Running Workspaces as Root

By default Kasm containers run as a non privileged user with a UID of 1000. This user can launch programs and perform typical workloads, but cannot install new programs using the system package manager.

In order to install packages the package manager must be run as root, this document shows the methods for using sudo or the docker run config to run commands as root.

Note

Packages installed in a running container do not persist when the container is destroyed. To have a package be permanently installed an Admin must build it into a custom Workspace, for more details see the Custom Images Guide.

Warning

Running a container as root is not recommended, as it removes one layer of security for preventing a user from breaking out of the container and gaining access to the host system.

There are two main methods of running programs inside the container as root:

  • Altering the Docker Run Config to run the whole container as root.

  • Using sudo run individual commands as root.

Running whole container as root

Running the container as root is the easiest, as it only requires altering the docker run config, but it comes with some limitations.

  • If the desktop session refuses to start and enters looping screen of “Creating secure connection” you may have to disable pulse audio.

  • Some programs, like Mozilla Firefox will refuse to start as root.

Enter the Kasm Workspaces Admin UI, select Workspaces. Edit the Workspace you want to run as root or create a new Workspace.

../_images/root_edit_image.jpg

Editing a Workspace

Modify the Docker Run Config Override field to include "user":"root". For example:

{
    "hostname":"kasm",
    "user":"root"
}

Test launching the Workspace. Running whoami should display “root”.

If the Workspace fails to launch and instead cycles through a “Creating Workspace” and a black screen, then edit Docker Run Config Override to disable pulseaudio.

The resulting field should look like the following example:

{
    "hostname":"kasm",
    "user":"root",
    "environment" : {"START_PULSEAUDIO" : "0"}
}

If the Workspace launches and whoami shows “root” that means the config change is successful and all commands are being run as root.

Building a Workspace with sudo

Using sudo to escalate is the more robust solution, but it requires building a new Workspace.

This only goes over the specific configuration required to get the sudo command working, for detailed instructions on building custom images, please see the Custom Images Guide.

Follow the Custom Images guide to create a custom Workspace, adding the following to the section of the Dockerfile marked “###Customize Container Here###” .

RUN apt-get update \
    && apt-get install -y sudo \
    && echo 'kasm-user ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers \
    && rm -rf /var/lib/apt/list/*

When testing the Workspace sudo whoami should show “root”.

Commands can now be run as root by prepending them with sudo.