Docker-alpine: Run cron as non root user

Created on 9 Feb 2018 · 9 Comments · Source: gliderlabs/docker-alpine

I want to create a cronjob as non-root user and without sudo. How do I create a cronjob for the same?

All 9 comments

I have a non-privileged user nginx.
On docker build stage I put a crontab file to /etc/crontabs/nginx.

Remember: crond should be started as root at all times.

> Remember: crond should be started as root at all times.

@inl-pd-autotest
it's really bad news because it prevents the usage on openshift where containers start with non-root random users.

Is there any workaround to do so on OpenShift, or should we find crond alternatives for inside-container cronjobs?

I have the same problem on OpenShift, cron daemon dies with "seteuid: Operation not permitted" (probably because file systems are mounted with nosuid option) and the provider I use will not allow root containers to run. Is there any workaround to run cron daemon as non-root user?

Hello team,

I am also facing the same issue. Please provide something or some workaround to be used until the Alpine community includes it in the next updates.

For the record, on OpenShift I ended up replacing our old cron-powered scripts with Kubernetes CronJobs and rewrote some parts of the initialization script code to work when invoked via CronJob. It works okay-ish; the downsides are mainly unpredictability in schedule time (it needs to create a pod, download the image on a random node etc., which may take a minute or two) and the fact that logs from jobs aren't in one place without some clever aggregation. Aside from that, it's better :)

You might want to take a look at https://github.com/aptible/supercronic — it should be a plug-and-play replacement for cron (just point it at your crontab), but it plays a bit nicer with containers (it won't try to change users, and won't daemonize).

Disclaimer: I'm a contributor to Supercronic :)

Just coded the fix for alpine (busybox) linux, published the patched alpine dockers, as below:
geekidea/alpine-cron:3.7
geekidea/alpine-cron:3.8
geekidea/alpine-cron:3.9

see more: https://github.com/inter169/systs/blob/master/alpine/crond/README.md

As @inter169 says, you need to allow CAP_SETGID to run crond as a user. This can be a security issue if it is set on the entire busybox binary, but you can use the dcron package instead of busybox's built-in crond and set CAP_SETGID just on that program. Here is what you need to add for Alpine, using nobody as the running user:

USER root
# crond needs root, so install dcron and cap package and set the capabilities 
# on dcron binary https://github.com/inter169/systs/blob/master/alpine/crond/README.md
RUN apk add --no-cache dcron libcap && \
    chown nobody:nobody /usr/sbin/crond && \
    setcap cap_setgid=ep /usr/sbin/crond

USER nobody
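
The comment above scopes CAP_SETGID to the dcron binary instead of busybox. A build-time check for that, as an added example that is not part of the thread: it reads `getcap -r /` output from the image and flags any file capability other than the one expected on the one expected binary. The names `audit_caps` and `sample` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit file capabilities in an image.
# Feed it the output of `getcap -r / 2>/dev/null` run inside the container.
# Assumption: paths contain no whitespace.

# audit_caps ALLOWED_PATH ALLOWED_CAP
# Prints one verdict per input line; returns 1 if anything other than the
# single allowed capability on the single allowed binary is present.
audit_caps() {
    allowed_path=$1
    allowed_cap=$2
    rc=0
    while read -r path rest; do
        [ -n "$path" ] || continue
        caps=${rest#= }         # older libcap prints "path = caps"
        names=${caps%%[=+]*}    # drop the flag suffix ("=ep" or "+ep")
        if [ "$path" != "$allowed_path" ]; then
            echo "UNEXPECTED $path $names"   # capability on another binary
            rc=1
        elif [ "$names" != "$allowed_cap" ]; then
            echo "EXCESS $path $names"       # more than the one capability
            rc=1
        else
            echo "OK $path $names"
        fi
    done
    return $rc
}

# Constructed sample input covering both getcap output styles.
sample() {
    cat <<'EOF'
/usr/sbin/crond cap_setgid=ep
/bin/busybox = cap_setgid+ep
EOF
}

sample | audit_caps /usr/sbin/crond cap_setgid || echo "image fails the capability audit"
```

In a real build, replace `sample` with `getcap -r / 2>/dev/null` and let the non-zero return fail the build step.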

I'm using https://github.com/gjcarneiro/yacron as an alternative
