Unable to run container using non-root user
I am trying to run the docker-openldap container with the non-root user openldap.
- Logged in to the host system as user openldap:
    $ id
    uid=1002(openldap) gid=1002(openldap) groups=1002(openldap),0(root),982(docker)
- Started the openldap container:
    $ docker run --name openldap1 -p 1636:636 -h docker_container2.local -e LDAP_OPENLDAP_UID=1002 -e LDAP_OPENLDAP_GID=1002 -e LDAP_TLS_VERIFY_CLIENT=allow -e LDAP_DOMAIN=trialorg.local -e LDAP_ADMIN_PASSWORD=dmanager -e LDAP_CONFIG_PASSWORD=dconfig -e LDAP_BASE_DN=o=trialorg.local -e LDAP_ORGANISATION=test --detach osixia/openldap:1.4.0 --loglevel debug
- The debug log contains the details below:
    openldap user and group adjustments
    get current openldap uid/gid info inside container
    CUR_USER_UID (911) does't match LDAP_OPENLDAP_UID (1002), adjusting...
    CUR_USER_GID (911) does't match LDAP_OPENLDAP_GID (1002), adjusting...
    openldap GID/UID
    User uid: 1002
    User gid: 1002
    uid/gid changed: true
    updating file uid/gid ownership
- Went into the container and checked the user id:
    $ docker exec -it openldap1 bash
    root@docker_container2:/# id
    uid=0(root) gid=0(root) groups=0(root)
- Checked process status:
    root@docker_container2:/# ps -eaf
    UID        PID  PPID  C STIME TTY          TIME CMD
    root         1     0  0 20:23 ?        00:00:00 /usr/bin/python3 -u /container/tool/run --loglevel debug
    openldap   518     1  0 20:23 ?        00:00:00 /usr/sbin/slapd -h ldap://docker_container2.local:389 ldaps://docker_container2.local:636 ldapi:/// -u openldap
- Checked the openldap UID:
    root@docker_container2:/# id openldap
    uid=1002(openldap) gid=1002(openldap) groups=1002(openldap)
As shown above, the slapd service is running as user 'openldap', with the same uid and gid as on the host, but the container itself is starting as user root. Is there any option to change the uid in step 4 to 1002 (the uid of openldap)? I tried using the --user option, but the container does not start; I get the messages below in the logs:
    *** CONTAINER_LOG_LEVEL = 4 (debug)
    *** Run commands before finish...
    *** Killing all processes...
Any assistance you can provide would be greatly appreciated.
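The check the reporter performs by eye in the ps listing (is the exposed service process running as the unprivileged user, and which processes still run as root?) can be scripted. The following is an added example, not code from the issue or from the docker-openldap project: it parses `ps -eaf` output, which has seven fixed columns before a CMD column that may contain spaces, and reports per-process users. The sample listing is the one pasted above; the function names and the Proc type are my own.

```python
"""Parse `ps -eaf` output and report which processes run as which user.

Added example (not part of the issue or the docker-openldap image).
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    cmd: str


def parse_ps_eaf(text: str) -> List[Proc]:
    """Parse the 8-column `ps -eaf` layout: UID PID PPID C STIME TTY TIME CMD.

    Only CMD can contain whitespace, so each line is split at most 7 times
    and the remainder is kept verbatim as the command line.
    """
    procs = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # malformed or truncated line, skip it
        procs.append(Proc(user=fields[0], pid=int(fields[1]),
                          ppid=int(fields[2]), cmd=fields[7]))
    return procs


def root_processes(procs: List[Proc]) -> List[Proc]:
    """Processes whose effective user is root."""
    return [p for p in procs if p.user == "root"]


def service_runs_as(procs: List[Proc], binary: str, user: str) -> bool:
    """True if at least one process runs `binary` and all of them run as `user`."""
    matches = [p for p in procs if p.cmd.split()[0] == binary]
    return bool(matches) and all(p.user == user for p in matches)


def parent_user(procs: List[Proc], pid: int) -> str:
    """User of the parent of `pid` ('' if the parent is not in the listing)."""
    by_pid = {p.pid: p for p in procs}
    proc = by_pid.get(pid)
    if proc is None or proc.ppid not in by_pid:
        return ""
    return by_pid[proc.ppid].user


# Constructed sample: the listing from the issue report, as pasted.
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 20:23 ?        00:00:00 /usr/bin/python3 -u /container/tool/run --loglevel debug
openldap   518     1  0 20:23 ?        00:00:00 /usr/sbin/slapd -h ldap://docker_container2.local:389 ldaps://docker_container2.local:636 ldapi:/// -u openldap
"""

if __name__ == "__main__":
    procs = parse_ps_eaf(PS_OUTPUT)
    for p in procs:
        print(f"pid={p.pid:>5} user={p.user:<9} cmd={p.cmd}")
    print("slapd runs as openldap:",
          service_runs_as(procs, "/usr/sbin/slapd", "openldap"))
    print("processes still running as root:",
          [p.pid for p in root_processes(procs)])
```

Run inside the container (or against saved `ps -eaf` output) this makes the situation in the report explicit: slapd itself has dropped to openldap, while its parent, the image's entrypoint (PID 1), is the only process left running as root.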
I have exactly the same problem because in our environment we are not allowed to run Docker containers as root.
Same here, because of our Kubernetes security configuration.
Same for me. It would be nice to have a way to run this image as non-root.
Looks like the base image can't be used as a non-root user:
    root@8d3c488a89dd:/# su openldap /container/tool/run
    /container/tool/run: 4: /container/tool/run: import: not found
    /container/tool/run: 5: /container/tool/run: from: not found
    /container/tool/run: 7: /container/tool/run: Syntax error: "(" unexpected
    root@8d3c488a89dd:/# ls /usr/bin/python3
    /usr/bin/python3
    root@8d3c488a89dd:/# su openldap /usr/bin/python3 /container/tool/run
    [unprintable binary output]python3: 4: /usr/bin/python3: [unprintable binary output]: not found
    /usr/bin/python3: 1: /usr/bin/python3: cannot create [unprintable binary output]: Directory nonexistent
    /usr/bin/python3: 1: /usr/bin/python3: ELF: not found
    /usr/bin/python3: 2: /usr/bin/python3: Syntax error: Unterminated quoted string
    root@8d3c488a89dd:/#
Sadly I'm not a Python guy, so I have no clue why it's working as root but not as the openldap user.