documentation/docs/alpine-server-setup/post-install/users.md


Users

To run containers securely, in an environment with fewer privileges, a non-root user is necessary.

Wheel

Before creating the user, install doas, which lets the user "do as" root when it is required:

# apk add doas

Configure doas through /etc/doas.d/wheel.conf:

permit persist :wheel as root

Adding a user

A user can be added in Alpine Linux with the setup-user script. Here we can specify the name, groups and more:

# setup-user -g wheel <username>
# passwd <username>

You may have to change the shell of the user in /etc/passwd from /sbin/nologin to a shell from /etc/shells. Alpine Linux comes with /bin/ash by default:

<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>

Once you have checked that doas works for the user, you can lock the root account, because leaving it open poses a security risk. This can be done with:

# passwd -l root

and by editing /etc/passwd to change the login shell of root from /bin/ash to /sbin/nologin:

root:x:0:0:root:/root:/sbin/nologin
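
The state this section sets up can be checked with a read-only audit. The script below is an added example, not part of the original documentation; the function names (field, audit_accounts, make_sample_etc), the optional ETC_DIR argument and the sample user alice are assumptions made for illustration. Run it as root, since /etc/shadow is not readable otherwise.

```sh
#!/bin/sh
# Read-only audit of the account setup from this page (added example).
# Usage: audit_accounts USER [ETC_DIR]   (ETC_DIR defaults to /etc)

# field FILE NAME N: print the Nth colon-separated field of NAME's entry
field() {
    awk -F: -v name="$2" -v n="$3" '$1 == name { print $n; exit }' "$1" 2>/dev/null
}

audit_accounts() {
    user="$1"; etc="${2:-/etc}"; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    # doas must carry a permit rule for the wheel group
    grep -Eq '^permit[[:space:]].*:wheel' "$etc/doas.d/wheel.conf" 2>/dev/null ||
        fail "no permit rule for :wheel in $etc/doas.d/wheel.conf"

    # the user must be listed as a member of wheel in the group file
    field "$etc/group" wheel 4 | tr ',' '\n' | grep -Fqx "$user" ||
        fail "$user is not a member of wheel"

    # the user's login shell must be one of the shells in /etc/shells
    ushell=$(field "$etc/passwd" "$user" 7)
    { [ -n "$ushell" ] && grep -Fqx "$ushell" "$etc/shells" 2>/dev/null; } ||
        fail "$user has login shell '$ushell', not listed in $etc/shells"

    # root: password field locked ('!' or '*' prefix) and shell set to nologin
    case "$(field "$etc/shadow" root 2)" in
        '!'* | '*'*) ;;
        *) fail "root password is not locked" ;;
    esac
    [ "$(field "$etc/passwd" root 7)" = /sbin/nologin ] ||
        fail "root login shell is not /sbin/nologin"

    [ "$bad" -eq 0 ] && echo "OK: $user is in wheel and root is locked"
    return "$bad"
}

# Constructed sample data (not from a real system): writes a small etc tree to DIR
make_sample_etc() {
    mkdir -p "$1/doas.d"
    echo 'permit persist :wheel as root' > "$1/doas.d/wheel.conf"
    printf '%s\n' /bin/ash /bin/sh > "$1/shells"
    printf '%s\n' 'wheel:x:10:root,alice' 'alice:x:1000:' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/sbin/nologin' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/ash' > "$1/passwd"
    printf '%s\n' 'root:!$6$constructed:19000:0:::::' \
        'alice:$6$constructed:19000:0:99999:7:::' > "$1/shadow"
}
```

The audit only inspects files; it does not prove that doas works, so still run a command through doas as the new user before locking root.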

User services

The user will have its own service manager to manage user containers and other user services. runsvdir from runit will be used as the service manager, so install runit:

# apk add runit

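Create /etc/init.d/runsvdir-user, which will be the OpenRC script for the service manager of the user:

#!/sbin/openrc-run

# The user name is the part of the service name after the last dot,
# e.g. runsvdir-user.<username> gives <username>
user="${RC_SVCNAME##*.}"
# Directory in the user's home that runsvdir watches for services
svdir="/home/${user}/.local/service"
pidfile="/run/runsvdir-user.${user}.pid"

# Run runsvdir in the background as that user, not as root
command="/usr/bin/runsvdir"
command_args="$svdir"
command_user="$user"
command_background=true

depend()
{
    after network-online
}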

Make /etc/init.d/runsvdir-user executable:

# chmod +x /etc/init.d/runsvdir-user

Link the user to /etc/init.d/runsvdir-user by creating a symlink named after the user:

# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>

Finally, add the service to the default runlevel:

# rc-update add runsvdir-user.<username> default

This process can of course be repeated for several users.