Pardon my ignorance, can we change root password for an custom docker image

Thanks
sunder

You can, via any of the normal means, but it’s not really useful because usually the only way to get a shell in a running container of that image involves having root access to the host. (Docker containers don’t usually run things like ssh daemons, and the ability to run a docker command is equivalent to root access on the host.)

Thanks David,

We intend to ship an image where user should be able to start container and work. To execute any additional commands on container the user should be challenged with root password.

Can you please elaborate anyone way to do achieve this goal

Thanks
sunder

Your users need root access to their systems; and if they have some non-root method to access Docker, like the docker group in Ubuntu, it’s one step away from root.

docker run --rm -v /:/host ubuntu:16.04 cat /host/etc/shadow
docker run --rm -v /:/host ubuntu:16.04 sh -c "echo $USER ALL=(ALL) NOPASSWD: ALL >>/host/etc/sudoers'

Also, “debug” mechanisms like docker exec jump directly into a root shell in the container and ignore any password setup you might happen to have in the container.

As I said above, nothing stops you from RUN echo foo | passwd root in a Dockerfile (visible in docker history), or COPY shadow /etc (still vulnerable to offline attacks) to “set a root password in the container”, but it’s all but impossible to make that an effective security measure.