let me begin with a short explanation.

Understanding the problem

In fact, a user that exists inside a container is valid only inside that container. What you're trying to do is use a user that exists outside the container (i.e. on your Docker host) inside the container. Unfortunately, this can't be done in the normal way.

For instance, let me try to change to my user in order to run this container:

$ docker run -it --rm --user jon ubuntu whoami
docker: Error response from daemon: unable to find user jon: no matching entries in passwd file.

I tried to run a classic ubuntu container on my Docker host. Even though the user exists on my local machine, the Docker image says it didn't find the user.

$ id -a
uid=1000(jon) gid=1001(jon) groups=1001(jon),3(sys),90(network),98(power),108(vboxusers),962(docker),991(lp),998(wheel),1000(autologin)

The command above was executed on my computer, proving that the "jon" username exists.

Making my username available inside a container: a docker trick

I will suppose that you didn't create a user inside your container. For instance, I'm going to use the ubuntu Docker image.

The trick is to mount both files responsible for handling your user and group definitions inside the container, so that the container is able to see you inside it.

$ docker run -it --rm --volume /etc/passwd:/etc/passwd:ro --volume /etc/group:/etc/group:ro --user $(id -u) ubuntu whoami
jon

For a more complete example:

$ docker run -it --rm --volume /etc/passwd:/etc/passwd:ro --volume /etc/group:/etc/group:ro --user $(id -u):$(id -g) ubuntu "id"
uid=1000(jon) gid=1001(jon) groups=1001(jon)

  • Notice that I used two volumes pointing to two files, /etc/passwd and /etc/group? I mounted both read-only (appending ":ro") just for safety.

  • Also notice that I used id -u, which gives me my user id (1000 in my case), forcing the user id to be the same as the one defined for me in my /etc/passwd file.

Caveat

If you try to set the username to jon rather than the UID, you are going to run into an issue.

$ docker run -it --rm --volume /etc/passwd:/etc/passwd:ro --volume /etc/group:/etc/group:ro --user jon ubuntu whoami
docker: Error response from daemon: unable to find user jon: no matching entries in passwd file.

This happens because the Docker engine tries to change the user before mounting the volumes, so the user needs to exist before the container runs. If you provide a numeric representation of the user, it doesn't need to exist within the container, which makes the trick work.

https://docs.docker.com/engine/reference/run/#user

I hope this is helpful. Be safe!
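As an added example (not from either answer above), the following POSIX shell script models the user-resolution step both answers rely on: the compose `user: ${MY_UID}:${MY_GID}` setting and the `--user $(id -u):$(id -g)` trick work because a numeric ID is accepted without a lookup, while a bare username is resolved against the passwd file the runtime sees at start-up, before any bind mount of the host's /etc/passwd is visible. The two passwd contents are constructed stand-ins (an image without "jon", a host with "jon"), the functions host_ids and resolve_user are my own names, and the resolution logic is a simplified model of the engine's behaviour, not its code; the detail that a numeric uid with no gid and no passwd entry ends up with primary group 0 is the documented runtime default and is the reason the `uid:gid` form is the safer one.

```shell
#!/bin/sh
# Model of how a container runtime resolves a --user / "user:" value against
# the image's /etc/passwd at start-up, before any bind mounts apply.
# Added example; the passwd contents below are constructed, not real files.

# Constructed stand-in for the image's /etc/passwd: no "jon" entry.
IMAGE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Constructed stand-in for the host's /etc/passwd, where "jon" does exist.
HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
jon:x:1000:1001:Jon:/home/jon:/bin/bash'

# passwd_field PASSWD_CONTENT NAME FIELD -> prints field FIELD (3=uid, 4=gid)
# of the entry whose login name is NAME, or nothing if there is no such entry.
passwd_field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v f="$3" '$1 == u { print $f; exit }'
}

# host_ids NAME -> "uid:gid" of the host account, i.e. the value that
# MY_UID="$(id -u)" MY_GID="$(id -g)" hands to docker-compose.
host_ids() {
    uid=$(passwd_field "$HOST_PASSWD" "$1" 3)
    gid=$(passwd_field "$HOST_PASSWD" "$1" 4)
    [ -n "$uid" ] || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# resolve_user SPEC -> prints the effective "uid:gid" the container process
# would run as, or fails the way the engine does when a *name* is unknown.
# Only numeric gids are accepted in this simplified model.
resolve_user() {
    spec=$1
    user=${spec%%:*}
    group=
    case $spec in *:*) group=${spec#*:} ;; esac

    case $user in
        *[!0-9]*|'')
            # A name must be present in the passwd the runtime sees at start.
            uid=$(passwd_field "$IMAGE_PASSWD" "$user" 3)
            if [ -z "$uid" ]; then
                echo "unable to find user $user: no matching entries in passwd file" >&2
                return 1
            fi
            pgid=$(passwd_field "$IMAGE_PASSWD" "$user" 4)
            ;;
        *)
            # A numeric uid is accepted as-is, with no passwd lookup required.
            uid=$user
            # Without an explicit gid, the primary group comes from the passwd
            # entry for that uid if one exists, otherwise it defaults to 0 (root).
            pgid=$(printf '%s\n' "$IMAGE_PASSWD" | awk -F: -v u="$uid" '$3 == u { print $4; exit }')
            : "${pgid:=0}"
            ;;
    esac

    if [ -n "$group" ]; then
        case $group in
            *[!0-9]*) echo "this model only accepts numeric gids" >&2; return 1 ;;
            *) pgid=$group ;;
        esac
    fi
    printf '%s:%s\n' "$uid" "$pgid"
}

# Demonstration: the name fails, the numeric ids taken from the host succeed.
echo "resolving --user jon:"
resolve_user jon || echo "  -> rejected, exactly like the error in the answer above"
echo "resolving --user $(host_ids jon):"
resolve_user "$(host_ids jon)"
echo "resolving --user 1000 (no gid):"
resolve_user 1000
```

Running it prints the rejection for jon, then 1000:1001 for the host-derived pair, and 1000:0 for a bare uid, which is why passing both id -u and id -g (as the compose answer does) is preferable to the uid alone.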
