Docker images presume root user inside container
Setomidor opened this issue
The docker images on docker hub presume to run as root -- specifically, the workingDir in docker is set to /root/
The main problem with this is that many kubernetes clusters prevent processes from running as root (even inside containers) for security reasons, both related to container breakout and to permissions for files on network drives. To complicate this further, the official kubernetes examples made by Google [1] use your images and hence do not work on many clusters.
You can recreate the problem locally using a Dockerfile with these contents:

```dockerfile
FROM perl
# create an unprivileged system user and switch to it
RUN groupadd -r perl && useradd --no-log-init -r -g perl perl
USER perl
```

You will then see the error related to trying to run from /root/:

```
docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "chdir to cwd (\"/root\") set in config.json failed: permission denied": unknown.
```
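The cluster-side restriction described in the report, shown as an added example that is not part of the original issue: a Pod spec that enforces a non-root UID through `securityContext`, and the `workingDir` override that lets such a pod start against the stock image without rebuilding it. The image tag, the UID/GID and the command are assumptions.

```yaml
# Added example, not from the original issue or the docker-perl project.
# Assumes the stock `perl` image (WORKDIR /root, USER root) and an arbitrary
# non-root UID/GID of 1000; adjust both to your cluster's policy.
apiVersion: v1
kind: Pod
metadata:
  name: perl-nonroot
spec:
  securityContext:
    runAsNonRoot: true   # kubelet refuses to start a container whose effective UID would be 0
    runAsUser: 1000      # overrides the image's USER (root) at runtime
    runAsGroup: 1000
  containers:
    - name: perl
      image: perl:5.30   # assumed tag
      # Without this override the container dies at start-up with the chdir error
      # quoted above: the image's WORKDIR is /root, which only root may enter.
      workingDir: /tmp
      command: ["perl", "-e", "print \"cwd ok\\n\"; sleep 3600"]
```

`workingDir` is the Kubernetes-side equivalent of setting `WORKDIR` in a downstream Dockerfile. `/` would also satisfy the `chdir`, since every user may enter it, but a directory the runtime user can write to (such as `/tmp`, or a mounted volume) is the better choice if the program opens files by relative path.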
We should not set `WORKDIR /root`. In my test images I already changed it to `/usr/src/app`, and now I remember that I wanted to create a PR for this repo.

As a workaround you can do the same in your Dockerfile, but in my opinion this should be solved here.
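The downstream workaround described in the comment above, as an added example rather than code from the issue or from the docker-perl repository: a Dockerfile that creates a non-root user, sets a `WORKDIR` that user can actually enter, hands it ownership of that directory, and verifies both at build time. The user name, the numeric UID/GID, the application path and `app.pl` are assumptions.

```dockerfile
# Added example, not from the original issue or the docker-perl repository.
# Assumptions: a downstream image based on the stock `perl` image, an unprivileged
# user "app" with fixed UID/GID 10001, and an application at /usr/src/app/app.pl.
FROM perl

# Fixed, non-zero UID/GID: stable ownership on volumes and network drives, and a
# value Kubernetes can check against runAsNonRoot without a runAsUser override.
RUN groupadd -r -g 10001 app \
 && useradd --no-log-init -r -u 10001 -g app -d /usr/src/app app

# WORKDIR creates the directory as root (USER has not been switched yet),
# so hand it to the runtime user explicitly; otherwise it is enterable but not writable.
WORKDIR /usr/src/app
RUN chown app:app /usr/src/app
COPY --chown=app:app . .

# Switch to the unprivileged user only after every step that needs root is done.
# A numeric USER is deliberate: with `USER app` the kubelet cannot prove the image
# is non-root and rejects the pod under runAsNonRoot unless runAsUser is also set.
USER 10001:10001

# Build-time check of what the bug report trips over at run time: the working
# directory must be enterable and writable by the runtime UID.
RUN test -w . && touch .write-test && rm .write-test

CMD ["perl", "app.pl"]
```

The `RUN test -w .` step fails the build, rather than the first `docker run` or pod start, if a later change reintroduces a `WORKDIR` the runtime user cannot use.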
Thanks @Setomidor and @Tekki for the issue and input!

We could also use `WORKDIR /` for this, since that path is always accessible by any user. That should be fine, and we can leave downstream Perl image users to set whatever they need later.
Line 302 in bad811d: `WORKDIR`

as required (e.g. as emphasized in official docs like https://docs.docker.com/get-started/part2/). Indeed this is more visible when altering `USER`, simply because `/root` is inaccessible by non-root users.

Dockerfiles have been updated, I'll put a PR in docker-library/official-images shortly.