Running Workspaces as Root
By default Kasm containers run as a non privileged user with a UID of 1000. This user can launch programs and perform typical workloads, but cannot install new programs using the system package manager.
In order to install packages the package manager must be run as root, this document shows the methods for using sudo or the docker run config to run commands as root.
Note
Packages installed in a running container do not persist when the container is destroyed. To have a package be permanently installed an Admin must build it into a custom Workspace, for more details see the Custom Images Guide.
Warning
Running a container as root is not recommended, as it removes one layer of security for preventing a user from breaking out of the container and gaining access to the host system.
There are two main methods of running programs inside the container as root:
Altering the Docker Run Config to run the whole container as root.
Using sudo run individual commands as root.
Running whole container as root
Running the container as root is the easiest, as it only requires altering the docker run config, but it comes with some limitations.
If the desktop session refuses to start and enters looping screen of “Creating secure connection” you may have to disable pulse audio.
Some programs, like Mozilla Firefox will refuse to start as root.
Enter the Kasm Workspaces Admin UI, select Workspaces. Edit the Workspace you want to run as root or create a new Workspace.
Modify the Docker Run Config Override field to include "user":"root"
. For example:
{ "hostname":"kasm", "user":"root" }
Test launching the Workspace. Running whoami
should display “root”.
If the Workspace fails to launch and instead cycles through a “Creating Workspace” and a black screen, then edit Docker Run Config Override to disable pulseaudio.
The resulting field should look like the following example:
{ "hostname":"kasm", "user":"root", "environment" : {"START_PULSEAUDIO" : "0"} }
If the Workspace launches and whoami
shows “root” that means the config change is successful and all commands are being run as root.
Building a Workspace with sudo
Using sudo to escalate is the more robust solution, but it requires building a new Workspace.
This only goes over the specific configuration required to get the sudo command working, for detailed instructions on building custom images, please see the Custom Images Guide.
Follow the Custom Images guide to create a custom Workspace, adding the following to the section of the Dockerfile marked “###Customize Container Here###” .
RUN apt-get update \ && apt-get install -y sudo \ && echo 'kasm-user ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers \ && rm -rf /var/lib/apt/list/*
When testing the Workspace sudo whoami
should show “root”.
Commands can now be run as root by prepending them with sudo
.