Rootless VS Code (dockerized)? - docker

Is there any method to install VS Code in a docker container as a web-based editor that can be run in a rootless mode (no sudo in container entrypoint scripts etc.)?
E.g. to run it in this scenario:
docker run -u 12345 --cap-drop=all repo/rootless-vscode

Here is an example of how it can be done with code-server.
Note that it needs root permissions to install the server, but runs it as newuser.
FROM ubuntu:22.04
RUN apt update
RUN apt install -y sudo curl
RUN curl -fsSL https://code-server.dev/install.sh | sh
RUN useradd -ms /bin/bash newuser
USER newuser
CMD [ "code-server", "--bind-addr", "0.0.0.0:8080" ]
For a more complete example, check out their code-server CI release Dockerfile.
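To confirm that a container started as in the question (`docker run -u 12345 --cap-drop=all ...`) has no root identity and no capabilities, the check below reads the `Uid`, `Gid` and `Cap*` lines of `/proc/<pid>/status`. It is an added example, not code from the question, the answer or the code-server project; the function names and the sample status text (including the bounding mask used in the demo) are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this process match `docker run -u 12345 --cap-drop=all`?

# Print the value columns of one "Field:" line from /proc/<pid>/status text.
status_field() {
    printf '%s\n' "$2" |
        awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# Read status text on stdin and print one finding per problem. Returns 0 only
# if no UID/GID slot is 0 and every capability set is empty.
audit_status() {
    status=$(cat)
    rc=0
    for field in Uid Gid; do
        ids=$(status_field "$field" "$status")   # real, effective, saved, fs
        [ -n "$ids" ] || { echo "FAIL $field missing"; rc=1; }
        for id in $ids; do
            if [ "$id" -eq 0 ]; then
                echo "FAIL $field contains 0 (root)"; rc=1; break
            fi
        done
    done
    for field in CapInh CapPrm CapEff CapBnd CapAmb; do
        mask=$(status_field "$field" "$status")
        case $mask in
            '')     echo "FAIL $field missing"; rc=1 ;;
            *[!0]*) echo "FAIL $field=$mask (expected all zeros)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample status text (not captured output).
# Args: uid/gid, permitted+effective mask, bounding mask.
sample_status() {
    printf 'Name:\tnode\n'
    printf 'Uid:\t%s\t%s\t%s\t%s\n' "$1" "$1" "$1" "$1"
    printf 'Gid:\t%s\t%s\t%s\t%s\n' "$1" "$1" "$1" "$1"
    printf 'CapInh:\t0000000000000000\nCapPrm:\t%s\nCapEff:\t%s\n' "$2" "$2"
    printf 'CapBnd:\t%s\nCapAmb:\t0000000000000000\n' "$3"
}

# Inside a real container: audit_status < /proc/self/status
# Demo: `-u 12345` without `--cap-drop=all` leaves a non-empty bounding set.
sample_status 12345 0000000000000000 00000000a80425fb | audit_status ||
    echo "container is not capability-free"
```

A non-root UID with a non-empty `CapBnd` still fails the check, because a setuid binary in the image (the Dockerfile above installs `sudo`) could regain those capabilities.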

Related

The user option doesn't seem to work when running linux containers on windows server 2019

I have this Dockerfile:
FROM ubuntu:bionic
RUN mkdir /usr/custom
ADD script.sh /usr/custom
RUN chmod =rx /usr/custom/script.sh
RUN useradd -ms /bin/bash -u 1001 someusr
USER someusr
WORKDIR /home/someusr
where script.sh (it is in the same directory as Dockerfile) contains:
#!/bin/bash
whoami
Build the image with:
docker image build --tag my_ubuntu_bionic:auto .
Then run it with:
docker run --rm --name ubl --user=1001 my_ubuntu_bionic:auto /usr/custom/script.sh
and it displays root.
How can I run the script as someusr? The --user parameter doesn't seem to have any effect (--user=someusr doesn't work).
Ultimately I want script.sh to execute in the context of a user that has minimum permissions. The solutions that I've seen on SO assume a linux host.
Versions:
Docker version 19.03.5, build 2ee0c57608
OS Name: Microsoft Windows Server 2019 Datacenter
Version: 10.0.17763 Build 17763
Thanks
You need to give someusr ownership of the folder where its script runs.
FROM ubuntu:bionic
RUN mkdir /usr/custom
ADD script.sh /usr/custom
RUN chmod +rx /usr/custom/script.sh
RUN useradd -ms /bin/bash -u 1001 someusr
RUN chown someusr -R /usr/custom
USER someusr
WORKDIR /home/someusr
I've tested this; it displays 'someusr'.
I ended up using the runuser command:
docker run --rm --name ubl --user=1001 my_ubuntu_bionic:auto runuser -l someusr -c whoami

Can't add jenkins-job-builder in jenkins docker image

I'm new to Docker. I want to create a Docker container with Newman, Jenkins and Jenkins-job-builder. Please help me.
I built a Docker image based on the official Jenkins image https://hub.docker.com/r/jenkins/jenkins.
I used a Dockerfile. The build was successful, and the Jenkins app also runs successfully.
After running Jenkins I opened the container as root
docker exec -u 0 -it jenkins bash
and tried to add a new job with jenkins-job-builder
jenkins-jobs --conf ./jenkins_jobs.ini update ./jobs.yaml
but I got bash: jenkins-jobs: command not found
Here is my Dockerfile:
FROM jenkins/jenkins
USER root
RUN curl -sL https://deb.nodesource.com/setup_8.x | bash
RUN apt-get -y install nodejs
RUN npm install -g newman
RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
RUN python get-pip.py
RUN pip install --user jenkins-job-builder
USER jenkins
When building your image, you get some warnings. Especially this one is interesting:
WARNING: The script jenkins-jobs is installed in '/root/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Simply remove the --user flag from RUN pip install --user jenkins-job-builder and you're fine.

Docker CMD ["cron","-f"] starting and locking the main process so that no further Docker cmd can run

So I have this Dockerfile:
FROM ubuntu:16.04
RUN apt-get update && apt-get -y install cron sudo watch vim
RUN useradd --create-home --shell /bin/bash mark
RUN mkdir /joel
COPY ./crontab_delete /joel
WORKDIR /joel
RUN ls -al
RUN cron -f
RUN crontab myCrontab
I then do docker exec --user mark -it CONTAINER_NAME bash and I can see that cron is running, but I then need to execute crontab myCrontab, which works from inside the container via docker exec... But if you put it as the last command, since I need to start cron in the foreground BEFORE running my crontab file, the docker build... hangs at RUN cron -f and doesn't allow the last command to run.
UPDATES
The linked post no longer works as of 2018; maybe someone has an updated Dockerfile they could share? The above Dockerfile doesn't start the cronjob for me, but when I do ps -aux | grep cron I can see that the cron service is running.

How to write docker file to run a docker run command inside an image

I have a shell script which creates and executes docker containers using docker run command. I want to keep this script in a docker image and want to run this shell script. I know that we cannot run docker inside a container. Is it possible to create a docker file to achieve this?
Dockerfile:
FROM ubuntu:latest
RUN apt-get update && apt-get install -y vim-gnome curl
RUN curl -L https://raw.githubusercontent.com/xyz/abx/test/testing/testing_docker.sh -o testing_docker.sh
RUN chmod +x testing_docker.sh
CMD ["./testing_docker.sh"]
testing_docker.sh:
docker run -it docker info (sample command)

How can I run two commands in CMD or ENTRYPOINT in Dockerfile

In the Dockerfile builder, ENTRYPOINT and CMD run a single command, using /bin/sh -c behind the scenes.
Is there any simple solution to run two commands without an extra script?
In my case, I want to set up docker in docker on a jenkins slave node, so I pass the docker.sock into the container, and I want to change its permissions so that it can be used by a normal user; this has to be done before the sshd command.
The normal user is something like jenkins, which will log in to the container via the ssh command.
$ docker run -d -v /var/run/docker.sock:/docker.sock larrycai/jenkins-slave
In the larrycai/jenkins-slave Dockerfile, I hope to run
CMD chmod o+rw /docker.sock && /usr/sbin/sshd -D
Currently jenkins is given sudo permission, see larrycai/jenkins-slave
I run docker in docker in a jenkins slave:
First: my slave knows how to run docker.
Second: I prepared a docker image that knows how to run docker in docker. See this fragment of the Dockerfile:
RUN echo 'deb [trusted=yes] http://myrepo:3142/get.docker.io/ubuntu docker main' > /etc/apt/sources.list.d/docker.list
RUN apt-get update -qq
RUN apt-get install -qqy iptables ca-certificates lxc apt-transport-https lxc-docker
ADD src/wrapdocker /usr/local/bin/wrapdocker
RUN chmod +x /usr/local/bin/wrapdocker
VOLUME /var/lib/docker
Third: The jenkins job running in this slave contains a .sh file with a set of commands to run over the app code, like:
export RAILS_ENV=test
# Bundle install
bundle install
# spec_no_rails
bundle exec rspec spec_no_rails -I spec_no_rails
bundle exec rake db:migrate:reset
bundle exec rake db:test:prepare
etc...
Fourth: one "run shell" step in the job with something like this:
docker run --privileged -v /etc/localtime:/etc/localtime:ro -v `pwd`:/code myimagewhorundockerindocker /bin/bash -xec 'cd /code && ./myfile.sh'
--privileged is necessary to run docker in docker
-v /etc/localtime:/etc/localtime:ro to synchronize the host clock with the container clock
-v `pwd`:/code to share the jenkins workspace (app code), previously cloned from VCS, with /code inside the container
Note: if you have service dependencies you can use fig with a similar strategy.
