lnorg/documentation
1
2
Fork 0
Code Issues 30 Pull requests Projects 6 Activity
documentation/docs/alpine-server-setup/post-install/users.md

92 lines
No EOL
2 KiB
Markdown
Raw Blame History

# Users
To run containers securely; in an environment with fewer privileges, a user is necessary.
## Wheel
Before creating the user, install `doas`. To be able to "do as" root when it is required:
```
# apk add doas
```
Configure `doas` through `/etc/doas.d/main.conf`:
```
permit persist :wheel as root
```
## Adding a user
A user can be added in Alpine Linux with the `setup-user` script. Here we can specify the name, groups and more:
```
# setup-user -g wheel <username>
# passwd <username>
```
You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```
If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:
```
# passwd -l root
```
and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:
```
root:x:0:0:root:/root:/sbin/nologin
```
## User services
The user will have its own service manager, for the management of user containers and other user services. As service manager `runsvdir` from `runit` will be used. Therefore install
```
# apk add runit
```
Create `/etc/init.d/runsvdir-user`, which will be the openrc-script for the service manager of the user.
```
#!/sbin/openrc-run
user="${RC_SVCNAME##*.}"
svdir="/home/${user}/.local/service"
pidfile="/run/runsvdir-user.${user}.pid"
command="/usr/bin/runsvdir"
command_args="$svdir"
command_user="$user"
command_background=true
depend()
{
after network-online
}
```
Make `/etc/init.d/runsvdir-user` an executable
```
# chmod +x /etc/init.d/runsvdir-user
```
Link the user to `/etc/init.d/runsvdir-user`
```
# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>
```
Finally, add the service to the default runlevel
```
# rc-update add runsvdir-user.<username> default
```
> This process can of course be repeated for several users.
Reference in a new issue View git blame Copy permalink