Tags: docker, containers, podman

Variables in Dockerfile don't seem to be recognized?


I am building an image using a Dockerfile. I would like to set the username of the container via the command line to avoid permission issues.

The Dockerfile is shown below; I used the variables USER_NAME and GROUP_ID. But when I build, the problem keeps appearing. The error is: "groupadd: option '--gid' requires an argument". I'm guessing that both ${GROUP_ID} and ${USER_NAME} are recognized as empty strings, but shouldn't they be assigned values when the container is created? I've googled a few examples and, based on the examples, I don't quite see where the problem is.

Please help me! Thanks!

    FROM matthewfeickert/docker-python3-ubuntu:latest
    # Build-time variables; each one is empty unless docker build is given
    # a matching --build-arg NAME=value (no defaults are declared here)
    ARG USER_NAME
    ARG USER_ID
    ARG GROUP_ID

    RUN groupadd -r --gid ${GROUP_ID} ${USER_NAME}
    RUN useradd --no-log-init -r -g ${GROUP_ID} -u ${USER_ID} ${USER_NAME}

    USER ${USER_NAME}
    WORKDIR /usr/local/src

Solution

  • When you run the container, you can specify an arbitrary user ID with the docker run -u option.

    docker run -u 1003 ... my-image
    

    This doesn't require any special setup in the image. The user ID won't exist in the container's /etc/passwd file but there aren't really any consequences to this, beyond some cosmetic issues with prompts in interactive debugging shells.

    A typical use of this is to give your container access to a bind-mounted data directory:

    docker run \
      -e DATA_DIR=/data \
      -v "$PWD/app-data:/data" \
      -u $(id -u) \
      ... \
      my-image
    

    I'd generally recommend not passing a specific user ID into your image build. This would make the user ID "baked in", and if someone with a different host uid wanted to run the image, they'd have to rebuild it.

    It's often a good practice to set up some non-root user, but it doesn't matter what its user ID is so long as it's not zero. In turn, it's also typically a good practice to leave most of your application source code owned by the root user so that the application can't accidentally overwrite itself.

    FROM matthewfeickert/docker-python3-ubuntu:latest
    
    # Create an arbitrary non-root user; we don't care about its uid
    # or other properties
    RUN useradd --system user
    
    # Still as root, do the normal steps to install and build the application
    WORKDIR /app
    COPY requirements.txt ./
    RUN pip install -r requirements.txt
    COPY ./ ./
    
    # Still as root, make sure the data directory exists
    ENV DATA_DIR=/data
    RUN mkdir "$DATA_DIR" && chown user "$DATA_DIR"
    # VOLUME ["/data"]
    
    # Normal metadata to run the container, only switching users now
    EXPOSE 5000
    USER user
    CMD ["./app.py"]
    

    This setup will still work with the extended docker run command shown initially: the docker run -v option will cause the container's /data directory to take on its numeric uid owner from the host, which (hopefully) matches the docker run -u uid.
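An added example, not code from the question or the answer: a small Python linter that resolves ARG values the way docker build does (a --build-arg value, else the Dockerfile default, else empty) and reports every RUN/USER/ENV/WORKDIR line where a declared ARG expands to nothing, plus the resolved final USER so a reviewer can see whether the image ends up running as root. The names lint_build_args and QUESTION_DOCKERFILE are this example's own; the Dockerfile text is a copy of the one in the question.

```python
import re

# Constructed copy of the question's Dockerfile, used as sample input.
QUESTION_DOCKERFILE = """\
FROM matthewfeickert/docker-python3-ubuntu:latest
ARG USER_NAME
ARG USER_ID
ARG GROUP_ID

RUN groupadd -r --gid ${GROUP_ID} ${USER_NAME}
RUN useradd --no-log-init -r -g ${GROUP_ID} -u ${USER_ID} ${USER_NAME}

USER ${USER_NAME}
WORKDIR /usr/local/src
"""

ARG_RE = re.compile(r"^ARG\s+([A-Za-z_]\w*)(?:=(.*))?$", re.IGNORECASE)
VAR_RE = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")  # $NAME or ${NAME}; no ${NAME:-x} forms
EXPANDING = {"RUN", "USER", "ENV", "WORKDIR"}  # instructions whose ARG refs we check


def lint_build_args(dockerfile, build_args):
    """Resolve ARGs like `docker build` and flag references that expand to "".

    Each ARG takes the --build-arg value if supplied, else its Dockerfile
    default, else the empty string (the situation in the question).
    Simplifications of this hypothetical linter (it is not Docker's parser):
    single build stage, no ENV shadowing, no ${VAR:-default} syntax.
    Returns {"empty_refs": [(line, arg), ...], "final_user": resolved USER}.
    """
    values = {}          # ARG name -> effective value at this point in the file
    empty_refs = []      # (line number, ARG name) pairs that expand to ""
    final_user = "root"  # Docker's default when no USER instruction is present
    for lineno, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ARG_RE.match(line)
        if m:
            name, default = m.group(1), m.group(2)
            values[name] = build_args.get(name, "" if default is None else default)
            continue
        instr, _, rest = line.partition(" ")
        if instr.upper() not in EXPANDING:
            continue
        for var in VAR_RE.findall(rest):
            if var in values and values[var] == "":
                empty_refs.append((lineno, var))
        if instr.upper() == "USER":
            # Undeclared names expand to "" too, just as in the question's build
            final_user = VAR_RE.sub(lambda v: values.get(v.group(1), ""), rest).strip()
    return {"empty_refs": empty_refs, "final_user": final_user}
```

Running it on the question's Dockerfile with no build arguments lists both groupadd and useradd lines plus the USER line, which is exactly why groupadd complains that --gid has no argument.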