Docker Community Forums

Setting a non-root user in a Dockerfile

Dear members, I am having trouble getting permissions to install pip packages within a Dockerfile.

Could someone help me out with this, please?
This is my Dockerfile:

```dockerfile
FROM mcr.microsoft.com/azure-functions/python:3.0-python3.8 as intermediate

RUN apt-get update && apt-get -y install sudo && \
    apt-get install -y apt-utils && apt-get install -y git && \
    wget https://packages.microsoft.com/config/ubuntu/20.10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
    dpkg -i packages-microsoft-prod.deb && \
    apt-get update; \
    apt-get install -y apt-transport-https && \
    apt-get update && \
    apt-get install -y dotnet-sdk-5.0

ARG SPECKLE_ENFORCE_SSL
ENV SPECKLE_ENFORCE_SSL=false
ARG ARTIFACTS_KEYRING_NONINTERACTIVE_MODE
ENV ARTIFACTS_KEYRING_NONINTERACTIVE_MODE=true

ARG AZ_DEVOPS_TOKEN
ENV AZ_DEVOPS_TOKEN=$AZ_DEVOPS_TOKEN
ENV PYTHONUNBUFFERED 1


RUN pip install --upgrade pip --no-cache-dir && \
    pip install pyyaml numpy lxml artifacts-keyring pytest --no-cache-dir && \
    pip install -i https://$AZ_DEVOPS_TOKEN@pkgs.dev.azure.com/<org>/<project>/_packaging/<feed>/pypi/simple/ --no-cache-dir <package-name>

# Ditch the intermediate layer
# IN THIS FINAL STAGE I WANT TO ADD A USER AND USE IT

FROM mcr.microsoft.com/azure-functions/python:3.0-python3.8

ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
  AzureFunctionsJobHost__Logging__Console__IsEnabled=true

COPY --from=intermediate /usr/local/lib/python3.8/site-packages/ /usr/local/lib/python3.8/site-packages/
ADD requirements.txt /

# SO I DID THE FOLLOWING:
RUN addgroup --system --gid 1250 appgroup \
&& adduser --system -uid 1250 --ingroup appgroup --shell /bin/sh appuser && \
echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
RUN chown -R 1250:1250 /home/ && chmod -R 0700 /home/
USER appuser

RUN pip install -r /requirements.txt

ADD . /home/appuser/wwwroot
WORKDIR /home/appuser/wwwroot/HttpUploadTrigger/
#RUN export PATH=/home/.local/bin:$PATH

# I CANNOT INSTALL pytest package
RUN pip install pytest && pytest --verbose  # IF YOU REMOVE THIS LINE THE IMAGE BUILD SUCCEEDS BUT WE NEED TO INSTALL PIP PACKAGES
```

As you can see in the second stage, I added the appgroup group and the appuser user, which belongs to the addgroup group.
And it works, I am using appuser to run the container.
It works when I remove the RUN pip install pytest && pytest --verbose line from the Dockerfile above; then I get this:

```
> docker exec -ti af-fem-uploader bash
appuser@fdf737a9e6ae:~/appuser/wwwroot/HttpUploadTrigger$
```

But when I add the RUN pip install pytest && pytest --verbose step, my output on the build is:

```
 => CACHED [stage-1 4/9] RUN addgroup --system --gid 1250 appgroup && adduser --system -uid 1250 --ingroup appgroup --shell /bin/sh appuser && echo '%sudo ALL=  0.0s
 => CACHED [stage-1 5/9] RUN chown -R 1250:1250 /home/ && chmod -R 0700 /home/                                                                                   0.0s
 => CACHED [stage-1 6/9] RUN pip install -r /requirements.txt                                                                                                    0.0s
 => [stage-1 7/9] ADD . /home/appuser/wwwroot                                                                                                                    0.1s
 => [stage-1 8/9] WORKDIR /home/appuser/wwwroot/HttpUploadTrigger/                                                                                               0.0s
 => ERROR [stage-1 9/9] RUN pip install pytest && pytest --verbose                                                                                               1.0s
------
 > [stage-1 9/9] RUN pip install pytest && pytest --verbose:
#15 0.785 Defaulting to user installation because normal site-packages is not writeable
#15 0.815 Requirement already satisfied: pytest in /usr/local/lib/python3.8/site-packages (6.2.2)
#15 0.825 Requirement already satisfied: pluggy<1.0.0a1,>=0.12 in /usr/local/lib/python3.8/site-packages (from pytest) (0.13.1)
#15 0.827 Requirement already satisfied: packaging in /usr/local/lib/python3.8/site-packages (from pytest) (20.9)
#15 0.828 Requirement already satisfied: attrs>=19.2.0 in /usr/local/lib/python3.8/site-packages (from pytest) (20.3.0)
#15 0.829 Requirement already satisfied: py>=1.8.2 in /usr/local/lib/python3.8/site-packages (from pytest) (1.10.0)
#15 0.830 Requirement already satisfied: toml in /usr/local/lib/python3.8/site-packages (from pytest) (0.10.2)
#15 0.830 Requirement already satisfied: iniconfig in /usr/local/lib/python3.8/site-packages (from pytest) (1.1.1)
#15 0.852 Requirement already satisfied: pyparsing>=2.0.2 in /usr/local/lib/python3.8/site-packages (from packaging->pytest) (2.4.7)
#15 1.007 /bin/sh: 1: pytest: not found
------
executor failed running [/bin/sh -c pip install pytest && pytest --verbose]: exit code: 127
```

It looks like the pytest package cannot be installed because some permissions are denied, perhaps because I am running the container using appuser.
I am not sure about this.
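
A non-root final stage that still runs the tests during the build, as an added example that is not part of the original post. It keeps the post's image, paths, UID/GID and user names; it assumes BuildKit is enabled and a file holding the feed token is passed with `--secret`, and it replaces the sudoers line and the `pytest` launcher call with a root-time install and `python -m pytest`.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Image name, paths, UID/GID and user names are the post's;
# <org>, <project>, <feed>, <package-name>, <token-file> are placeholders.
# Build: docker build --secret id=az_devops_token,src=<token-file> .
FROM mcr.microsoft.com/azure-functions/python:3.0-python3.8 AS intermediate

# The secret is mounted only for this RUN, so the token is not written to a
# layer, an ENV value, or the image history (unlike ARG/ENV).
RUN --mount=type=secret,id=az_devops_token \
    pip install --no-cache-dir pyyaml numpy lxml artifacts-keyring pytest && \
    pip install --no-cache-dir \
      -i "https://$(cat /run/secrets/az_devops_token)@pkgs.dev.azure.com/<org>/<project>/_packaging/<feed>/pypi/simple/" \
      <package-name>

FROM mcr.microsoft.com/azure-functions/python:3.0-python3.8

ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true

# Only site-packages is copied. Launcher scripts that pip wrote to
# /usr/local/bin in the intermediate stage (such as `pytest`) are not copied,
# while the package metadata is, so pip reports "Requirement already satisfied".
COPY --from=intermediate /usr/local/lib/python3.8/site-packages/ /usr/local/lib/python3.8/site-packages/

# Install remaining dependencies while still root, so they land in the
# system site-packages instead of a per-user directory.
COPY requirements.txt /
RUN pip install --no-cache-dir -r /requirements.txt

# Unprivileged account with no sudoers entry and no recursive chown of /home.
RUN addgroup --system --gid 1250 appgroup && \
    adduser --system --uid 1250 --ingroup appgroup --shell /bin/sh appuser

# Give the account ownership of the application tree only.
COPY --chown=appuser:appgroup . /home/appuser/wwwroot
WORKDIR /home/appuser/wwwroot/HttpUploadTrigger/

# Everything from here on, including the container's main process, is non-root.
USER appuser

# `python -m pytest` runs the module from site-packages and does not need the
# `pytest` launcher script on PATH.
RUN python -m pytest --verbose
```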