niknak

Reputation: 769

Dockerfile: create ENV variable that a USER can see?

Is there a way to set an ENV variable for a custom USER in a Dockerfile?

I am trying the following:

FROM some_repo/my_base_image
ENV FOO_VAR bar_value
USER webapp
# ... continued (not important)

But my "webapp" user cannot see the "FOO_VAR" variable. HOWEVER, my root user CAN.

Any help would be appreciated.

Upvotes: 10

Views: 19747

Answers (4)

danfromisrael

Reputation: 3112

Here's what worked for me after browsing around the web looking for the answer:

In the Dockerfile:

...
RUN apt install sudo -y
ENV MY_VAR="some value"
...

Now inside the container (or in my case the script I wrote to run inside it):

sudo -E -u my_user env # <- switch here to whatever command you want to execute

-E stands for preserve-env, which means the env vars of the root user will be passed to my_user.

Here's my reference: https://dev.to/pfreitag/passing-environment-variables-with-sudo-1ej6

Upvotes: 1

Drone Brain

Reputation: 449

If you switch user context using su within the Dockerfile's ENTRYPOINT, CMD or docker exec ... using the form below, you enter a new shell process for the given username that does not persist your original environment variables provided by the ENV targets through the Dockerfile, docker-compose YAML, or docker run -e ...

> su - username -c "run a process"

To avoid this behavior, simply remove the dash - from the call, like so:

> su username -c "run a process"

Your assigned docker environment variables will now persist.

Upvotes: 6

x10an14

Reputation: 189

For future reference, this also holds true within the Dockerfile (and not just for any container's user during run-time):

$ cat Dockerfile 
FROM library/debian:9.5

ENV FOO="BAR"
RUN groupadd -r testuser && useradd -r -g testuser testuser 
RUN mkdir -p /home/testuser && chown -R testuser /home/testuser
RUN echo "${FOO}" && echo "meh.${FOO}.blah"

USER testuser
RUN echo "${FOO}" && echo "meh.${FOO}.blah" | tee -a ~/test.xt

And docker build:

$ docker build -t test .
Sending build context to Docker daemon  2.048kB
Step 1/7 : FROM library/debian:9.5
 ---> be2868bebaba
Step 2/7 : ENV FOO="BAR"
 ---> Running in f2cd5ecca056
Removing intermediate container f2cd5ecca056
 ---> f6f7b3f26cad
Step 3/7 : RUN groupadd -r testuser && useradd -r -g testuser testuser
 ---> Running in ab9c0726cc1e
Removing intermediate container ab9c0726cc1e
 ---> dc9f2a35fb09
Step 4/7 : RUN mkdir -p /home/testuser && chown -R testuser /home/testuser
 ---> Running in 108b1c03323d
Removing intermediate container 108b1c03323d
 ---> 4a63e70fc886
Step 5/7 : RUN echo "${FOO}" && echo "meh.${FOO}.blah"
 ---> Running in 9dcdd6b73e7d
BAR
meh.BAR.blah
Removing intermediate container 9dcdd6b73e7d
 ---> c33504cadc37
Step 6/7 : USER testuser
 ---> Running in 596b0588dde6
Removing intermediate container 596b0588dde6
 ---> 075e2c861021
Step 7/7 : RUN echo "${FOO}" && echo "meh.${FOO}.blah" | tee -a ~/test.xt
 ---> Running in fb2648d8c120
BAR
meh.BAR.blah
Removing intermediate container fb2648d8c120
 ---> c7c1c69e200f
Successfully built c7c1c69e200f
Successfully tagged test:latest

(Yet for some reason it doesn't work for me in my own project, when I use the variables as a part of a curl URL target...)

Upvotes: 1

Adrian Mouat

Reputation: 46548

Any user can see the environment variables:

$ cat Dockerfile
FROM debian

ENV foo bar
RUN groupadd -r am && useradd -r -g am am
USER am
$ docker build -t test .
...
$ docker run test bash -c 'echo $foo'
bar

So that's not what the problem is. It may be that your process forked a new environment, but I can't be sure as you haven't shared how you're checking the value.

Upvotes: 15
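
Added example (not from any of the posts above): the answers contrast "su -", which starts from a fresh environment, with "su" without the dash and "sudo -E", which forward the caller's whole environment. The sketch below reproduces both behaviours without root and adds a third option that forwards only named variables. It assumes `env -i` as a stand-in for the login-shell reset; SECRET_TOKEN and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; all values are constructed. `env -i` stands in for the
# environment reset a login shell ("su -") performs, so no root is needed.

FOO_VAR=bar_value            # the ENV from the question's Dockerfile
SECRET_TOKEN=constructed     # hypothetical variable that should not be forwarded
export FOO_VAR SECRET_TOKEN

# Like `su username -c ...` (no dash): the child inherits everything.
run_inherit() {
    sh -c "$1"
}

# Like `su - username -c ...`: the child starts from a fresh environment.
run_like_login() {
    env -i PATH="$PATH" sh -c "$1"
}

# Fresh environment plus only the variables named after the command.
run_with_allowlist() {
    cmd=$1; shift
    # Rewrite "$@" from variable names into NAME=value pairs.
    for name in "$@"; do
        shift
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;  # reject invalid names before eval
        esac
        if eval "[ -n \"\${$name+set}\" ]"; then
            eval "set -- \"\$@\" \"\$name=\${$name}\""
        fi
    done
    env -i PATH="$PATH" "$@" sh -c "$cmd"
}

probe='echo "FOO_VAR=${FOO_VAR:-unset} SECRET_TOKEN=${SECRET_TOKEN:-unset}"'
echo "inherit:   $(run_inherit "$probe")"
echo "login:     $(run_like_login "$probe")"
echo "allowlist: $(run_with_allowlist "$probe" FOO_VAR)"
```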
