How To Run Cron As Non Root In Alpine

Question

I am trying to run a container with the following scripts:

Dockerfile

FROM alpine:latest

USER root

RUN apk update \
    && apk upgrade \
    && apk --no-cache add busybox-suid su-exec
RUN chmod u+s /sbin/su-exec

RUN groupadd -r -g 2001 myuser \
    && useradd -r -u 1001 -g myuser myuser

RUN mkdir /home/myuser \
    && chown myuser /home/myuser

COPY --chown=myuser:myuser entrypoint.sh /home/myuser/entrypoint.sh
COPY --chown=myuser:myuser cronjob /home/myuser/cronjob

USER myuser

RUN crontab /home/myuser/cronjob
WORKDIR /home/myuser
ENTRYPOINT["./entrypoint.sh"]

entrypoint.sh

#!/bin/sh

# Start cron daemon.
su-exec root crond -f -l 8

# Start application.

I have read that elevating privileges is not good practice. Therefore, I wish to eliminate usage of su-exec + chmod u+s /sbin/su-exec in my script. I tried su and sudo as well but they were asking for root password so I switched to su-exec instead. I needed to elevate privilege because crond does not run properly without starting it as root. This container will be run in Kubernetes.

Is there a better way to do this?

score 3 · Accepted Answer · answered Jul 27 '20 at 07:47

3

crond is now running as myuser after following the answer below.

https://github.com/gliderlabs/docker-alpine/issues/381#issuecomment-621946699

Dockerfile

FROM alpine:latest

USER root

RUN apk update \
    && apk upgrade \
    && apk --no-cache add dcron libcap

RUN groupadd -r -g 2001 myuser \
    && useradd -r -u 1001 -g myuser myuser

RUN mkdir /home/myuser \
    && chown myuser /home/myuser

RUN chown myuser:myuser /usr/sbin/crond \
    && setcap cap_setgid=ep /usr/sbin/crond

COPY --chown=myuser:myuser cronjob /home/myuser/cronjob
RUN crontab /home/myuser/cronjob

COPY --chown=myuser:myuser entrypoint.sh /home/myuser/entrypoint.sh

USER myuser

WORKDIR /home/myuser
ENTRYPOINT["./entrypoint.sh"]

entrypoint.sh

#!/bin/sh

# Start cron daemon.
crond -b -l 8

# Start application.

answered Jul 27 '20 at 07:47

Ryklon Zen

173
1
3
19

5

When I try this kind of solution I get `setpgid: Operation not permitted`. – And Finally Apr 14 '21 at 19:16
As I understood there is an issue when using non root account as answered here https://stackoverflow.com/a/45280550/5689995 . There is a solution offered to start using alternative instead of Crontab for containers. – laimison Jul 04 '21 at 22:03
As a workaround for the `Operation not permitted` issue, I run `crond` as non-1 PID by using an entrypoint script [as described here](https://github.com/dubiousjim/dcron/issues/13#issuecomment-340382335). It works. – Lenar Hoyt Mar 15 '22 at 12:19

score 1 · Answer 2 · answered Jul 24 '20 at 09:59

Don't know what you are trying to achive but I would do it on OS-level.

You can create a cronjob to execute something in your container is this would help. Try to use something like this:

/usr/bin/docker exec <container_name> <command>

When you would like to have some logging you could do:

/usr/bin/docker exec <container_name> <command> > <path_to_log>

How To Run Cron As Non Root In Alpine

2 Answers2