Run cron as non root user #381

Open
ankur1000 opened this issue Feb 9, 2018 · 10 comments

Comments

@ankur1000

I want to create a cronjob as a non-root user and without sudo. How do I create a cronjob for the same?

@inl-pd-autotest

I have a non-privileged user nginx.
At the docker build stage I put a crontab file in /etc/crontabs/nginx.

Remember: crond should be started as root at all times.

@amirmasud

amirmasud commented Aug 11, 2018

> Remember: crond should be started as root at all times.

@inl-pd-autotest
It's really bad news because it prevents usage on OpenShift, where containers start with non-root random users.

Is there any workaround to do so on OpenShift, or should we find crond alternatives for cronjobs inside containers?

@AleksanderGrzybowski

AleksanderGrzybowski commented Sep 18, 2018

I have the same problem on OpenShift: the cron daemon dies with "seteuid: Operation not permitted" (probably because file systems are mounted with the nosuid option), and the provider I use will not allow root containers to run. Is there any workaround to run the cron daemon as a non-root user?

@sachingupta771

Hello team,

I am also facing the same issue. Please provide something or some workaround to be used until the Alpine community includes it in the next updates.

@AleksanderGrzybowski

For the record, on OpenShift I ended up replacing our old cron-powered scripts with Kubernetes CronJobs and rewrote some parts of the initialization script code to work when invoked via CronJob. It works okay-ish; the downsides are mainly unpredictability in schedule time (it needs to create a pod, download the image on a random node etc., which may take a minute or two) and the fact that logs from jobs aren't in one place without some clever aggregation. Aside from that, it's better :)

@krallin

krallin commented Feb 14, 2019

You might want to take a look at https://github.com/aptible/supercronic — it should be a plug-and-play replacement for cron (just point it at your crontab), but it plays a bit nicer with containers (it won't try to change users, and won't daemonize).

Disclaimer: I'm a contributor to Supercronic :)

@inter169

inter169 commented Mar 15, 2019

Just coded the fix for Alpine (busybox) Linux and published the patched Alpine Docker images, as below:
geekidea/alpine-cron:3.7
geekidea/alpine-cron:3.8
geekidea/alpine-cron:3.9

See more: https://github.com/inter169/systs/blob/master/alpine/crond/README.md

@erseco

erseco commented Apr 30, 2020

As @inter169 says, you need to allow CAP_SETGID to run crond as a user. This can be a security issue if it is set on the whole busybox binary, but you can use the dcron package instead of busybox's builtin crond and set CAP_SETGID just on that program. Here is what you need to add for Alpine, using nobody as the running user:

```dockerfile
USER root
# crond needs root, so install dcron and cap package and set the capabilities
# on dcron binary https://github.com/inter169/systs/blob/master/alpine/crond/README.md
RUN apk add --no-cache dcron libcap && \
    chown nobody:nobody /usr/sbin/crond && \
    setcap cap_setgid=ep /usr/sbin/crond

USER nobody
```

@doug1n

doug1n commented May 14, 2021

I'm using https://github.com/gjcarneiro/yacron as an alternative

@sky-philipalmeida

sky-philipalmeida commented Oct 4, 2024

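Dockerfile example:

```dockerfile
FROM alpine:3.14

RUN apk add --no-cache bash tini curl libcap busybox-suid

COPY entrypoint.sh /

# Pre-create the crontab and spool files that crond will use for nobody
RUN touch \
    /etc/crontabs/nobody \
    /var/spool/cron/crontabs/cron.update \
    /var/spool/cron/crontabs/nobody.new

RUN chown -R nobody \
    /entrypoint.sh \
    /usr/sbin/crond

# The capability is set on the multi-call busybox binary,
# so it applies to every applet, not only crond
RUN setcap cap_setgid=ep /bin/busybox

RUN chmod +x /entrypoint.sh

WORKDIR /

# Give nobody a login shell (/bin/sh instead of /sbin/nologin)
RUN sed -ri 's/^(nobody.*:)\/sbin\/nologin$/\1\/bin\/sh/' /etc/passwd

USER nobody

ENTRYPOINT ["/entrypoint.sh"]

CMD ["/usr/sbin/crond", "-f"]
```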
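
Added example (not part of the thread or any participant's code): a shell check for the concern raised in @erseco's comment and visible in the Dockerfile above, namely whether CAP_SETGID sits on a dedicated crond binary or on the multi-call busybox binary. It classifies `getcap` output by file name only; the function names, verdict labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify `getcap -r` output by how widely CAP_SETGID is granted.
# Input: getcap lines on stdin, either "path = caps" (older libcap)
# or "path caps" (newer libcap).
# Output: one line per CAP_SETGID holder, "<VERDICT> <path> <caps>".
audit_setgid_caps() {
    awk '
        NF < 2 { next }                       # skip blank or malformed lines
        {
            path = $1
            caps = ($2 == "=") ? $3 : $2      # tolerate both getcap formats
            if (caps !~ /cap_setgid/) next    # only CAP_SETGID is of interest
            n = split(path, parts, "/")
            base = parts[n]
            if (base == "busybox")
                verdict = "WIDE"              # multi-call binary: every applet gets it
            else if (base == "crond")
                verdict = "SCOPED"            # dedicated cron binary (e.g. dcron)
            else
                verdict = "REVIEW"            # unexpected holder of the capability
            print verdict, path, caps
        }
    '
}

# Exit status for CI: non-zero when any grant is not scoped to crond.
check_setgid_caps() {
    report=$(audit_setgid_caps)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    ! printf '%s\n' "$report" | grep -Eq '^(WIDE|REVIEW) '
}

# Constructed sample input (not captured from a real image).
sample_getcap_output() {
    cat <<'EOF'
/usr/sbin/crond cap_setgid=ep
/bin/busybox = cap_setgid+ep
/usr/bin/ping cap_net_raw=ep
EOF
}

# Live use inside the image (requires the libcap package):
#   getcap -r / 2>/dev/null | check_setgid_caps
```

Run as a build step, `check_setgid_caps` fails the build when the capability is found on busybox or on any binary other than crond.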
