Alpine Linux add user to group

How do I add a user when I’m using Alpine as a base image?

I’m using alpine (or an image that is based on Alpine) as the base image in my Dockerfile. Which instructions do I need to add to create a user? Eventually I’ll use this user to run the application I’ll place into the container so that the root user does not.

3 Answers

Alpine uses the commands adduser and addgroup for creating users and groups (rather than useradd and usergroup).

    FROM alpine:latest

    # Create a group and user
    RUN addgroup -S appgroup && adduser -S appuser -G appgroup

    # Tell docker that all future commands should run as the appuser user
    USER appuser

The flags for adduser are:

    Usage: adduser [OPTIONS] USER [GROUP]

    Create new user, or add USER to GROUP

            -h DIR          Home directory
            -g GECOS        GECOS field
            -s SHELL        Login shell
            -G GRP          Group
            -S              Create a system user
            -D              Don't assign a password
            -H              Don't create home directory
            -u UID          User id
            -k SKEL         Skeleton directory (/etc/skel)

Or alternatively, you can replace the whole snippet above using this: USER 405 which is the guest user within Alpine Linux.

I’d go with creating a new user because I want that user to have the same UID/GID as the one on the host OS, so that there’s no permission issue when running docker in Linux. (not an issue with macOS/Windows users)

Note that since Alpine is based on BusyBox, its adduser and addgroup commands are different from adduser and addgroup as provided by Debian and Ubuntu, which in turn are front ends to useradd and groupadd. Notably, the Debian and Ubuntu commands only support long form options. See: manpages.debian.org/stretch/adduser/adduser.8.en.html

The commands are adduser and addgroup.

Here’s a template for Docker you can use in busybox environments (alpine) as well as Debian-based environments (Ubuntu, etc.):

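    ENV USER=docker
    ENV UID=12345
    ENV GID=23456

    # --ingroup needs an existing group, so create it first with the GID set above
    RUN addgroup --gid "$GID" "$USER" \
     && adduser \
        --disabled-password \
        --gecos "" \
        --home "$(pwd)" \
        --ingroup "$USER" \
        --no-create-home \
        --uid "$UID" \
        "$USER"
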
  • --disabled-password prevents prompt for a password
  • --gecos "" circumvents the prompt for "Full Name" etc. on Debian-based systems
  • --home "$(pwd)" sets the user’s home to the WORKDIR. You may not want this.
  • --no-create-home prevents cruft getting copied into the directory from /etc/skel

The usage description for these applications is missing the long flags present in the code for adduser and addgroup.

The following long-form flags should work both in alpine as well as debian-derivatives:

adduser

    BusyBox v1.28.4 (2018-05-30 10:45:57 UTC) multi-call binary.

    Usage: adduser [OPTIONS] USER [GROUP]

    Create new user, or add USER to GROUP

            --home DIR           Home directory
            --gecos GECOS        GECOS field
            --shell SHELL        Login shell
            --ingroup GRP        Group (by name)
            --system             Create a system user
            --disabled-password  Don't assign a password
            --no-create-home     Don't create home directory
            --uid UID            User id

One thing to note is that if --ingroup isn’t set then the GID is assigned to match the UID. If the GID corresponding to the provided UID already exists, adduser will fail.

addgroup

    BusyBox v1.28.4 (2018-05-30 10:45:57 UTC) multi-call binary.

    Usage: addgroup [-g GID] [-S] [USER] GROUP

    Add a group or add a user to a group

            --gid GID  Group id
            --system   Create a system group

I discovered all of this while trying to write my own alternative to the fixuid project for running containers as the host’s UID/GID.

The intent is to prepend that script as the first argument to ENTRYPOINT which should cause Docker to infer UID and GID from a relevant bind mount.

An environment variable "TEMPLATE" may be required to determine where the permissions should be inferred from.

(At the time of writing I don’t have documentation for my script. It’s still on the todo list!!)
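
One way to do what this answer describes, as an added example that is not the author's script: read the owner of the bind-mounted path and derive the BusyBox commands for a matching account. The account name app, the function names and the refusal to run for a root-owned path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the answer's script: plan a run-as account whose IDs match
# the owner of a bind-mounted path. Commands are printed, not executed.
# TEMPLATE follows the answer's variable name; the account name "app" is hypothetical.

# owner_ids PATH -> "UID:GID" of PATH (stat -c as in GNU coreutils and BusyBox)
owner_ids() { stat -c '%u:%g' "$1"; }

# name_for_id FILE ID -> name of the passwd/group entry that uses ID, empty if free
name_for_id() { awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"; }

# plan_account PASSWD GROUP UID GID NAME -> BusyBox commands, one per line.
# -G is always passed, so adduser never tries to create a group with GID == UID.
plan_account() {
    p_file=$1 g_file=$2 want_uid=$3 want_gid=$4 name=$5
    if [ "$want_uid" -eq 0 ]; then
        echo "refusing: TEMPLATE is owned by root" >&2
        return 1
    fi
    grp=$(name_for_id "$g_file" "$want_gid")
    if [ -z "$grp" ]; then            # GID is free: create a group for it
        grp=$name
        echo "addgroup -g $want_gid $grp"
    fi                                # GID taken: reuse that group by name
    usr=$(name_for_id "$p_file" "$want_uid")
    if [ -z "$usr" ]; then
        echo "adduser -D -H -u $want_uid -G $grp $name"
    else                              # UID taken: run as the existing account
        echo "# UID $want_uid already belongs to $usr"
    fi
}

# Demo: plan for the owner of TEMPLATE (default: current directory)
ids=$(owner_ids "${TEMPLATE:-.}")
plan_account /etc/passwd /etc/group "${ids%%:*}" "${ids##*:}" app || true
```
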


usermod equivalent for Alpine Linux

You should be able to use the built-in addgroup command to add the user to a given group:

    $ addgroup --help
    BusyBox v1.29.3 (2019-01-24 07:45:07 UTC) multi-call binary.

    Usage: addgroup [-g GID] [-S] [USER] GROUP

    Add a group or add a user to a group

            -g GID  Group id
            -S      Create a system group

So running addgroup USER GROUP should update /etc/groups without needing to edit the file directly.

Zak

Updated on September 18, 2022

Comments

I’m building a Docker container, and I need to add my user to a group. usermod is not available in Alpine Linux by default. Apparently, you can add shadow from apk to install usermod, but I would prefer to not install additional packages. Is there an alternative way to add a user to a group, or an equivalent tool to usermod available in Alpine?


Giacomo1968


@davidgo Some people don’t know you can just edit it like that but it’s a good solution. Would need to be scriptable via sed or something like that.

Marco Dufal

shadow (apk --no-cache add shadow) is a very viable alternative if you need to retain exact host uid/gid and have no chance to the default commands adduser and addgroup do not support the --non-unique (allow to create users with duplicate (non-unique) UID) flag. Only weighs less than 10MiB for those concerned about space consumption.


User:Przemoc/Todo/Users and groups for AL 3.4

What I wanted to do and did before AL 3.4 release and some fixing done afterwards.

Pre-install/upgrade scripts

Improvements

Make all packages create only system users and groups

(MOSTLY DONE) Call adduser and addgroup with -S option in pre-install/upgrade scripts. It’s mostly done already and only mostly, because 1) some new packages might have been added that aren’t using -S yet and 2) it introduced problems, which aren’t fully fixed yet.

System user creation doesn’t add a same-named group and uses nogroup as primary group unless explicitly specified via -G.

It means that system user creation (adduser with -S option present) differs from normal user creation (adduser without -S option) in more ways than the range of used UIDs and the default GECOS field.

Normal user, when created via adduser, gets its own automatically created group, and this group becomes primary group of that user. Group creation can be avoided if -G option is used, but then already existing group has to be provided there.

System user, when created via adduser, never gets its own automatically created group and by default primary group of that user becomes group called nogroup, unless -G option is used to provide other already existing group.

* ccc056dbf9d3 Add lacking -S option (system) to adduser/addgroup in scripts. [2016-04-25]

Corrections

Fix problems introduced by adding -S to adduser

(MOSTLY DONE) I somehow overlooked the different adduser behavior explained in the above note, and thus my sole adding of -S to adduser calls in commit ccc056dbf9d3 (i.e. without proper -G option and preceding addgroup call when needed) proved to be drastic in effects, i.e. status quo has not been preserved, because primary groups of those users in new Alpine Linux installations have been changed. Alpine Linux 3.4.0 is affected by this.

Lesson relearned. Beware of such small and allegedly "cosmetic" changes!

Pre-install/upgrade scripts are already mostly fixed in master branch of aports repository.


Packages creating users that were badly touched by commit ccc056dbf9d3 and should have been already fixed:

  • community/caddy
  • community/domoticz
  • community/oscam
  • community/syncthing
  • main/apache2
  • main/aports-build
  • main/atheme-iris
  • main/clamav
  • main/clamsmtp
  • main/coova-chilli
  • main/dhcp
  • main/djbdns
  • main/dovecot
  • main/ez-ipupdate
  • main/fetchmail
  • main/freeswitch
  • main/gitolite
  • main/gnats
  • main/gross
  • main/icecast
  • main/lighttpd
  • main/memcached
  • main/ngircd
  • main/nrpe
  • main/openntpd
  • main/postgrey
  • main/snort
  • main/squid
  • main/transmission
  • main/znc
  • testing/at
  • testing/dbmail
  • testing/dspam
  • testing/opensips
  • testing/pdns
  • testing/qpage
  • testing/rrdbot
  • testing/wt

My commits fixing them are:

* 1de4b02204f7 main/lighttpd: Fix lighttpd user's primary group. [2016-06-03]
* f27dface22b3 testing/at: Properly set primary group in .pre-install. [2016-06-07]
* 40521bdafd3c main/dovecot: Properly set primary group in .pre-install. [2016-06-07]
* 3c1fa46624bd main/: Properly set primary group in .pre-install. [2016-06-07]
* a7d67c695ca2 main/[various]: Add group and use it as primary in .pre-* scripts. [2016-06-07]
* 5708404c50a7 community/[various]: Add group and use it as primary in .pre-* scripts. [2016-06-07]
* a835b6916533 testing/[various]: Add group and use it as primary in .pre-* scripts. [2016-06-07]

They are (apart from the first one) part of patch set:

Patches for main and community are already cherry-picked in 3.4-stable branch as of 2016-06-20.

Following packages were overlooked before:

* 94e0b0631f37 testing/[various]: Add group and use it as primary in .pre-* scripts. [2016-06-20]

Fix problems for those who already installed above mentioned packages in Alpine Linux 3.4.0

Fixes in previous sections work only for people that haven’t installed above mentioned packages within Alpine Linux 3.4.0. Even package removal and reinstallation is not enough, because old entries in /etc/passwd and /etc/group remain. You can remove these old entries before reinstallation using deluser, but before that you have to find all the files owned by that user (find / -user NAME) to fix ownership after package reinstallation, as group id will change and user id may change.

We cannot and shouldn’t do such invasive changes in automatic way during upgrade.

I wanted to at least add missing groups and add users to them via upgrades in AL 3.4. (Mind that such users’ primary group will not be changed either, i.e. from nogroup, because user could have changed it on her/his own.) But there wasn’t much interest, even though I provided some patches, like for below examples (so called AL 3.4 band-aids for ccc056dbf9d3 in .pre-* script).

Examples of known problems for people upgrading from Alpine Linux 3.4.0:

  • main/apache2: No apache group. (Default config uses apache:apache, so daemon won’t start.)
  • main/lighttpd: No lighttpd group.

I consider this topic in the context of AL 3.4 closed.
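
The adduser -S behaviour and the band-aid described above can be checked on any passwd/group pair, for example one copied out of an image. The following is an added example, not code from the aports repository: it lists accounts whose primary group is nogroup and prints the addgroup commands that add the missing group and membership. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts left with "nogroup" as primary group, i.e. the
# result of `adduser -S NAME` without `-G`. All sample data below is constructed.

make_sample() {   # write constructed passwd/group files into directory $1
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
apache:x:100:65533:apache:/var/www:/sbin/nologin
lighttpd:x:101:65533:lighttpd:/var/www/localhost/htdocs:/sbin/nologin
squid:x:102:65533:squid:/var/cache/squid:/sbin/nologin
appuser:x:103:103:appuser:/home/appuser:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root
squid:x:101:
appgroup:x:103:
nogroup:x:65533:
EOF
}

# nogroup_accounts PASSWD GROUP -> "USER no-group" when no same-named group
# exists, "USER has-group" when one exists but is not the primary group.
nogroup_accounts() {
    awk -F: '
        FNR == NR { gid[$1] = $3; next }               # first file: group
        ("nogroup" in gid) && $4 == gid["nogroup"] {   # second file: passwd
            print $1, (($1 in gid) ? "has-group" : "no-group")
        }
    ' "$2" "$1"
}

# bandaid_commands PASSWD GROUP -> commands that add the missing group and the
# membership; the primary group in passwd is deliberately left alone.
bandaid_commands() {
    nogroup_accounts "$1" "$2" | while read -r user state; do
        if [ "$state" = no-group ]; then echo "addgroup -S $user"; fi
        echo "addgroup $user $user"
    done
}

d=$(mktemp -d)
make_sample "$d"
nogroup_accounts "$d/passwd" "$d/group"
bandaid_commands "$d/passwd" "$d/group"
rm -rf "$d"
```
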
