Create containers as another user than 'root' (Docker's '--user' option)


#1

Hello everyone,

Thank you for the great job with ShinyProxy, I really like it!
I had some ups and downs setting up my server and apps, but usually I found a solution somewhere on the Internet. But now I’m quite lost: my Shiny app is writing some output to a mounted disk. Unfortunately, all files belong to root:root (I know, this is expected Docker behaviour); I would like them to belong to my_user:my_group. This could be done if I started the app containers with the ‘--user my_user:my_group’ option. I tried this setting (see below), but it was not working.

  - name: my_app
    display-name: My great app
    docker-user: my_user:my_group
    docker-cmd: ["R", "-e shiny::runApp('/root/my_app')"]
    docker-image: my_apps/my_app
    docker-volumes: [ "/home/my_user/tables:/root/my_app/tables" ]

What do you think? Can anyone help me with this?


#2

Hi @incivile,

Indeed, ShinyProxy does not support the --user argument. Have you tried using the USER instruction in the Dockerfile instead?


#3

Hi @fmichielssen

I’m actually facing the same situation here. I would like to use another user rather than root just for safety reasons. Is there any specific reason that the --user option is not supported in the application.yml? I feel it will be quite useful.

Thanks


#4

Hi @incivile

I don’t know if you still need a solution to your question.

So in Docker containers, the username and group name are not important, but the uid and gid are.
In your case, you want all the files written by your app to belong to a user on the host machine. To do this, you will need the user’s uid. Say you’re running ShinyProxy on a Linux host, then you can get a user’s uid by typing id username on your host machine. The output will be like uid=10xxx(foo) gid=1xxx(bar) groups=xxxxxxx. What you want is the value of uid. Once you get that, in your app code, after all the work is done, run something like system(paste("chown -R", uid, resultDir)). This will change the owner of the directory and all the files in it to the user corresponding to the specified uid. If it’s just one file, just turn the -R switch off.

But I don’t think this is a very good solution since using ‘root’ can be very dangerous. I’m also hoping that the docker container run --user option can be set directly from shinyproxy config. As @fmichielssen suggested, you can set the USER in Dockerfile to achieve this.
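
A host-side check for the situation discussed in this thread, as an added example that is not part of any post: it resolves a host account to the numeric uid:gid a container actually uses and lists anything under the mounted directory that is owned by someone else (for example root:root files written by the app). The function names are hypothetical; the path and account in the usage comment are the ones from the first post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage: sh audit_mount.sh /home/my_user/tables my_user

# Print "uid:gid" for a host account. A container only sees these numbers;
# the names my_user and my_group need not exist inside the image.
host_ids() {
    uid=$(id -u "$1") || return 1
    gid=$(id -g "$1") || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# List entries under directory $1 not owned by uid $2 or not in gid $3.
# find(1) treats a numeric -user/-group value as an id when no account has
# that name. Empty output means the whole tree has the expected owner.
foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Exit status: 0 = tree is clean, 1 = foreign-owned entries found
# (typically root:root files written by the container), 2 = unknown account.
audit_mount() {
    expected=$(host_ids "$2") || { echo "unknown user: $2" >&2; return 2; }
    bad=$(foreign_owned "$1" "${expected%%:*}" "${expected##*:}")
    [ -z "$bad" ] && return 0
    printf 'not owned by %s (%s):\n%s\n' "$2" "$expected" "$bad" >&2
    return 1
}

if [ "$#" -eq 2 ]; then
    audit_mount "$1" "$2"
fi
```

The uid:gid pair printed by host_ids is also a form the Dockerfile USER instruction accepts, so the same numbers can be used there.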