Running as a host user within a Docker container

Robin Winslow picture Robin Winslow · Aug 23, 2017 · Viewed 12.2k times · Source

In my team we use Docker containers to locally run our website applications while we do development on them.

Assuming I'm working on a Flask app at app.py with dependencies in requirements.txt, a working flow would look roughly like this:

# I am "robin" and I am in the docker group
$ whoami
robin
$ groups
robin docker

# Install dependencies into a docker volume
$ docker run -ti -v `pwd`:`pwd` -w `pwd` -v pydeps:/usr/local python:3-slim pip install -r requirements.txt
Collecting Flask==0.12.2 (from -r requirements.txt (line 1))
# ... etc.

# Run the app using the same docker volume
$ docker run -ti -v `pwd`:`pwd` -w `pwd` -v pydeps:/usr/local -e FLASK_APP=app.py -e FLASK_DEBUG=true -p 5000:5000 python:3-slim flask run -h 0.0.0.0
 * Serving Flask app "app"
 * Forcing debug mode on
 * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 251-131-649

Now we have a local server running our application, and we can make changes to the local files and the server will refresh as needed.

In the above example, the application end up running as the root user. This isn't a problem unless the application writes files back into the working directory. If it does then we could end up with files (e.g. something like cache.sqlite or debug.log) in our working directory owned by root. This has caused a number of problems for users in our team.

For our other applications we've solved this by running the application with the host user's UID and GID - e.g. for a Django app:

$ docker run -ti -u `id -u`:`id -g` -v `pwd`:`pwd` -w `pwd` -v pydeps:/usr/local -p 8000:8000 python:3-slim ./manage.py runserver

In this case, the application will be running as a non-existent user with ID 1000 inside the container, but any files written to the host directory end up correctly owned by the robin user. This works fine in Django.

However, Flask refuses to run as a non-existent user (in debug mode):

$ docker run -ti -u `id -u`:`id -g` -v `pwd`:`pwd` -w `pwd` -v pydeps:/usr/local -e FLASK_APP=app.py -e FLASK_DEBUG=true -p 5000:5000 python:3-slim flask run -h 0.0.0.0
 * Serving Flask app "app"
 * Forcing debug mode on
 * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
Traceback (most recent call last):
...
  File "/usr/local/lib/python3.6/getpass.py", line 169, in getuser
    return pwd.getpwuid(os.getuid())[0]
KeyError: 'getpwuid(): uid not found: 1000'

Does anyone know if there's any way that I could either:

  • Make Flask not worry about the unassigned user-id, or
  • Somehow dynamically assign the user ID to a username at runtime, or
  • Otherwise allow the docker application to create files on the host as the host user?

The only solution I can think of right now (super hacky) is to change the permissions of /etc/passwd in the docker image to be globally writeable, and then add a new line to that file at runtime to assign the new UID/GID pair to a username.

Answer

Robert picture Robert · Aug 30, 2017

You can share the host's passwd file:

docker run -ti -v /etc/passwd:/etc/passwd -u `id -u`:`id -g` -v `pwd`:`pwd` -w `pwd` -v pydeps:/usr/local -p 8000:8000 python:3-slim ./manage.py runserver

Or, add the user to the image with useradd, using /etc as volume, in the same way you use /usr/local:

docker run -v etcvol:/etc python..... useradd -u `id -u` $USER

(Both id -u and $USER are resolved in the host shell, before docker receive the command)