Declaring your own user and not running as a root user

I am trying to declare my own user as I don’t want to run as root.

I have tried various options, but I am still unable to understand where the problem is!

When I use:

```
RUN addgroup -g ${gid} -S ${group} && \
    adduser -u ${uid} -S ${group} -G ${group}
```

I get this error message:

```
---> Running in 66cf0e3eb584
Option g is ambiguous (gecos, gid, group)
Option s is ambiguous (shell, system)
```

I then tried the following option:

```
RUN addgroup ${gid} GROUP && \
    adduser -u ${uid} --group ${gid} GROUP
```

but got this error:

```
addgroup: The user `1000' does not exist.
```

Afterwards, I tried this:

```
RUN groupadd -g ${gid} ${group} && useradd -u ${uid} -G ${group} -s /bin/sh -D ${user}
```

And got this error:

```
Step 8/29 : RUN groupadd -g ${gid} ${group} && useradd -u ${uid} -G ${group} -s /bin/sh -D ${user}
 ---> Running in 629f0a6219ac
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

The command '/bin/sh -c groupadd -g ${gid} ${group} && useradd -u ${uid} -G ${group} -s /bin/sh -D ${user}' returned a non-zero code: 2
ERROR: Job failed: exit code 1
```

My complete dockerfile is this:


```
FROM microsoft/dotnet:2.1-aspnetcore-runtime AS runtime
WORKDIR /app
EXPOSE 80

ARG user=appuser
ARG group=appuser
ARG uid=1000
ARG gid=1000

# Run process with user ${user}, uid = 1000
# Remarks: If you mount a volume from the host or a data container, ensure to use the same uid

#RUN addgroup -g ${gid} ${group} \
 # && adduser -u ${uid} -G ${group} -s /bin/sh -D ${user}

#RUN groupadd -r ${gid} && -G ${group} -r -g ${gid} ${group} 

#RUN groupadd -r appuser && useradd -r -g appuser appuser 

#RUN groupadd -r -g ${gid} ${group} && useradd -D ${user} -r -u ${uid} -G ${group}

RUN groupadd -g ${gid} ${group} && useradd -u ${uid} -G ${group} -s /bin/sh -D ${user}

#RUN addgroup ${gid} GROUP && \
 #   adduser -u ${uid} --group ${gid} GROUP

ARG ASPNETCORE_ENVIRONMENT
ENV ASPNETCORE_ENVIRONMENT=${ASPNETCORE_ENVIRONMENT}

FROM microsoft/dotnet:2.1-sdk AS build
WORKDIR /src

COPY abc.RegistrationService.DataModel/abc.RegistrationService.DataModel.csproj abc.RegistrationService.DataModel/
COPY abc.RegistrationService.Foundation/abc.RegistrationService.Foundation.csproj abc.RegistrationService.Foundation/
COPY abc.RegistrationService.Logging/abc.RegistrationService.Logging.csproj abc.RegistrationService.Logging/
COPY abc.RegistrationService.Repositories/abc.RegistrationService.Repositories.csproj abc.RegistrationService.Repositories/
COPY abc.RegistrationService.Services/abc.RegistrationService.Services.csproj abc.RegistrationService.Services/
COPY abc.RegistrationService.WebApi/abc.RegistrationService.WebApi.csproj abc.RegistrationService.WebApi/
RUN dotnet restore abc.RegistrationService.WebApi/abc.RegistrationService.WebApi.csproj

COPY . .
WORKDIR /src/abc.RegistrationService.WebApi
RUN dotnet build -c Release -o /app

FROM build AS publish
RUN dotnet publish -c Release -o /app

FROM runtime AS final
WORKDIR /app
COPY --from=publish /app .

#USER root:root

# Now switch user
USER ${user}

ENTRYPOINT ["dotnet", "abc.RegistrationService.WebApi.dll"]
```

Any help as to how I can correctly set up a user and add it to the group?
Thanks,

The best way to troubleshoot issues like this is to run the commands you intend to run in your build environment in an interactive session with the same base container. When you find the right options, then you can build your Dockerfile.

```
%> docker run --rm -it microsoft/dotnet:2.1-aspnetcore-runtime /bin/sh
# run your build commands here to troubleshoot, then exit when done
```

Your issue has to do with how you invoke the commands you’re calling. Stated clearly in the output you included:

```
  -D, --defaults                print or change default useradd configuration
```

Drop that option, and you’ll have one more issue. The -G option is to:

```
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
```

You need to set the primary group with this option:

```
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
```

So your final command will be:

```
RUN groupadd -g ${gid} ${group} && useradd -u ${uid} -g ${group} -s /bin/sh ${user}
```

Always read the output.
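
Added example, not part of the original thread: a build-time check that the account created by the `groupadd`/`useradd` step really is non-root with the intended primary group, so a `-G` (supplementary) vs `-g` (primary) mix-up fails the build instead of shipping. The function name `check_account` and the optional file arguments are assumptions made for this sketch.

```shell
#!/bin/sh
# check_account USER UID GID [PASSWD_FILE] [GROUP_FILE]
# Returns 0 only when USER exists, has a non-zero UID equal to UID, and its
# PRIMARY group (field 4 of the passwd entry) is GID. A name that only appears
# in a group's member list is a supplementary membership (what useradd -G
# sets) and does not satisfy the check.
check_account() {
    user=$1 want_uid=$2 want_gid=$3
    passwd_file=${4:-/etc/passwd}
    group_file=${5:-/etc/group}

    # Exact match on the login name; print "uid:gid" for the first hit.
    ids=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4; exit }' "$passwd_file")
    if [ -z "$ids" ]; then
        echo "FAIL: no passwd entry for $user" >&2
        return 1
    fi
    uid=${ids%%:*}
    gid=${ids##*:}

    if [ "$uid" = 0 ]; then
        echo "FAIL: $user has UID 0 (root)" >&2
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $user has UID $uid, expected $want_uid" >&2
        return 1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "FAIL: $user has primary GID $gid, expected $want_gid" >&2
        return 1
    fi
    # The primary GID must also be defined in the group database.
    if ! awk -F: -v g="$want_gid" '$3 == g { f = 1 } END { exit !f }' "$group_file"; then
        echo "FAIL: GID $want_gid is not defined in $group_file" >&2
        return 1
    fi
    echo "OK: $user uid=$uid primary gid=$gid"
}

# When run as a script with arguments, check the live account databases.
if [ "$#" -ge 3 ]; then
    check_account "$@"
fi
```

Copied into the image and invoked with `${user} ${uid} ${gid}` in a `RUN` step after the account is created, a non-zero exit stops the build before the `USER ${user}` switch.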