batilei

Reputation: 431

Run docker as root versus non-root

I'm getting confused about "run docker as non-root vs root user".

First question (run as non-root user): based on Post-installation steps for Linux, to run docker as non-root, we create the docker group and add the user to it. Yet the article claims "The docker group grants privileges equivalent to the root user". So if I understand this sentence correctly, we don't run docker as root, but we run it as a user (in the docker group) who is as powerful as root?

Second question (run as root user): assume I followed the steps above (create docker group and add user to it). Yet I specify "USER root" in a Dockerfile (example below). When I run this container, it will run as root regardless of the setting above, correct?

FROM debian:stretch
USER root
CMD ["echo", "hello"]

Upvotes: 6

Views: 13404

Answers (2)

yamenk

Reputation: 51738

The docker group grants privileges equivalent to the root user

By default yes. This is also true for any user that can run a docker container on the machine.

The reason is that by default when you are running as root inside the container, this will map to root on the host machine. Thus you can bind some sensitive folders from the host onto the container, and execute privileged actions on those mounts since the user inside the container is root (pid 0).

The solution for that is to enable the user-namespace that basically would map the root user inside the container into a non-root user on the machine.

Second question (run as root user): assume I followed the steps above (create docker group and add user to it). Yet I specify "USER root" in a Dockerfile (example below). When I run this container, it will run as root regardless of the setting above, correct?

There are several points here:

  • By default, USER root is the default, so you don't have to specify it. (Unless the base image explicitly sets a user other than root)
  • From the perspective of the host machine, a docker container is just a normal process. Every process has an owner. This owner is the host machine user that executed the docker run command. The USER root instruction has nothing to do with this owner. The USER instruction only specifies the user inside the container that will start the process inside the container, which is different from the owner of the container.

Upvotes: 5
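An added audit script (not part of the question or either answer) that checks the two host-side settings this answer talks about: who is in the docker group, and whether user-namespace remapping (the userns-remap key in daemon.json) is configured. The group-file and daemon.json contents are constructed samples so the script runs offline; on a real host you would feed it /etc/group and /etc/docker/daemon.json.

```shell
# Added example, not code from the page. Inputs are constructed strings that
# stand in for /etc/group and /etc/docker/daemon.json.

# Constructed sample /etc/group: alice and bob are members of the docker group.
SAMPLE_GROUP='root:x:0:
docker:x:999:alice,bob
sudo:x:27:alice'

# Constructed sample daemon.json with user-namespace remapping turned on.
SAMPLE_DAEMON_JSON='{
  "userns-remap": "default",
  "log-driver": "json-file"
}'

# Print the members of the docker group, one per line, from group-file text.
# Each listed account can drive the daemon and is therefore root-equivalent.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { gsub(",", "\n", $4); print $4 }'
}

# Return 0 if the daemon.json text sets "userns-remap" to a non-empty value.
userns_remap_enabled() {
    printf '%s\n' "$1" | grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"'
}

# One-line summary: how many users hold docker-group (root-equivalent) access,
# and whether root inside containers is remapped to an unprivileged host user.
audit_docker_host() {
    members=$(docker_group_members "$1")
    count=$(printf '%s\n' "$members" | grep -c . || true)
    if userns_remap_enabled "$2"; then remap=enabled; else remap=disabled; fi
    printf 'docker group members: %s; userns-remap: %s\n' "$count" "$remap"
}

audit_docker_host "$SAMPLE_GROUP" "$SAMPLE_DAEMON_JSON"
```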

Ignacio Millán

Reputation: 8026

OK there are two different topics here:

Your first question refers to the permissions for your local linux users to access the docker socket (that means, to execute docker commands like docker run, docker ps, etc.). Docker daemon itself is always run by root, and by adding another user to the docker group you grant permissions to use that daemon.

But the second question refers to the user inside a container. It has nothing to do with the docker group mentioned above, nor with the user you use to run docker commands.

You can choose any user to run inside the containers with USER <any user> in your Dockerfile, regardless of the user you use outside the container to build or run that image.

Upvotes: 4
