# Users

To run containers securely, in an environment with fewer privileges, a dedicated unprivileged user is needed.

## Wheel

Before creating the user, install `doas`, so that the user can "do as" root when that is required:

```
# apk add doas
```

Configure `doas` through `/etc/doas.d/wheel.conf`. The rule below lets members of the `wheel` group act as root; `persist` reuses a successful authentication for a short while instead of prompting on every command:

```
permit persist :wheel as root
```

## Adding a user

A user can be added in Alpine Linux with the `setup-user` script, which takes the name, supplementary groups and more; here the user is put into `wheel`. Then set its password with `passwd`, giving the username as the argument (run as root without an argument, `passwd` changes the root password instead):

```
# setup-user -g wheel
# passwd
```

You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell listed in `/etc/shells`. Alpine Linux comes with `/bin/ash` by default. In the entry, the sixth field is the home directory and the seventh is the login shell:

```
:x:1234:1234::/home/:/bin/
```

Once you have verified that `doas` works for the new user (`doas id` should report `uid=0(root)` after the user's own password is entered), lock the root account: a root account that can still be logged into with a password is an extra target, and `doas` does not need it because it authenticates the calling user with that user's password. Locking is done with:

```
# passwd -l root
```

and by editing `/etc/passwd` to change root's login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

Do this from a session in which the `doas` check has already succeeded. With the password locked and the shell set to `nologin`, neither `login` nor `su` will get you to root any more, so a broken `doas` setup at this point means recovering from a rescue boot.

## User services

The user gets its own service manager, for the management of user containers and other user services. `runsvdir` from `runit` will be used as that service manager, so install it:

```
# apk add runit
```

Create `/etc/init.d/runsvdir-user`, the OpenRC script for the user's service manager. It is a multiplexed service: it is not started under its own name but through a symlink named `runsvdir-user.` followed by the username, and it derives the user from the part of its service name after the last dot.

```
#!/sbin/openrc-run

# RC_SVCNAME is the name of the symlink this script was started through,
# e.g. runsvdir-user.<name>; everything after the last dot is the username.
user="${RC_SVCNAME##*.}"
svdir="/home/${user}/.local/service"
# One pidfile per user, so several instances do not collide.
pidfile="/run/runsvdir-user.${user}.pid"
command="/usr/bin/runsvdir"
command_args="$svdir"
# start-stop-daemon drops privileges to this account before exec.
command_user="$user"
command_background=true

depend() {
	after network-online
}
```

`runsvdir` starts a `runsv` supervisor for every subdirectory of `/home/<user>/.local/service`, each of which holds a `run` script. Create that directory as the user before the service is started; if it is missing, `runsvdir` keeps running but supervises nothing. The user manages the services in it with `sv`, pointing it at the tree with `SVDIR=$HOME/.local/service`.

Make `/etc/init.d/runsvdir-user` executable:

```
# chmod +x /etc/init.d/runsvdir-user
```

Link the user to `/etc/init.d/runsvdir-user`; the link name is `runsvdir-user.` with the username after the dot:

```
# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.
```

Finally, add the service to the default runlevel. This only enables it at boot; use `rc-service` with the same name to start it right away:

```
# rc-update add runsvdir-user. default
```

> This process can of course be repeated for several users; each one gets its own symlink, pidfile and service tree.
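As an added example, not code from the original page or from Alpine's scripts, the following POSIX shell block reproduces the name derivation the `runsvdir-user` script relies on and adds the checks a `start_pre()` hook could run before `start-stop-daemon` launches anything as the derived user. The conventions it assumes are the page's: a symlink named `runsvdir-user.` plus the username, a service tree under `/home/<user>/.local/service`, a pidfile under `/run`. The `PASSWD_FILE` override, the function names and the constructed passwd lines used for testing are assumptions made here.

```sh
#!/bin/sh
# Added example, not code from the original page: the name derivation the
# runsvdir-user OpenRC script relies on, plus the checks a start_pre() hook
# could run before start-stop-daemon launches anything as the derived user.
# Assumed conventions (the page's): the service is reached through a symlink
# named runsvdir-user.<username>, the supervised tree is
# /home/<username>/.local/service, and the pidfile lives under /run.
# PASSWD_FILE is an assumed override so the account check can be exercised
# against a constructed passwd file instead of the real /etc/passwd.

# Same expansion the script uses: drop everything up to the last dot.
user_from_svcname() {
    printf '%s\n' "${1##*.}"
}

svdir_for_user() {
    printf '/home/%s/.local/service\n' "$1"
}

pidfile_for_user() {
    printf '/run/runsvdir-user.%s.pid\n' "$1"
}

# Account lookup that needs only the passwd file (no getent on a minimal box).
user_exists() {
    grep -q "^$1:" "${PASSWD_FILE:-/etc/passwd}"
}

# Refuse service names that would make the script run as the wrong account.
# Started as plain "runsvdir-user" (no symlink), ${RC_SVCNAME##*.} yields
# "runsvdir-user" itself, and that string would be handed to --user.
check_svcname() {
    name="$1"
    case "$name" in
        runsvdir-user.?*) ;;
        *) echo "refusing: '$name' has no .username suffix" >&2; return 1 ;;
    esac
    u="${name##*.}"
    case "$u" in
        -*|*[!a-z0-9_-]*)
            echo "refusing: '$u' is not a plain lowercase username" >&2; return 1 ;;
    esac
    if [ "$u" = root ]; then
        echo "refusing: a user service tree must not run as root" >&2; return 1
    fi
    user_exists "$u" || { echo "refusing: no such user '$u'" >&2; return 1; }
}

# The tree must exist: with a missing directory runsvdir keeps running,
# only warns that it cannot stat the directory, and supervises nothing.
check_svdir() {
    [ -d "$1" ] || { echo "missing service dir '$1'; create it as the user" >&2; return 1; }
}

# Everything start_pre() would run, in order, for one RC_SVCNAME.
precheck() {
    check_svcname "$1" || return 1
    check_svdir "$(svdir_for_user "$(user_from_svcname "$1")")"
}
```

Copying the functions into `/etc/init.d/runsvdir-user` and adding `start_pre() { precheck "$RC_SVCNAME"; }` makes the service fail to start, with a reason in the OpenRC output, instead of silently running `runsvdir` as a nonexistent account or as root, or supervising an empty tree.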