I have an image that requires some initialisation on container startup:
- the initialisation requires root privileges (I’m writing to /etc/hosts)
- the initialisation can only be done at run time - I only know what to write when the container starts up
I want to avoid the container running as root.
I figured that when building the image I should be able to:
- copy a script to do the initialisation into the container
- set its ownership to root
- set its setuid bit
As the last act in the Dockerfile, set USER to a non-privileged user.
Then the container should start executing as a non-root user, but be able to acquire root privileges when the initialisation script runs and then lose them again as it ‘does the business’.
This approach doesn’t work. The script is installed, is owned by root and has the setuid bit set. But when it’s run it runs as the non-privileged user (as reported by ps).
My question is - is this expected? I’m guessing from what I’ve read that in these circumstances the container will run in a namespace where processes can’t acquire root privileges, but I’m new to this stuff so I’m not sure.
If so, is there some other pattern for doing root level init in a container when the container starts with a non-privileged user?
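As an added example (not the poster's code), an entrypoint that leaves USER unset in the Dockerfile, performs the root-only edit at start-up, and then drops to an unprivileged user with `setpriv` from util-linux before exec'ing the real command; it avoids the setuid bit entirely, which Linux ignores on `#!` scripts in any case. It assumes a user named `app` exists in the image and that the runtime values arrive in the `INIT_HOST_IP` / `INIT_HOST_NAME` environment variables (constructed names).

```shell
#!/bin/sh
# Added example, not the poster's script: start as root, do the one root-only
# step, then hand the process over to an unprivileged user. No setuid bit is
# needed, so it also works where the image filesystem or runtime forbids setuid.
set -eu

APP_USER="${APP_USER:-app}"            # assumed: created earlier in the Dockerfile
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}" # overridable so the function is testable

# Append "IP<TAB>NAME" to a hosts file unless NAME is already present.
# Returns 0 when a line was added, 1 when the name already existed.
add_host_entry() {
    ip="$1"; name="$2"; file="${3:-$HOSTS_FILE}"
    if grep -qE "[[:space:]]${name}([[:space:]]|\$)" "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# True only before privileges are dropped (effective UID 0).
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

main() {
    # Runtime-only knowledge arrives through the environment (constructed names).
    : "${INIT_HOST_IP:?set INIT_HOST_IP}" "${INIT_HOST_NAME:?set INIT_HOST_NAME}"
    if ! running_as_root; then
        echo "entrypoint must start as root to edit $HOSTS_FILE; leave USER unset" >&2
        exit 1
    fi
    add_host_entry "$INIT_HOST_IP" "$INIT_HOST_NAME" || true
    # Permanently switch uid/gid and supplementary groups, then exec the workload
    # so it runs as PID 1 with no root process left behind in the container.
    exec setpriv --reuid="$APP_USER" --regid="$APP_USER" --init-groups -- "$@"
}

# Run only when invoked with a command (ENTRYPOINT ["/entrypoint.sh"] plus CMD);
# sourcing the file for tests leaves the functions defined and nothing executed.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The script must be the image's ENTRYPOINT with no USER directive, so that every container instance starts as root only long enough to run add_host_entry and then lives out its life as `app`.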