Andrei Kopylov, our technical director, loves, actively uses and promotes Docker. In this article he explains how to create users in Docker: how to work with them correctly, why processes must not be left running as root, and how to solve the problem of mismatched identifiers in the Dockerfile.
Unless you specify otherwise, all processes in a container run as root. This seems very convenient, because this user has no restrictions, and that is exactly why working as root is wrong from a security standpoint. No one in their right mind works as root on their local computer, yet many people run processes as root inside containers.
There are always bugs that allow malware to break out of the container and reach the host. Assuming the worst, we must ensure that the processes inside the container run as a user who has no rights on the host machine.
Creating a user in a container is no different from creating one in a Linux distribution. However, the commands differ between base images.
For Debian-based images, add to the Dockerfile:
    RUN groupadd --gid 2000 node \
        && useradd --uid 2000 --gid node --shell /bin/bash --create-home node
For Alpine:
    RUN addgroup -g 2000 node \
        && adduser -u 2000 -G node -s /bin/sh -D node
To run all subsequent processes as the user with UID 2000, add:
    USER 2000
To run all subsequent processes as the node user, add:
    USER node
Read more in the documentation.
When mounting volumes into a container, make sure the user can read and/or write the files. For this, the UID (and GID) of the user inside the container must match those of the user outside the container who has the appropriate rights to the files. User names do not matter.
On a Linux computer the user often has UID and GID 1000: these identifiers are assigned to the first user created on the machine.
Finding your IDs is simple:
    id
You will get comprehensive information about your user.
Replace 2000 in the examples with your ID and everything will be fine.
If the user was created earlier but you need to change the identifiers, you can do it like this:
    RUN usermod -u 1000 node \
        && groupmod -g 1000 node
If you are using the Alpine base image, you need to install the shadow package first:
    RUN apk add --no-cache shadow
If your identifier and the identifiers of everyone who works on the project are the same, it is enough to put this identifier in the Dockerfile. However, user IDs often do not match.
How to achieve this is not immediately clear. For me it was the hardest part of mastering Docker. Many Docker users do not realize that an image has different stages in its life. First the image is built using the Dockerfile. Once a container is started from the image, the Dockerfile is no longer used.
Users should be created when the image is built. The same applies to choosing the user that processes run as. This means we somehow have to pass the UID (GID) into the build.
To use external variables in a Dockerfile, the ENV and ARG directives are used. A detailed comparison of the two directives is available in the Docker documentation.
Dockerfile:
    ARG UID=1000
    ARG GID=1000
    ENV UID=${UID}
    ENV GID=${GID}
    RUN usermod -u $UID node \
        && groupmod -g $GID node
You can pass the arguments through docker-compose like this:
docker-compose:
    build:
      context: ./src/backend
      args:
        UID: 1000
        GID: 1000
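The whole procedure above, tied together in a small build helper. This is an added example, not code from the original article: it generates a Dockerfile that creates the non-root user with the UID/GID passed as build arguments (choosing the Debian or Alpine commands by base image name), emits the docker build invocation that forwards the caller's own ids from id -u / id -g, and checks that a directory you intend to mount is owned by those ids. The user name "node" and the 2000 fallback ids mirror the article's examples; the base image name and the GNU stat -c option are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes a Linux host with GNU stat.

# gen_dockerfile BASE [USER]: print a Dockerfile for a Debian- or Alpine-based image
# that creates USER with the UID/GID supplied at build time and drops root.
gen_dockerfile() {
  base="$1"
  user="${2:-node}"
  case "$base" in
    alpine*|*:alpine*|*-alpine*)
      create="RUN addgroup -g \"\$GID\" $user \\
    && adduser -u \"\$UID\" -G $user -s /bin/sh -D $user" ;;
    *)
      create="RUN groupadd --gid \"\$GID\" $user \\
    && useradd --uid \"\$UID\" --gid $user --shell /bin/bash --create-home $user" ;;
  esac
  printf '%s\n' \
    "FROM $base" \
    "# Build-time ids; the defaults apply when nothing is passed with --build-arg." \
    "ARG UID=2000" \
    "ARG GID=2000" \
    "$create" \
    "# Everything after this line runs as the unprivileged user." \
    "USER $user"
}

# build_cmd IMAGE CONTEXT: the docker build invocation that forwards the caller's ids,
# so the user inside the image matches the developer who owns the mounted sources.
build_cmd() {
  printf 'docker build --build-arg UID=%s --build-arg GID=%s -t %s %s' \
    "$(id -u)" "$(id -g)" "$1" "$2"
}

# check_owner PATH UID GID: succeed only if PATH is owned by UID:GID, i.e. the
# container user with those ids will be able to read and write the mount.
check_owner() {
  [ "$(stat -c '%u:%g' "$1")" = "$2:$3" ]
}
```

Run `build_cmd app ./src/backend | sh` to build, and `check_owner ./src/backend "$(id -u)" "$(id -g)"` before mounting that directory.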
P.S. To master all the wisdom of Docker it is not enough to read documentation or articles. You need to practice a lot; you need to get a feel for Docker.
Source: https://habr.com/ru/post/448480/