
Run cron as non root user

Open ankur1000 opened this issue 7 years ago • 10 comments

I want to create a cronjob as non-root user and without sudo. How do I create a cronjob for the same?

ankur1000 avatar Feb 09 '18 10:02 ankur1000

I have a non-privileged user nginx. At the docker build stage I put a crontab file in /etc/crontabs/nginx.

Remember: crond should be started as root at all times.

inl-pd-autotest avatar Jul 04 '18 16:07 inl-pd-autotest

Remember: crond should be started as root at all times.

@inl-pd-autotest it's really bad news because it prevents the usage on OpenShift, where containers start with non-root random users.

Is there any workaround to do so on OpenShift, or should we find crond alternatives for in-container cronjobs?

amirmasud avatar Aug 11 '18 10:08 amirmasud

I have the same problem on OpenShift, cron daemon dies with "seteuid: Operation not permitted" (probably because file systems are mounted with nosuid option) and the provider I use will not allow root containers to run. Is there any workaround to run cron daemon as non-root user?

AleksanderGrzybowski avatar Sep 18 '18 10:09 AleksanderGrzybowski

Hello team,

I am also facing the same issue. Please provide something or some workaround to be used until the Alpine community includes it in the next updates.

sachingupta771 avatar Feb 13 '19 07:02 sachingupta771

For the record, on OpenShift I ended up replacing our old cron-powered scripts with Kubernetes CronJobs and rewrote some parts of the initialization script code to work when invoked via CronJob. It works okay-ish; the downsides are mainly unpredictability in schedule time (it needs to create a pod, download the image on a random node etc., which may take a minute or two) and the fact that logs from jobs aren't in one place without some clever aggregation. Aside from that, it's better :)

AleksanderGrzybowski avatar Feb 13 '19 07:02 AleksanderGrzybowski

You might want to take a look at https://github.com/aptible/supercronic — it should be a plug-and-play replacement for cron (just point it at your crontab), but it plays a bit nicer with containers (it won't try to change users, and won't daemonize).

Disclaimer: I'm a contributor to Supercronic :)

krallin avatar Feb 14 '19 08:02 krallin

Just coded the fix for alpine (busybox) linux, published the patched alpine dockers, as below:

geekidea/alpine-cron:3.7
geekidea/alpine-cron:3.8
geekidea/alpine-cron:3.9

see more: https://github.com/inter169/systs/blob/master/alpine/crond/README.md

inter169 avatar Mar 15 '19 12:03 inter169

As @inter169 says, you need to allow CAP_SETGID to run crond as a user. This can be a security issue if it is set on the whole busybox binary, but you can use the dcron package instead of busybox's builtin crond and set CAP_SETGID just on that program. Here is what you need to add for Alpine, using nobody as the running user:

USER root
# crond needs root, so install dcron and cap package and set the capabilities 
# on dcron binary https://github.com/inter169/systs/blob/master/alpine/crond/README.md
RUN apk add --no-cache dcron libcap && \
    chown nobody:nobody /usr/sbin/crond && \
    setcap cap_setgid=ep /usr/sbin/crond

USER nobody

erseco avatar Apr 30 '20 16:04 erseco
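
An added example, not part of any comment in this thread or of the docker-alpine project: a build-time check for the concern raised above, that a capability meant for crond ends up on the shared busybox binary. It assumes BusyBox applets are installed as links to a single `busybox` executable; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are illustrative, not from any project.

# Resolve a path through all symlinks to the file that is actually executed.
# File capabilities are read from that file, not from the link.
resolve_target() {
    readlink -f "$1"
}

# Print "shared" if the path resolves to a BusyBox multi-call binary,
# "dedicated" if it is its own file, "missing" if nothing is there.
classify_cap_target() {
    target=$(resolve_target "$1") || { echo missing; return 0; }
    [ -e "$target" ] || { echo missing; return 0; }
    case "$(basename "$target")" in
        busybox|busybox.*) echo shared ;;
        *)                 echo dedicated ;;
    esac
}

# Report on one cron binary; return 1 when a capability placed on it
# would be inherited by every BusyBox applet.
audit_cron_binary() {
    kind=$(classify_cap_target "$1")
    rc=0
    case "$kind" in
        shared)
            echo "WARN: $1 is $(resolve_target "$1"); a file capability here applies to all applets"
            rc=1 ;;
        dedicated)
            echo "OK: $1 is a standalone binary" ;;
        missing)
            echo "SKIP: $1 not found" ;;
    esac
    # Show the capabilities currently set, if libcap's getcap is installed.
    if [ "$kind" != missing ] && command -v getcap >/dev/null 2>&1; then
        getcap "$(resolve_target "$1")" || true
    fi
    return "$rc"
}

# Audit every path given on the command line, e.g. /usr/sbin/crond.
status=0
for p in "$@"; do
    audit_cron_binary "$p" || status=1
done
```

Calling `audit_cron_binary /usr/sbin/crond` in a `RUN` step after `setcap` makes the image build fail if the capability landed on the multi-call binary instead of dcron's own executable.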

I'm using https://github.com/gjcarneiro/yacron as an alternative

doug1n avatar May 14 '21 01:05 doug1n