
@brycelelbach
Collaborator

@brycelelbach brycelelbach commented Jan 26, 2026

Summary

This PR refactors the Docker container setup to run as a non-root user, improving security while maintaining full functionality. The implementation uses a unified entrypoint system with gosu for user switching and preserves passwordless sudo for operations that require root privileges.

Key Changes

Unified Entrypoint Architecture

  • New brev/entrypoint.bash - Main dispatcher that handles user creation and delegates to service-specific scripts
  • Service-specific entrypoints: entrypoint-base.bash, entrypoint-jupyter.bash, entrypoint-nsight.bash, entrypoint-shell.bash
  • User-level scripts: entrypoint-base-user.bash, entrypoint-jupyter-user.bash (run as target user via gosu)

User Management

  • Containers start as root, create a user dynamically based on ACH_UID/ACH_GID/ACH_USER environment variables (defaults to UID 1000)
  • Uses gosu for secure user switching (avoids TTY and signal issues with sudo)
  • Environment setup (Jupyter config, IPython startup scripts, Git safe directory) happens in the main entrypoint
  • All users have passwordless sudo with environment passthrough for privileged operations

Development Environment

  • brev/dev-common.bash replaces dev-mount.bash - Exports ACH_UID/ACH_GID/ACH_USER for Docker Compose
  • Removed bindfs dependency entirely - no more FUSE mounts needed
  • Simplified dev-start.bash, dev-stop.bash, dev-test.bash scripts

Docker Configuration

  • All 5 tutorial Dockerfiles updated:
    • Install gosu and sudo
    • Enable passwordless sudo with environment/path passthrough
    • Remove static user creation (now dynamic in entrypoint)
  • All docker-compose.yml files updated:
    • Services run as user: root (entrypoint handles user switching)
    • ACH_USER, ACH_UID, ACH_GID passed through environment

Nsight Streamer Integration

  • entrypoint-nsight.bash runs as root, sets up environment, then delegates to nsight streamer's own entrypoint
  • Fixed container restart issues by cleaning up symlinks/directories that nsight streamer creates unconditionally
  • Copies required config files to dynamically created user's home directory

Profiling Tools

  • Updated notebooks to invoke nsys and ncu with sudo for full profiling capabilities
  • Sudo preserves environment and PATH (via sudoers configuration)

Bugfixes

  • Fixed ownership of directories and log files created in entrypoint
  • Pinned scikit-learn version in accelerated-python tutorial for cuML compatibility
  • Updated docker-recipe.py for stdpar tutorial

Files Modified

New files:

  • brev/entrypoint.bash - Main entrypoint dispatcher
  • brev/entrypoint-base.bash, entrypoint-jupyter.bash, entrypoint-nsight.bash, entrypoint-shell.bash - Service entrypoints
  • brev/entrypoint-base-user.bash, entrypoint-jupyter-user.bash - User-level scripts
  • brev/dev-common.bash - Development environment helpers

Removed files:

  • brev/dev-mount.bash - Replaced by dev-common.bash
  • brev/nsight-start.bash - Replaced by entrypoint-nsight.bash
  • brev/base-start.bash, brev/jupyter-start.bash - Renamed to entrypoint-*-user.bash

Updated files:

  • All 5 tutorial Dockerfiles
  • All 5 tutorial docker-compose.yml files
  • brev/dev-start.bash, brev/dev-stop.bash, brev/dev-test.bash, brev/dev-shell.bash
  • brev/jupyter-generate-plugin-settings.bash
  • CONTRIBUTING.md - Removed bindfs references
  • Multiple notebooks to use sudo for profiling tools

Benefits

  • No bindfs dependency - simpler setup, no FUSE required
  • Better security - containers run as non-root by default
  • Consistent file ownership - files created match host user automatically
  • Full profiling support - nsys/ncu work with full features via sudo
  • Restartable containers - nsight container properly handles restarts
  • Cross-platform - works on any system with Docker
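
The root-then-drop pattern described above (start as root, create the user from ACH_USER/ACH_UID/ACH_GID with UID 1000 as the default, then hand off with gosu), as an added example that is not the project's own entrypoint. It assumes gosu, useradd, groupadd and getent are present in the image, and the default user name "ach", the WORKSPACE_DIR mount path and the ENTRYPOINT_APPLY switch are placeholders chosen here. It validates the host-supplied values before they reach any privileged command, skips creation on a restarted container, and runs in dry-run mode (printing the commands) unless ENTRYPOINT_APPLY=1.

```shell
#!/bin/sh
# Added example (not the project's entrypoint): a minimal root-started entrypoint
# that creates the target user from ACH_USER/ACH_UID/ACH_GID and drops to it with
# gosu, in the style the PR describes. Assumed: gosu, useradd, groupadd and getent
# exist in the image; the default user name "ach" and WORKSPACE_DIR are placeholders.
# Without ENTRYPOINT_APPLY=1 the script only prints the commands it would run.
set -eu

WORKSPACE_DIR="${WORKSPACE_DIR:-/workspace}"   # assumed bind-mount path

apply() { [ "${ENTRYPOINT_APPLY:-0}" = 1 ]; }

# Run a privileged command, or print it in dry-run mode.
run() { if apply; then "$@"; else echo "+ $*"; fi; }

# UIDs/GIDs arrive from the host environment; accept only non-negative integers
# so nothing but digits ever reaches useradd/groupadd.
is_uint() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Conservative user-name check: lowercase letters, digits, '_' and '-', starting
# with a letter or '_', at most 32 characters.
is_valid_name() {
    case "${1:-}" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# Resolve the user spec with the PR's default UID of 1000 (GID defaults to the UID).
# Prints "name uid gid" on success; refuses uid 0 so the service never stays root.
resolve_user_spec() {
    name="${ACH_USER:-ach}"
    uid="${ACH_UID:-1000}"
    gid="${ACH_GID:-$uid}"
    is_uint "$uid"        || { echo "invalid ACH_UID: $uid" >&2; return 1; }
    is_uint "$gid"        || { echo "invalid ACH_GID: $gid" >&2; return 1; }
    is_valid_name "$name" || { echo "invalid ACH_USER: $name" >&2; return 1; }
    [ "$uid" -ne 0 ]      || { echo "refusing ACH_UID=0: service must not run as root" >&2; return 1; }
    printf '%s %s %s\n' "$name" "$uid" "$gid"
}

# Existence checks only matter when applying (a restarted container already has
# the user); in dry-run mode every step is printed.
group_exists() { apply && getent group "$1" >/dev/null 2>&1; }
user_exists()  { apply && getent passwd "$1" >/dev/null 2>&1; }

# Root-side work, then hand off to the target user with gosu. exec replaces this
# shell, so signals and the PID 1 role go to the service rather than to a wrapper.
entrypoint_main() {
    spec=$(resolve_user_spec) || return 1
    name=${spec%% *}; rest=${spec#* }; uid=${rest%% *}; gid=${rest#* }
    group_exists "$gid" || run groupadd --gid "$gid" "$name"
    user_exists "$name" || run useradd --uid "$uid" --gid "$gid" --create-home --shell /bin/bash "$name"
    # Anything root created before the switch must belong to the target user.
    run chown "$uid:$gid" "$WORKSPACE_DIR"
    if apply; then
        exec gosu "$name" "$@"
    else
        echo "+ exec gosu $name $*"
    fi
}

# Stand-alone invocation: `sh entrypoint.sh jupyter lab` (dry run unless ENTRYPOINT_APPLY=1).
if [ $# -eq 0 ]; then set -- /bin/bash; fi
entrypoint_main "$@"
```

Running it without ENTRYPOINT_APPLY prints the groupadd, useradd, chown and gosu lines that a real start would execute, which makes the user-creation step reviewable outside a container; the numeric and name checks are what keep a malformed host environment from turning into an arbitrary argument to a root-run command.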

@github-actions
Contributor

github-actions bot commented Jan 27, 2026

❌ Link Check Failed

Broken links were detected in this PR.

Please check the workflow run logs for details on which links are broken.

Common fixes:

  1. Typo in URL - Check for spelling mistakes in the link
  2. Outdated link - The page may have moved or been deleted
  3. Relative path issue - Ensure relative links use the correct path
  4. External site down - If the external site is temporarily down, you can add it to brev/.lycheeignore

To test links locally:

./brev/test-links.bash .

📚 Lychee documentation

@brycelelbach brycelelbach force-pushed the non-root branch 2 times, most recently from 598c498 to 154fc9b on January 31, 2026 01:48
…tup and cleanup functions, replacing them with environment variable exports for user ID and group ID. Adjust Docker Compose files to set user permissions dynamically based on host user. Introduce user-setup script for runtime environment configuration.
…up.bash since it's sourced via BASH_ENV and affects all subsequent scripts. Use safe parameter expansion in jupyter-start.bash. Configure nsight service to start as root but switch to HOST_UID via USER environment variable. Add USER to common-service environment block for all containers.
…p.bash to user-env.bash and dev-mount.bash to dev-common.bash. Add shell-start.bash for interactive shell sessions.
…tor add example for comparison, improve benchmarking, and add parameter sweeping.