
Unable to run crond command in docker container running as non-root #148

Open
ghost opened this issue Apr 27, 2023 · 3 comments

Comments


ghost commented Apr 27, 2023

I am using cronie in a docker container running as non-root. When I run the crond command it exits with the error

setuid: operation not permitted

Do we have an example with a non-root docker container having the redhat/ubi8-minimal base image?

hartwork (Contributor) commented

https://github.com/aptible/supercronic#why-supercronic could be of interest on the topic of "cron in containers".


ViliusS commented Apr 19, 2024

I'm interested in this too. Running a "crond & httpd" entrypoint under ubi base images produces: bash-5.1$ crond: can't open or create /var/run/crond.pid: Permission denied.

I've already tried RUN chown nonrootuser:nonrootgroup /usr/sbin/crond && setcap cap_setgid=ep /usr/sbin/crond && setcap cap_setuid=ep /usr/sbin/crond but this didn't work.

Is it possible to get cronie working without root privileges?


ViliusS commented Apr 19, 2024

Found a workaround:

FROM registry.access.redhat.com/ubi9/php-81

USER root
RUN dnf install -y cronie && \
    dnf clean all && \
    chown default:root /var/run && setcap "cap_setuid=ep cap_setgid=ep" /usr/sbin/crond && \
    sed -i 's/\(account     required      pam_unix.so\)/\1 broken_shadow/g' /etc/pam.d/system-auth

# Reset to default application user
USER default
COPY --chown=default:root php-pre-start/run-cron.sh ./php-pre-start/run-cron.sh

RUN (crontab -l; echo "* * * * * your_command_to_schedule") | crontab -

CMD /usr/libexec/s2i/run

run-cron.sh content

#!/bin/bash

crond

This is for a ubi-based s2i image but can be adapted for other RedHat images, I believe. The only caveat: the crond process will run as root (which is not always safe) and you won't be able to kill it from inside the rootless image.

It would still be great to somehow have a possibility to run cronie completely rootless.

EDIT: I have updated the workaround with a modified PAM configuration. Under RHEL cronie doesn't want to read the /etc/shadow file for some reason, even though it is running as setuid root. Or maybe this is a problem with pam_unix.so. This produces issues when running cronjobs of other users, say from the /var/spool/cron/default user crontab.

sh-5.1$ crond -x proc
debug flags enabled: proc
[275] cron started
log_it: (CRON 275) STARTUP (1.5.7)
log_it: (CRON 275) INFO (Syslog will be used instead of sendmail.)
log_it: (CRON 275) INFO (RANDOM_DELAY will be scaled with factor 25% if used.)
log_it: (CRON 275) INFO (running with inotify support)
log_it: (CRON 275) INFO (Can't create lock for reboot jobs.): Permission denied
[275] do_command(your_command_to_schedule, (default,1001,0))
[275] main process returning to work
log_it: (default 277) PAM ERROR (Authentication service cannot retrieve authentication info)
log_it: (default 277) FAILED to authorize user with PAM (Authentication service cannot retrieve authentication info)
[275] sigchld...pid #277 died, stat=1
[275] sigchld...no children

Adding broken_shadow for pam_unix.so solves the issue. That's probably another thing to consider if cronie were allowed to run as a non-root user one day.
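The three errors in this thread (setuid not permitted, the unwritable pid-file directory, and the PAM shadow lookup) come from three separate preconditions, and crond reports them at different stages, so they are easy to mix up. The preflight script below is an added example, not code from the cronie project or from this issue; it tests each precondition from the point of view of the user it runs as, so it should be executed as the container's application user rather than as root. The function names, the --run flag and the scratch-tree prefix are my own; the paths /var/run, /etc/pam.d/system-auth and /usr/sbin/crond are the ones used in the thread. On the /etc/shadow point: a process that reaches uid 0 through setuid() while holding only CAP_SETUID and CAP_SETGID from file capabilities gets just its permitted set as its new effective set (capabilities(7)), so it never gains CAP_DAC_OVERRIDE and still cannot read a mode 0000 /etc/shadow, which is consistent with the PAM error quoted above.

```shell
#!/bin/bash
# Added example (not from the cronie project or this issue): pre-flight checks
# for running crond as a non-root container user. Each check corresponds to
# one failure quoted in the thread:
#   1. "setuid: operation not permitted"
#      -> crond lacks CAP_SETUID/CAP_SETGID (file capabilities via setcap)
#   2. "can't open or create /var/run/crond.pid: Permission denied"
#      -> the pid-file directory is not writable by the crond user
#   3. "PAM ERROR (Authentication service cannot retrieve authentication info)"
#      -> pam_unix.so cannot read /etc/shadow and has no 'broken_shadow'
# Every function takes explicit paths, so the script can be pointed at a
# scratch tree; ROOT is a prefix such as "" (the real filesystem) or a
# constructed test directory. Run it as the application user (USER default),
# not as root: the -w / -r tests reflect the caller's own permissions.
# Return codes: 0 = OK, 1 = the matching crond failure is to be expected.

# 2. Can crond create its pid file in this directory?
check_pidfile_dir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# 3a. Is the shadow file readable by this user?
check_shadow_readable() {
    [ -r "$1" ]
}

# 3b. Does the PAM service file carry broken_shadow on the pam_unix.so
#     account line (the line the thread's sed rewrites in system-auth)?
check_pam_broken_shadow() {
    grep -Eq '^account[[:space:]]+required[[:space:]]+pam_unix\.so.*broken_shadow' "$1"
}

# 1. Does the crond binary carry cap_setuid and cap_setgid file capabilities?
#    getcap output differs between libcap versions
#    ("<bin> cap_setgid,cap_setuid=ep" vs "<bin> = cap_setgid,cap_setuid+ep"),
#    so only the presence of both names is tested. Returns 2 (skip) when the
#    binary or getcap is missing, so an absent tool is not reported as an
#    absent capability.
check_crond_caps() {
    [ -e "$1" ] || return 2
    command -v getcap >/dev/null 2>&1 || return 2
    caps=$(getcap "$1" 2>/dev/null)
    case "$caps" in
        *cap_setuid*cap_setgid*|*cap_setgid*cap_setuid*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks under ROOT and print one line per finding.
crond_preflight() {
    root="${1:-}"
    status=0

    if check_pidfile_dir "$root/var/run"; then
        echo "OK   $root/var/run is writable"
    else
        echo "FAIL $root/var/run not writable: expect 'can't open or create crond.pid: Permission denied'"
        status=1
    fi

    if check_shadow_readable "$root/etc/shadow"; then
        echo "OK   $root/etc/shadow is readable"
    elif check_pam_broken_shadow "$root/etc/pam.d/system-auth"; then
        echo "OK   $root/etc/shadow unreadable, but pam_unix.so has broken_shadow"
    else
        echo "FAIL $root/etc/shadow unreadable and no broken_shadow: expect 'PAM ERROR (Authentication service cannot retrieve authentication info)'"
        status=1
    fi

    # Capture the three-way result without tripping 'set -e'.
    check_crond_caps "$root/usr/sbin/crond" && caps=0 || caps=$?
    case "$caps" in
        0) echo "OK   crond has cap_setuid and cap_setgid" ;;
        1) echo "FAIL crond lacks cap_setuid/cap_setgid: expect 'setuid: operation not permitted'"; status=1 ;;
        *) echo "SKIP crond binary or getcap not found; capability check not performed" ;;
    esac
    return "$status"
}

# Only run against a real tree when explicitly asked, so the functions can
# also be sourced: ./preflight.sh --run        (checks /)
#                  ./preflight.sh --run /tree  (checks a scratch prefix)
if [ "${1-}" = "--run" ]; then
    crond_preflight "${2-}"
fi
```

Note that broken_shadow is a weakening, not a fix: pam_unix(8) documents it as ignoring errors reading shadow information in the account phase, so with it in place a job still runs for a user whose account is locked or expired in /etc/shadow. If the image only ever runs jobs for its own application user, that is usually acceptable; if crond is expected to enforce account status for several users, it is not.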

3 participants