hawkeye

Reputation: 35702

Is it redundant in a Dockerfile to run USER root since you're already root?

Looking at this Dockerfile it starts with:

FROM sequenceiq/pam:centos-6.5
MAINTAINER SequenceIQ

USER root

Now that seems redundant, since by default you'd already be root. But for argument's sake, let's look at the parent Dockerfile... that doesn't change the user.

Now let's look at the grandparent Dockerfile. (It doesn't seem to be available).

My question is: Is it redundant in a Dockerfile to run USER root since you're already root?

Upvotes: 65

Views: 138131

Answers (3)

BMitch

Reputation: 263906

Yes, it's redundant, but there's almost no downside to leaving this redundancy in. This may have been done to develop against other images, or to support uses that may swap out the base image. It could be done to prevent future issues if the upstream image changes its behavior. Or they may just want to be explicit so it's clear this container needs to run commands as root.

This assumes that you have verified that the base image is running as root (as the OP has done). For others with this question, if you run:

docker image inspect --format '{{.Config.User}}' $base_image_name

and see anything other than an empty string or root, then you need USER root to change the user for tasks that require that access (e.g. installing packages, changing filesystem permissions, and writing files in folders not owned by your user). After performing those steps (in separate RUN lines) be sure to change back to the non-privileged user in your released image with another USER youruser line.

Upvotes: 51
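
The check described in the answer above, as an added example that is not part of the original answer: given the value printed by `docker image inspect --format '{{.Config.User}}'` for the base image, it follows the `USER` lines of a Dockerfile and reports which user the released image ends with. The function names, the `example/base:1.0` image and the `appuser` account are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): work out which user the
# released image ends up with, given the base image's configured user.

# is_root VALUE: succeeds when VALUE means root. An empty Config.User,
# "root" and UID 0 all mean root; an optional ":group" suffix is ignored.
is_root() {
    case "${1%%:*}" in
        ''|root|0) return 0 ;;
        *) return 1 ;;
    esac
}

# final_user BASE_USER < Dockerfile
# Prints the user in effect after the last instruction of the last stage.
# BASE_USER is what `docker image inspect --format '{{.Config.User}}'`
# printed for the base image. Assumption: every external base image in a
# multi-stage file has that same user; a stage built FROM an earlier
# stage name inherits that stage's last user.
final_user() {
    awk -v base="$1" '
        BEGIN { user = base }
        toupper($1) == "FROM" {
            i = 2
            while ($i ~ /^--/) i++            # skip flags such as --platform
            img = $i
            user = (img in stage_user) ? stage_user[img] : base
            name = (toupper($(i + 1)) == "AS") ? $(i + 2) : ""
        }
        toupper($1) == "USER" { user = $2 }
        name != "" { stage_user[name] = user }
        END { print user }
    '
}

# Constructed sample: the base image runs as "appuser", the build switches
# to root to install a package, then switches back before release.
sample_dockerfile() {
    cat <<'EOF'
FROM example/base:1.0
USER root
RUN yum install -y curl
USER appuser
EOF
}

u=$(sample_dockerfile | final_user appuser)
if is_root "$u"; then echo "released image runs as root"; else echo "released image runs as $u"; fi
```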

ruasoliveira

Reputation: 312

If you are already root, then it's redundant to use it.

As @BMitch also points out, you can use USER root to ensure you are not going to break things if the parent image changes the user in upcoming versions, among other things.

It actually depends on the image. In some images, such as grafana/grafana, the default user is not root and there is no sudo. Thus you must use USER root for any privileged task (e.g., updating and installing apps via apt).

Upvotes: 10

user3815645

Reputation: 631

If an image was generated from a source that changed root to a user, you may not have access to all resources inside it. However, if you load the image:

FROM xxxxxx/xxxxxx:latest
USER root

That will give you root access to the image's resources. I just used that after being refused access to change /etc/apt/sources.list in an existing image that was not mine. It worked fine and let me change the sources.list.

Upvotes: 53
