This repository has been archived by the owner. It is now read-only.

“Don't run Bundler as root.” #10

Closed
elia opened this issue Sep 25, 2014 · 10 comments

@elia

elia commented Sep 25, 2014

Maybe it can be solved by using --system

Also, IIRC, avoiding running as root inside the container is a good practice security-wise (I may be wrong or out of date tho)

@janpieper

I have the same problem.

Dockerfile

FROM rails:onbuild

Output

Sending build context to Docker daemon 3.246 MB
Sending build context to Docker daemon 
Step 0 : FROM rails:onbuild
Pulling repository rails
951d1b8fb6fe: Download complete 
511136ea3c5a: Download complete 
a70fb0647e6e: Download complete 
431dac4e3917: Download complete 
b31651d76650: Download complete 
4f442c2069ca: Download complete 
0ed331685b4f: Download complete 
1b631079e7c1: Download complete 
ea8073371d8e: Download complete 
82e1f245c8b8: Download complete 
3f0a5e11e909: Download complete 
227510c3fed6: Download complete 
1be3121d8376: Download complete 
1110cda503c8: Download complete 
bda7ba8b8c00: Download complete 
273c8dc17160: Download complete 
9a7d33d20c4c: Download complete 
0d043d8cbf98: Download complete 
8cacfb2010b4: Download complete 
7f21724ebabb: Download complete 
# Executing 4 build triggers
Step onbuild-0 : ADD Gemfile /usr/src/app/
 ---> 55ecf158c552
Step onbuild-1 : ADD Gemfile.lock /usr/src/app/
 ---> 367e3fdadf49
Step onbuild-2 : RUN bundle install --system
 ---> Running in 727abdaad9ad
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and
installing your bundle as root will break this application for all non-root
users on this machine.
Your Ruby version is 2.1.2, but your Gemfile specified 2.1.1
2014/09/28 11:15:15 The command [/bin/sh -c bundle install --system] returned a non-zero code: 18

Edit: It failed with exit code 18 because my Gemfile wants ruby 2.1.1 and 2.1.2 is installed in the container.

@yosifkit
Member

@elia, as you point out, we use --system and that does not suppress the warning.

Aside from possible security issues (if you don't trust the code) when running as root, the only issue is that "installing your bundle as root will break this application for all non-root users on this machine" which has no bearing on the containerized app since there are no other users within the container.

@elia
Author

elia commented Sep 29, 2014

Sorry for suggesting --system, I misread the source. The issue is mainly cosmetic 💄

I don't think the security thing is necessarily related to trusting the code; any bug that can lead to code execution in the container is worse if the containerized user is root vs. a normal user. That said, it's about cosmetics.

Anyways, looking at bundler's source there's not much that can be done: the warning message is always shown if the user is root.

@tianon
Member

tianon commented Oct 8, 2014

We could use non-root and just allow passwordless sudo (either generally, or just for the commands that bundle runs), but in that case I really don't see any benefit since we'd be running as root anyhow. Running as root is also the only way (currently) to bind to privileged ports (see moby/moby#8460), which isn't necessarily common for rails applications, but is a consideration IMO.

@yosifkit
Member

This is just a warning. Closing for now. Feel free to post new information if I am wrong.

@Arcrammer

So how do we get past the message, then?

@kilianc

kilianc commented Dec 1, 2015

+1

@Arcrammer

@kilianc I've figured out how to install Rails in Docker, although I don't completely understand which part of my Dockerfile is leveraging this problem. Anyway! Here's my Dockerfile.

If you can get this to work let me know and if you can figure out how it helps me bypass this problem I'd appreciate it. Personally I think it's all because I extend ruby:latest instead of ubuntu:latest.

@kilianc

kilianc commented Dec 1, 2015

@Arcrammer probably changing your $HOME does the trick

@cbliard

cbliard commented Jan 8, 2016

From bundler 1.11.0.pre.1 (2015-11-29), there is a silence_root_warning setting to silence the warning when bundle install is run as root.

So to remove the warning, add this to your Dockerfile:

RUN bundle config --global silence_root_warning 1
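
An added example, not part of the thread or of the image's own Dockerfile: it combines the silence_root_warning setting from the comment above with the non-root runtime user raised earlier in the discussion. The base image tag, the account name "app", port 3000 and a Rails app with a Gemfile.lock in the build context are assumptions.

```dockerfile
# Added example: install gems as root at build time, run the app unprivileged.
# Assumptions: ruby:latest base image, a Rails app in the build context,
# a hypothetical account named "app", and the unprivileged port 3000.
FROM ruby:latest

WORKDIR /usr/src/app

# Build steps run as root, so Bundler would print "Don't run Bundler as root."
# The setting exists from Bundler 1.11.0.pre.1 onward (per the comment above).
RUN bundle config --global silence_root_warning 1

# Copy only the dependency manifests first so the gem layer is cached
# until Gemfile or Gemfile.lock changes.
COPY Gemfile Gemfile.lock ./
RUN bundle install

# Create a system account with no sudo rights. The warning only concerns
# the install step; the running application does not need root.
RUN groupadd --system app \
 && useradd --system --gid app --create-home app

# Give the unprivileged account ownership of the application tree so Rails
# can write to tmp/ and log/.
COPY --chown=app:app . .

# Everything from here on, including the container's main process, runs
# as "app". A code-execution bug in the app no longer yields root in the
# container.
USER app

# Ports below 1024 need extra privileges (see the comment on privileged
# ports above), so listen on an unprivileged one and map it at run time,
# e.g. docker run -p 80:3000.
EXPOSE 3000
CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0", "-p", "3000"]
```

Running `docker run --rm <image> id -u` against the built image should print a non-zero UID, which confirms the runtime user is not root.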

elia added a commit to elia/rails-1 that referenced this issue Jan 8, 2016
ersinakinci pushed a commit to TheTroveApp/docker-ruby that referenced this issue Jul 9, 2016
This is a well-known problem with bundler: docker-library/rails#10