I’d like to allow my users to run Docker containers as themselves on some multi-user systems.
The usual answer to this question is to use docker container run --user foo. However, the --user flag by itself doesn’t work for stock images because the user doesn’t exist in the image:
    $ docker run --user stefan httpd
    docker: Error response from daemon: linux spec user: unable to find user stefan: no matching entries in passwd file.
    ERRO error waiting for container: context canceled
The solution we’ve come up with so far is to create a custom image which extends a base image (e.g. FROM httpd), add a user, and grant that user permissions to do things inside the container.
But this isn’t a sustainable solution, as we would need to do this for every user that wants to run the image, and then maintain (and update) a bunch of custom images for the foreseeable future. It’s also difficult to investigate each image to discover exactly what needs to be changed for a non-root user to work.
Is there a way to add a user to a container upon instantiation, so that the --user flag will work?
I could see doing this using an Entrypoint script, but it seems that the --user flag will be applied before the Entrypoint script is run.
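Added example, not part of the original post: a small POSIX shell script that emulates the passwd lookup the daemon performs (the step that fails above) and builds a docker run invocation using the host user's numeric uid:gid, which skips that lookup and so needs no per-user image. The sample passwd content is constructed, and the docker command is only printed, not executed.

```shell
#!/bin/sh
# Added example. Shows why `--user <name>` fails against a stock image and how
# to run as the invoking host user without building a custom image.
# Assumes a POSIX shell with awk, mktemp and id; docker itself is not invoked.

# Emulate the daemon's lookup: does NAME have an entry in the given passwd file?
# Exit 0 if found, 1 if not (the "no matching entries in passwd file" case).
passwd_has_user() {
  awk -F: -v name="$2" '$1 == name { found = 1 } END { exit !found }' "$1"
}

# Build the `docker run` argument list for running IMAGE as UID:GID.
# Numeric IDs are accepted without a passwd lookup, so no user has to exist in
# the image. Bind-mounting the host passwd/group read-only lets tools inside the
# container still resolve the numeric ID to a name. A process that needs root
# in the image (e.g. binding a privileged port) still needs other changes.
user_run_args() {
  uid="$1"; gid="$2"; image="$3"
  printf '%s\n' \
    "--user" "${uid}:${gid}" \
    "-v" "/etc/passwd:/etc/passwd:ro" \
    "-v" "/etc/group:/etc/group:ro" \
    "$image"
}

# Constructed sample: roughly what a stock image's /etc/passwd contains.
image_passwd=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$image_passwd"
printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' >> "$image_passwd"

if passwd_has_user "$image_passwd" stefan; then
  echo "stefan exists in the image: --user stefan would resolve"
else
  echo "stefan is not in the image passwd: --user stefan fails; use numeric IDs"
fi
rm -f "$image_passwd"

# The command that runs IMAGE as the current host user, no custom image needed.
echo "docker run $(user_run_args "$(id -u)" "$(id -g)" IMAGE | tr '\n' ' ')"
```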