Docker
Vigilo Confido, 2019-07-21 23:19:55

How to work with users in Docker containers?

I tried to delve into it on my own, but either diligence or experience with docker containers is not enough.
How does the user parameter work when running docker containers and, most importantly, how to handle it when writing your Dockerfiles?
At the moment, I have seen ready-made containers with parameter processing (for example, mariadb) - but at the same time, often at the first start, it drags the rights in the configured volume to uid=999 (system-coredump) - which gives the impression that the user does not work as a kind of "proxy for rights", forcing all "external interactions" to be carried out from under the specified user.
In self-assembled containers (for example, projects using php-fpm and external volumes), for the time being, UID=xxxx and GID=xxxx values are passed in env variables, which are processed by the entrypoint, creating a user inside the container with the required IDs and starting fpm as that user.

3 answer(s)
Georg Gaal, 2019-07-22
@Vigilo

> How does the user parameter work when running docker containers and, most importantly, how to handle it when writing your own Dockerfiles?
No way. The user parameter is a crutch that allows the software to run as a non-root user. It would take long to explain why, but in short, running something in docker under user 0 (root) is very bad and not secure. Accordingly, you already understood the correct way:
What else to add? All these problems with chown/chmod only arise if you need to transfer files between the container and the host. If you don't have this task, then all these squats are not needed. And if you still need it, then there are two more ways to do it without conjuring with rights:

  • docker cp command
  • using pipe: docker exec container_name cat MY_FILE > path_on_host or similar

planc, 2019-07-22
@planc

user is a verbal representation for convenience, like domains on the Internet. A file does not have a user name or user group name parameter; there, as with IP addresses, it is a user number and a user group number.
Let's say I'm a dka user on the host, uid/gid 1000.
I have a folder /tmp/docker with code.
I run debian in a container and add my folder there, which will be /code.
I create a user inside the container with uid 1000 gid 1000 (like my user on the host):

[email protected]:/code# groupadd -g 1000 my_docker_user_group
[email protected]:/code# useradd --uid 1000 --gid 1000 my_docker_user

I switch to the new user using su (in the Dockerfile this is the USER directive).
That's all, now I can code on the host but run in a container, and I will not have problems with file permissions.
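
The entrypoint pattern described in the question and in the answer above (create a user with the host's numeric IDs, then start the service as that user), as an added example that is not code from the thread. The names PUID, PGID and app are assumptions, as is a Debian-based image that provides groupadd, useradd, getent and setpriv.

```shell
#!/bin/sh
# Added example: entrypoint that maps the container user to host-supplied IDs.
# PUID, PGID and the user name "app" are assumed names, not from the thread.
# (PUID/PGID rather than UID/GID because bash keeps UID as a read-only variable.)
set -eu

# valid_id VALUE: succeed only for a decimal ID in 1..65534.
# Rejects empty or non-numeric input and 0, so a typo or a hostile value
# cannot silently leave the service running as root.
valid_id() {
    case "${1:-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Length check first so huge strings never reach the integer comparison.
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65534 ]
}

# resolve_ids: print "UID GID" taken from PUID/PGID (default 1000), or fail.
resolve_ids() {
    uid="${PUID:-1000}"
    gid="${PGID:-1000}"
    valid_id "$uid" || { echo "invalid PUID: $uid" >&2; return 1; }
    valid_id "$gid" || { echo "invalid PGID: $gid" >&2; return 1; }
    echo "$uid $gid"
}

main() {
    ids=$(resolve_ids) || exit 64
    uid=${ids% *}; gid=${ids#* }
    # Create the group and user only if those numeric IDs are not already taken.
    getent group "$gid" >/dev/null || groupadd --gid "$gid" app
    getent passwd "$uid" >/dev/null ||
        useradd --uid "$uid" --gid "$gid" --no-create-home --shell /usr/sbin/nologin app
    # Replace this shell with the real command, running without root.
    exec setpriv --reuid="$uid" --regid="$gid" --clear-groups -- "$@"
}

# Run only when invoked with a command (as ENTRYPOINT plus CMD does).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Files the service then writes to a bind-mounted volume carry the numeric owner passed in PUID/PGID, which is what the host sees regardless of user names inside the container.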

VadzimZ, 2021-04-30
@VadzimZ

Why fence these constructions inside the container with useradd --uid 1000 --gid 1000 if you can run containers with the --cgroupns host parameter, which will just forward the required uid and guid to the container?
And your files on the host will not change uid to root.

$  docker run -it --rm -v $(pwd):/app --cgroupns host debian:latest bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
bd8f6a7501cc: Pull complete 
Digest: sha256:ba4a437377a0c450ac9bb634c3754a17b1f814ce6fa3157c0dc9eef431b29d1f
Status: Downloaded newer image for debian:latest
[email protected]:/# cd app/
[email protected]:/app# ls -la
total 28
drwxrwxr-x 3 1000 1000 4096 Apr 30 11:58 .
drwxr-xr-x 1 root root 4096 Apr 30 13:59 ..
drwxrwxr-x 8 1000 1000 4096 Apr 30 11:59 .git
-rw-rw-r-- 1 1000 1000 1674 Apr 29 20:45 Dockerfile
-rw-rw-r-- 1 1000 1000  491 Apr 30 11:58 README.md
