unable to run docker as non-root user?

Question

I have tried this post and it did NOT help.

I have created jenkins user and add it to docker group.

I have also switched the user in dockerFile (see below).

I started the container as following

docker run -u jenkins -d -t -p 8080:8080 -v /var/jenkins:/jenkins -P docker-registry:5000/bar/helloworld:001

The container starts fine. but when I look at the process, this is what I have

root     13575     1  1 09:34 ?        00:05:56 /usr/bin/docker daemon -H fd://
root     28409 13575  0 16:13 ?        00:00:00 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.17.0.2 -container-port 8080

The first one is daemon. so I guess it is ok to be root. but the second one (which I have switched to jenkins user by issuing sudo su jenkins) is showing root. I started the docker as jenkins user. why this process belongs to root?

Here is my dockerfile

#copy jenkins war file to the container
ADD http://mirrors.jenkins-ci.org/war/1.643/jenkins.war /opt/jenkins.war
RUN chmod 644 /opt/jenkins.war
ENV JENKINS_HOME /jenkins


RUN useradd -d /home/jenkins -m -s /bin/bash jenkins
USER jenkins
ENV HOME /home/jenkins
WORKDIR /home/jenkins

# Maven settings
RUN mkdir .m2
ADD settings.xml .m2/settings.xml

ENTRYPOINT ["java", "-jar", "/opt/jenkins.war"]
EXPOSE 8080
CMD [""]

EDIT2

I am certain the container the running. I could attach to the container. I can also browse through web-ui of jenkins, which is only possible if the container has started without errors (jenkins run inside the container)

Here is my command inside the container

ps -ef | grep java
jenkins      1     0  7 19:29 ?        00:00:28 java -jar /opt/jenkins.war

ls -l /jenkins
drwxr-xr-x  2 jenkins jenkins 4096 Jan 11 18:54 jobs

But from the host file system, I see that the newly created "jobs" directory shows as user "admin"

ls -l /var/jenkins/
drwxr-xr-x  2 admin admin 4096 Jan 11 10:54 jobs

Inside the container, the jenkins process (war) is started by "jenkins" user. Once the jenkins starts, it writes to host file system under "admin" user.

Here is my entire dockerFile (NOTE: I don't use the one from here)

FROM centos:7
RUN yum install -y sudo
RUN yum install -y -q unzip
RUN yum install -y -q telnet
RUN yum install -y -q wget
RUN yum install -y -q git

ENV mvn_version 3.2.2

# get maven
RUN wget --no-verbose -O /tmp/apache-maven-$mvn_version.tar.gz http://archive.apache.org/dist/maven/maven-3/$mvn_version/binaries/apache-maven-$mvn_version-bin.tar.gz
# verify checksum
RUN echo "87e5cc81bc4ab9b83986b3e77e6b3095 /tmp/apache-maven-$mvn_version.tar.gz" | md5sum -c

# install maven
RUN tar xzf /tmp/apache-maven-$mvn_version.tar.gz -C /opt/
RUN ln -s /opt/apache-maven-$mvn_version /opt/maven
RUN ln -s /opt/maven/bin/mvn /usr/local/bin
RUN rm -f /tmp/apache-maven-$mvn_version.tar.gz
ENV MAVEN_HOME /opt/maven

# set shell variables for java installation
ENV java_version 1.8.0_11
ENV filename jdk-8u11-linux-x64.tar.gz
ENV downloadlink http://download.oracle.com/otn-pub/java/jdk/8u11-b12/$filename

# download java, accepting the license agreement
RUN wget --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" -O /tmp/$filename $downloadlink

# unpack java
RUN mkdir /opt/java-oracle && tar -zxf /tmp/$filename -C /opt/java-oracle/
ENV JAVA_HOME /opt/java-oracle/jdk$java_version
ENV PATH $JAVA_HOME/bin:$PATH

# configure symbolic links for the java and javac executables
RUN update-alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 20000 && update-alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 20000

# copy jenkins war file to the container
ADD http://mirrors.jenkins-ci.org/war/1.643/jenkins.war /opt/jenkins.war
RUN chmod 644 /opt/jenkins.war
ENV JENKINS_HOME /jenkins

#RUN useradd jenkins
#RUN chown -R jenkins:jenkins /home/jenkins
#RUN chmod -R 700 /home/jenkins
#USER jenkins

RUN useradd -d /home/jenkins -m -s /bin/bash jenkins
#RUN chown -R jenkins:jenkins /home/jenkins
USER jenkins
ENV HOME /home/jenkins
WORKDIR /home/jenkins

# Maven settings
RUN mkdir .m2
ADD settings.xml .m2/settings.xml
USER root
RUN chown -R jenkins:jenkins .m2
USER jenkins

ENTRYPOINT ["java", "-jar", "/opt/jenkins.war"]
EXPOSE 8080
CMD [""] 

Answer 1

The second process

root     28409 13575  0 16:13 ?        00:00:00 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.17.0.2 -container-port 8080

is NOT the process for your jenkins container but an internal process of the Docker engine to manage the network.

---

If, using the ps command, you cannot find the process which is supposed to run in your docker container, that means your docker container isn't running.

To ease figuring this out, start your container with the following command (adding --name test):

docker run --name test -u jenkins -d -t -p 8080:8080 -v /var/foo:/foo -P docker-registry:5000/bar/helloworld:001

Then type docker ps, you should see your container running. If not, type docker ps -a and you should see with which exit code it crashed.

If you need to know why it crashed, display its logs with docker logs test.

---

To look for the Jenkins process that runs from the official Jenkins docker image, use the following command:

ps aux | grep java

---

EDIT

why does the files seem to be owned by admin from the docker host point of view?

In your docker image, the jenkins user has UID 1000. You can easily verify this with the following command: docker run --rm -u jenkins --entrypoint /bin/id docker-registry:5000/bar/helloworld:001

uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)

On your docker host, UID 1000 is for the admin user. You can verify this with id admin which in your case shows:

uid=1000(admin) gid=1000(admin) groups=1000(admin),10(wheel)

The users which are available in a Docker container are not the ones from the docker host. However it might happen by coincidence that they have the same UID. This is why the ls -l command run on the docker host will tell you the files are owned by the admin user.

In fact the files are owned by the user of UID 1000 which happens to be named admin on the docker host and jenkins on your docker image.