I’m running haugene/transmission-openvpn with PUID and PGID. I want to stop the container from inside with an sh script. I think a kill SIGTERM from inside the container is needed for this, which requires root permission.
New with docker and very little linux knowledge, so forgive me for asking something stupid…
In my understanding it’s always better to run a docker image not as root, using UID and GID. When run as root, I would say the host system’s mapped volumes are vulnerable (security-wise?)?
Also, when run as root, it’s a struggle for the user to get access to folders that are created in the container.
Is there any way to get temporary root access? Or maybe run image as root and “intermediately” change to user, and use su for sending the SIGTERM?
I think (in theory at least) that you might be able to do a kill -9 1 from inside the container to make it shut itself down. You would like to do a kill -s SIGKILL 1, but since pid 1 is protected, you need to nine it.
When you do a docker stop <instance_id>, it does send a “nice” kill signal to the container.
Tried kill -s SIGTERM 1 and kill -s SIGKILL 1 yesterday, and came to the conclusion that it only works when the container is started as root.
Just tried kill -9 1, doesn’t seem to work with PUID and PGID not set to root. Also it didn’t stop the container when running as root?
And how about starting the container as root and changing to a user somehow? Do you think that might be possible? Or too risky?
Read the article, thanks.
If I understand correctly, this is about reloading configuration instead of restarting container (downtime…).
Did try kill -s SIGHUP 1.
The container log shows the response to that: SIGHUP[hard,] received, process restarting
But it restarts/reloads, it doesn’t quit/stop (and also needs root access).
When exec’ing into the container using -u (UID) (so no root permission), the only command that does something is kill -s SIGKILL -1. I don’t know what exactly it is doing, but it breaks the transmission web interface (OpenVPN is still running).
Source (last few comments):
I can try to make an ENTRYPOINT as suggested in the link above (will be tomorrow I guess).
Also I was surprised by the outcome when I checked ps -aux:
It seems like it runs as root (container started with UID and GID). dumb-init and openvpn do, transmission-daemon doesn’t… Is this normal behavior???
Tried with and without the --privileged flag (same result), which seems to need to be set, as otherwise the container exits with an error in the log: “permission denied” somewhere when setting up OpenVPN.
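The two observations above (signals to PID 1 only work as root, and kill -s SIGKILL -1 as the PUID user killed transmission-daemon but left openvpn running) come down to the kernel's permission check for kill(2): an unprivileged process may only signal processes running as its own uid, and PID -1 means "every process I am allowed to signal". The script below is an added example for checking this from inside a container, not code from the thread or from the haugene/transmission-openvpn image; it uses kill -0, which tests permission without delivering a signal, and reads /proc directly, so it works without ps. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): probe, from inside a container, whether the
# current user may signal a given PID, without actually delivering a signal.
# kill -0 checks permission only: exit 0 = allowed, non-zero = EPERM or no such PID.

can_signal() {
    kill -0 "$1" 2>/dev/null
}

# Report the real uid a PID runs as (reads /proc, so no ps is needed).
pid_user() {
    awk '/^Uid:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# Send SIGTERM to PID 1 only when permitted; otherwise explain why an
# unprivileged exec session (docker exec -u <PUID>) cannot stop the container this way.
stop_container() {
    if can_signal 1; then
        kill -s TERM 1
        return 0
    fi
    echo "uid $(id -u) cannot signal PID 1 (owned by uid $(pid_user 1))" >&2
    return 1
}

# Lists exactly the set that 'kill -s SIGKILL -1' would hit for this user:
# as the PUID user that is transmission-daemon but not dumb-init or openvpn,
# which (per the ps output discussed above) run as root.
list_signalable() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        can_signal "$pid" && echo "$pid $(pid_user "$pid")"
    done
}
```

Run list_signalable from a docker exec -u session to see why the web interface broke; run stop_container only when you actually want the container to go down.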