WARNING: Running pip as the 'root' user

python django docker ubuntu pip

52,019

Solution 1

The way your container is built doesn't add a user, so everything is done as root.

You could create a user and install to that users's home directory by doing something like this;

FROM python:3.8.3-alpine

RUN pip install --upgrade pip

RUN adduser -D myuser
USER myuser
WORKDIR /home/myuser

COPY --chown=myuser:myuser requirements.txt requirements.txt
RUN pip install --user -r requirements.txt

ENV PATH="/home/myuser/.local/bin:${PATH}"

COPY --chown=myuser:myuser . .

CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]

Solution 2

You can ignore this warning since you create the image for an isolated purpose and it therefore is organizationally as isolated as a virtual environment. Not technically, but that does not matter here.

It usually should not pay off to invest the time and create a virtual environment in an image or add a user as in the other answer, only to avoid the warning since you should not have any issues with this.

Just check pip -V and pip3 -V to know whether you need to pay attention not to mistakenly use pip for Python 2 when you want pip for Python 3. But that should be it, and if you install only pip for python 3, you will not have that problem anyway.

Solution 3

I don't like ignoring warnings, as one day you will oversee an important one.

Here is a good explanation on best docker practices with python. Search for Example with virtualenv and you'll find this:

# temp stage
FROM python:3.9-slim as builder

WORKDIR /app

ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1

RUN apt-get update && \
    apt-get install -y --no-install-recommends gcc

RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

COPY requirements.txt .
RUN pip install -r requirements.txt


# final stage
FROM python:3.9-slim

COPY --from=builder /opt/venv /opt/venv

WORKDIR /app

ENV PATH="/opt/venv/bin:$PATH"

Works like charm. No warnings or alike. BTW they also recommend to create a non root user for security reasons.

EDIT: to get rid of all warnings you may also want to add the following entries to the builder part of your Dockerfile (applies for Debian 8.3.x):

ARG DEBIAN_FRONTEND=noninteractive
ARG DEBCONF_NOWARNINGS="yes"

RUN python -m pip install --upgrade pip && \
    ...

52,019

V.D.

Updated on May 04, 2022

Comments

V.D. almost 2 years
I am making simple image of my python Django app in Docker. But at the end of the building container it throws next warning (I am building it on Ubuntu 20.04):

WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead

Why does it throw this warning if I am installing Python requirements inside my image? I am building my image using:
```
sudo docker build -t my_app:1 .
```
Should I be worried about warning that pip throws, because I know it can break my system?

Here is my Dockerfile:
```
FROM python:3.8-slim-buster

WORKDIR /app
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
COPY . .
CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]
```
- Justin over 2 years
  
  npm, and others, will also give you errors/warnings. It's good practice to not run as root, even within containers. You can create a user, as part of your Dockerfile, and use that to install/build/run.
- Karl Knechtel over 2 years
  
  Do you understand what "root user" means? Do you understand what is causing the process to run as root? When you use sudo docker build -t my_app:1 ., what do you think the sudo part means?
- user550701 over 2 years
  
  @KarlKnechtel If I understand correctly, the RUN pip ... command in the Dockerfile is run by the container's root user by default, regardless of which host system user invoked docker build .... That is why the accepted answer adds a new user in the Dockerfile. @justin is saying that creating a new docker user is best practices in any case, which is very interesting and perhaps not widely known.
- Karl Knechtel over 2 years
  
  My question was addressed to OP, not to Justin.
- user550701 over 2 years
  
  "Do you understand what is causing the process to run as root?" The question is actually what is causing Pip to run as the 'root' user. It's not sudo. It's actually the docker default behavior. If you want RUN commands not to run as root, you have to add a user in the Dockerfile.
Mathilda over 2 years

I still see the warning until I move RUN pip install --upgrade pip below USER myuser
user550701 over 2 years

I get Option d is ambiguous (debug, disabled-login, disabled-password) because Ubuntu 18.04, adduser does not have a -D flag
user550701 over 2 years

Some argue that useradd is more portable and should be preferred: Dockerfile best practices also suggests useradd instead.
doraemon over 2 years

When I followed this, pip warns that "Running pip as the 'root' user can result in broken permissions". It seems the python docker official recommendation conflicts with pip's official recommendation. How to handle this
Hossein Kalbasi over 2 years

I'm thinking the same. Wondering if anyone has any objection to this answer! I am not planning to have multiple users inside my docker container, which I inherit from Python:3.9 btw. I don't see why I should make the effort for creating user inside my Dockerfile! It would make it harder to maintain too!
alper about 2 years

shouldn't RUN pip install --upgrade pip called after the user is created?
alper about 2 years

Why did you use --no-install-recommends?
markwalker_ about 2 years

@alper no, this ensures that the system pip is current before setting up the user and using it.
alper about 2 years

But root user cannot call it due to Running pip as the 'root' usererror
markwalker_ about 2 years

@alper it's not an error, it's a warning. So it does run, it just warns you to make sure you're aware of what you're doing
alper about 2 years

Than its better to call as: pip install --upgrade pip >/dev/null 2>&1 to suppress the warning since you are aware of what you are doing
HeyMan about 2 years

I cannot tell you the core reason since this flag is used by the quoted solution linked in my answer. Here is a general explanation of the --no-install-recommends flag: askubuntu.com/a/65093/737843.
MSalters almost 2 years

@alper: It's a Docker image. It's not supposed to be used interactively, so you want to install just what is necessary.
Franklin Piat almost 2 years

--no-install-recommends is a Debian flag for apt-get , so in doesn't install package optional dependencies, see unix.stackexchange.com/q/77053/16640