Docker Community Forums

Is it possible to stop container from inside without root privileges?

I’m running haugene/transmission-openvpn with PUID and PGID. Want to stop container from inside with sh script. Think a kill SIGTERM from inside container is needed for this, which requires root permission.
New with docker and very little linux knowledge, so forgive me for asking something stupid…

In my understanding it’s always better to run docker image not as root using UID and GID. When run as root, I would say host system’s mapped volumes are vulnerable (security-wise?).
Also it’s a struggle when run as root for user to get access to folders that are created in container.

Is there any way to get temporary root access? Or maybe run image as root and “intermediately” change to user, and use su for sending the SIGTERM?

Thanx!

I think (in theory at least) that you could be able to do a kill -9 1 from inside the container to make it shut itself down. You would like to do a kill -s SIGKILL 1 but since pid 1 is protected, you need to nine it.

When you do a docker stop <instance_id> it does send a “nice” kill signal to the container.

ovelindstrom, thnx for the quick reply!

Tried kill -s SIGTERM 1 and kill -s SIGKILL 1 yesterday, and came to conclusion that only works when container is started as root.
Just tried kill -9 1, doesn’t seem to work with PUID and PGID not set to root. Also didn’t stop container when running as root?

And how about starting container as root and change to User somehow? U think that might be possible? Or too risky?

I would not start the container as root. As you say, it implies some security issues.

I found this article by Dominique Barton https://blog.confirm.ch/sending-signals-docker-container/ that addresses this issue.

Read the article, thnx
If I understand correctly, this is about reloading configuration instead of restarting container (downtime…).

Did try kill -s SIGHUP 1
Container log shows response to that: SIGHUP[hard,] received, process restarting
But it restarts/reloads, doesn’t quit/stop (also needs root access).

When exec in container using -u (UID) (so no root permission), only command that does something is kill -s SIGKILL -1. Don’t know what it exactly is doing, but it breaks the transmission web-interface (OpenVPN is still running).

Source (last few comments):

Can try to make ENTRYPOINT as suggested in link above (will be tomorrow I guess).

Also I was surprised by outcome when checked ps -aux :

root@OMV-2-ODROID:~# docker exec -ti -u 1000 TransmissionOpenVPN bash
abc@136b242136e9:/$ ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1584 320 ? Ss 14:45 0:00 /usr/bin/dumb-init /etc/openvpn/start.sh
root 11 0.0 0.2 8156 5352 ? Ss 14:45 0:00 openvpn --script-security 2 --up-delay…
abc 98 0.0 0.1 43028 2944 ? Ssl 14:45 0:00 /usr/bin/transmission-daemon -g…
abc 116 0.2 0.1 5220 3076 pts/0 Ss 14:51 0:00 bash
abc 121 0.0 0.1 7724 2840 pts/0 R+ 14:52 0:00 ps -aux

Seems like it runs as root (container started with UID and GID). dumb-init and openvpn do, transmission-daemon doesn’t… Is this normal behavior???
Tried with and without the --privileged flag (same result), which seems needed to be set as otherwise container exits with error in log: “permission denied” somewhere when setting up OpenVPN.

Which doesn’t make sense to me, doesn’t mention anything about that flag being needed:
https://hub.docker.com/r/haugene/transmission-openvpn/
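
Added example, not part of any post in this thread: a small model of the Linux signal-delivery rules (kill(2), pid_namespaces(7)) applied to the ps table posted above, showing which kill attempts from inside the container reach which process. Assumptions: the USER column stands in for the real/effective/saved UIDs, root holds CAP_KILL, the set of signals dumb-init handles is a guess, and PID 200 is a hypothetical root shell.

```python
# Added example: models Linux signal-delivery rules over the process table
# from the thread. Nothing is actually signalled. (ps's own row is omitted.)
PS_TABLE = """\
root 1 0.0 0.0 1584 320 ? Ss 14:45 0:00 /usr/bin/dumb-init /etc/openvpn/start.sh
root 11 0.0 0.2 8156 5352 ? Ss 14:45 0:00 openvpn --script-security 2 --up-delay…
abc 98 0.0 0.1 43028 2944 ? Ssl 14:45 0:00 /usr/bin/transmission-daemon -g…
abc 116 0.2 0.1 5220 3076 pts/0 Ss 14:51 0:00 bash
"""
# Assumption: signals the init process (dumb-init) has installed handlers for.
# SIGKILL and SIGSTOP can never have a handler.
INIT_HANDLED = {"SIGTERM", "SIGHUP", "SIGINT"}

def parse_ps(text):
    """Return {pid: user} from `ps aux` rows (USER is column 1, PID column 2)."""
    procs = {}
    for row in text.splitlines():
        fields = row.split(None, 10)
        procs[int(fields[1])] = fields[0]
    return procs

def outcome(sender_user, target_pid, sig, procs):
    """Outcome of one kill(target_pid, sig) issued inside the container."""
    # Permission check: a privileged sender, or sender UID equal to the
    # target's UID. Simplification: the USER column stands for all UIDs and
    # root is assumed to hold CAP_KILL.
    if sender_user != "root" and procs[target_pid] != sender_user:
        return "EPERM"
    # PID 1 of a PID namespace only receives signals it has a handler for
    # when the sender is inside that same namespace (this covers SIGKILL).
    if target_pid == 1 and sig not in INIT_HANDLED:
        return "ignored"
    return "delivered"

def kill(user, sender_pid, target, sig, procs):
    """Model `kill -s SIG target` typed by `user` in the shell sender_pid."""
    if target == -1:
        # kill(-1): every process the caller may signal, except PID 1 and,
        # on Linux, the calling process itself.
        pids = [p for p in procs if p not in (1, sender_pid)]
        return {p: "delivered" for p in pids
                if outcome(user, p, sig, procs) == "delivered"}
    return {target: outcome(user, target, sig, procs)}

if __name__ == "__main__":
    procs = parse_ps(PS_TABLE)
    for user, pid, target, sig in [("abc", 116, 1, "SIGTERM"),
                                   ("abc", 116, -1, "SIGKILL"),
                                   ("root", 200, 1, "SIGKILL")]:
        print(user, target, sig, kill(user, pid, target, sig, procs))
```

In this model, `kill -s SIGKILL -1` from the `abc` shell reaches only transmission-daemon, and SIGKILL aimed at PID 1 from inside the container is dropped even for root.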