.. title:: Running as Root Running Workspaces as Root ========================== By default Kasm containers run as a non privileged user with a UID of 1000. This user can launch programs and perform typical workloads, but cannot install new programs using the system package manager. In order to install packages the package manager must be run as root, this document shows the methods for using sudo or the docker run config to run commands as root. .. note:: Packages installed in a running container do not persist when the container is destroyed. To have a package be permanently installed an Admin must build it into a custom image, for more details see the `Custom Images Guide <../how_to/building_images>`_. .. warning:: Running a container as root is not recommended, as it removes one layer of security for preventing a user from breaking out of the container and gaining access to the host system. There are two main methods of running programs inside the container as root: - Altering the **Docker Run Config** to run the whole container as root. - Using **sudo** run individual commands as root. Running whole container as root ------------------------------- Running the container as root is the easiest, as it only requires altering the docker run config, but it comes with some limitations. - If the desktop session refuses to start and enters looping screen of "Creating secure connection" you may have to disable pulse audio. - Some programs, like Mozilla Firefox will refuse to start as root. Enter the **Kasm Workspaces Admin UI**, select **Images**. Edit the image you want to run as root or create a new image. .. figure:: /images/running_as_root/root_edit_image.jpg :width: 100% :align: center **Editing an Image** Modify the **Docker Run Config Override** field to include ``"user":"root"``. For example: .. sourcecode:: json { "hostname":"kasm", "user":"root" } Test launching the image. Running ``whoami`` should display "root". If the image fails to launch and instead cycles through a "Creating image" and a black screen, then edit **Docker Run Config Override** to disable pulseaudio. The resulting field should look like the following example: .. sourcecode:: json { "hostname":"kasm", "user":"root", "environment" : {"START_PULSEAUDIO" : "0"} } If the image launches and ``whoami`` shows "root" that means the config change is successful and all commands are being run as root. Building an Image with sudo --------------------------- Using sudo to escalate is the more robust solution, but it requires building a new image. This only goes over the specific configuration required to get the sudo command working, for detailed instructions on building custom images, please see the `Custom Images Guide <../how_to/building_images>`_. Follow the Custom Images guide to create a custom image, adding the following to the section of the Dockerfile marked "###Customize Container Here###" . .. parsed-literal:: RUN apt-get update \\ && apt-get install -y sudo \\ && useradd -m -d /home/kasm-user -s /bin/bash kasm-user \\ && echo 'kasm-user ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers \\ && rm -rf /var/lib/apt/list/* When testing the image ``sudo whoami`` should show "root". Commands can now be run as root by prepending them with ``sudo``.