WARNING: Running pip as the 'root' user
Solution 1
The way your container is built doesn't add a user, so everything is done as root.
You could create a user and install to that users's home directory by doing something like this;
FROM python:3.8.3-alpine
RUN pip install --upgrade pip
RUN adduser -D myuser
USER myuser
WORKDIR /home/myuser
COPY --chown=myuser:myuser requirements.txt requirements.txt
RUN pip install --user -r requirements.txt
ENV PATH="/home/myuser/.local/bin:${PATH}"
COPY --chown=myuser:myuser . .
CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]
Solution 2
You can ignore this warning since you create the image for an isolated purpose and it therefore is organizationally as isolated as a virtual environment. Not technically, but that does not matter here.
It usually should not pay off to invest the time and create a virtual environment in an image or add a user as in the other answer, only to avoid the warning since you should not have any issues with this.
Just check pip -V
and pip3 -V
to know whether you need to pay attention not to mistakenly use pip
for Python 2 when you want pip
for Python 3. But that should be it, and if you install only pip for python 3, you will not have that problem anyway.
Solution 3
I don't like ignoring warnings, as one day you will oversee an important one.
Here is a good explanation on best docker practices with python. Search for Example with virtualenv
and you'll find this:
# temp stage
FROM python:3.9-slim as builder
WORKDIR /app
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1
RUN apt-get update && \
apt-get install -y --no-install-recommends gcc
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
COPY requirements.txt .
RUN pip install -r requirements.txt
# final stage
FROM python:3.9-slim
COPY --from=builder /opt/venv /opt/venv
WORKDIR /app
ENV PATH="/opt/venv/bin:$PATH"
Works like charm. No warnings or alike. BTW they also recommend to create a non root user for security reasons.
EDIT: to get rid of all warnings you may also want to add the following entries to the builder part of your Dockerfile (applies for Debian 8.3.x):
ARG DEBIAN_FRONTEND=noninteractive
ARG DEBCONF_NOWARNINGS="yes"
RUN python -m pip install --upgrade pip && \
...
Related videos on Youtube
V.D.
Updated on May 04, 2022Comments
-
V.D. almost 2 years
I am making simple image of my python Django app in Docker. But at the end of the building container it throws next warning (I am building it on Ubuntu 20.04):
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead
Why does it throw this warning if I am installing Python requirements inside my image? I am building my image using:
sudo docker build -t my_app:1 .
Should I be worried about warning that pip throws, because I know it can break my system?
Here is my Dockerfile:
FROM python:3.8-slim-buster WORKDIR /app COPY requirements.txt requirements.txt RUN pip install -r requirements.txt COPY . . CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]
-
Justin over 2 years
npm
, and others, will also give you errors/warnings. It's good practice to not run as root, even within containers. You can create a user, as part of your Dockerfile, and use that to install/build/run. -
Karl Knechtel over 2 yearsDo you understand what "root user" means? Do you understand what is causing the process to run as root? When you use
sudo docker build -t my_app:1 .
, what do you think thesudo
part means? -
user550701 over 2 years@KarlKnechtel If I understand correctly, the
RUN pip ...
command in the Dockerfile is run by the container's root user by default, regardless of which host system user invokeddocker build ...
. That is why the accepted answer adds a new user in the Dockerfile. @justin is saying that creating a new docker user is best practices in any case, which is very interesting and perhaps not widely known. -
Karl Knechtel over 2 yearsMy question was addressed to OP, not to Justin.
-
user550701 over 2 years"Do you understand what is causing the process to run as root?" The question is actually what is causing Pip to run as the 'root' user. It's not sudo. It's actually the docker default behavior. If you want
RUN
commands not to run as root, you have to add a user in the Dockerfile.
-
-
Mathilda over 2 yearsI still see the warning until I move
RUN pip install --upgrade pip
belowUSER myuser
-
user550701 over 2 yearsI get
Option d is ambiguous (debug, disabled-login, disabled-password)
because Ubuntu 18.04,adduser
does not have a-D
flag -
user550701 over 2 yearsSome argue that
useradd
is more portable and should be preferred: Dockerfile best practices also suggestsuseradd
instead. -
doraemon over 2 yearsWhen I followed this, pip warns that "Running pip as the 'root' user can result in broken permissions". It seems the python docker official recommendation conflicts with pip's official recommendation. How to handle this
-
Hossein Kalbasi over 2 yearsI'm thinking the same. Wondering if anyone has any objection to this answer! I am not planning to have multiple users inside my docker container, which I inherit from Python:3.9 btw. I don't see why I should make the effort for creating user inside my Dockerfile! It would make it harder to maintain too!
-
alper about 2 yearsshouldn't
RUN pip install --upgrade pip
called after the user is created? -
alper about 2 yearsWhy did you use
--no-install-recommends
? -
markwalker_ about 2 years@alper no, this ensures that the system pip is current before setting up the user and using it.
-
alper about 2 yearsBut root user cannot call it due to
Running pip as the 'root' user
error -
markwalker_ about 2 years@alper it's not an error, it's a warning. So it does run, it just warns you to make sure you're aware of what you're doing
-
alper about 2 yearsThan its better to call as:
pip install --upgrade pip >/dev/null 2>&1
to suppress the warning since you are aware of what you are doing -
HeyMan about 2 yearsI cannot tell you the core reason since this flag is used by the quoted solution linked in my answer. Here is a general explanation of the
--no-install-recommends
flag: askubuntu.com/a/65093/737843. -
MSalters almost 2 years@alper: It's a Docker image. It's not supposed to be used interactively, so you want to install just what is necessary.
-
Franklin Piat almost 2 years
--no-install-recommends
is a Debian flag for apt-get , so in doesn't install package optional dependencies, see unix.stackexchange.com/q/77053/16640