How to manage users and groups when running Docker

Docker is a management tool that uses processes as its core to isolate system resources. Isolation is achieved through the cgroups (control groups) operating system kernel feature. This includes user parameter restrictions, account management, and isolation of resource (CPU, memory, disk I/O, network) usage. Docker can specify users and groups for processes in the container when it is running. If not specified, it defaults to root. However, due to isolation, security is not lost. Traditionally, specific applications are run as specific users, and the user or group to which the process in the container specifies the program does not need to be created in advance on the host.

Process control groups cgroups can mainly do the following things:

• Resource limit groups can be set to not exceed configured memory limits, which also includes the file system cache
• Prioritize certain groups to get a larger share of CPU utilization or disk I/O throughput
• Account accounting metrics group resource usage, for example, for billing purposes
• Controls freezing of group processes, checkpointing and restarting of processes

Related to cgroups (control process groups) is the concept of namespaces (command space).

There are six main types of name isolation in namespaces:

• The PID namespace provides isolation for the allocation of process identifiers (PIDs), the list of processes, and their details.
  

Although the new namespace is isolated from its peers, processes in its "parent" namespace still see all processes in the child namespace (albeit with different PID numbers).

• Network namespaces isolate network interface controllers (physical or virtual), iptables firewall rules, routing tables, etc. Network namespaces can be connected to each other using "veth" virtual Ethernet devices.
• The UTS namespace allows the hostname to be changed.
• The mount namespace allows creating different filesystem layouts, or making certain mount points read-only.
• IPC namespaces isolate System V inter-process communications through namespaces.
• User namespaces isolate user ids by namespace.

Ordinary user docker run root in container

For example, busybox can run software as root in a docker container. However, the docker container itself is still executed as a normal user.

Consider this situation

echo test | docker run -i busybox cat

The former is the current user's current system process, and the latter is transferred to the user and process in the container to run.

When running as PID 1 in a container, Linux will ignore the default behavior of the signal system and the process will not exit when it receives a SIGINT or SIGTERM signal unless your process is coded to do so. You can specify a stop signal via the Dockerfile STOPSIGNAL signal.

like:

STOPSIGNAL SIGKILL

Create a Dockerfile

FROM alpine:latest
RUN apk add --update htop && rm -rf /var/cache/apk/*
CMD ["htop"]

$ docker build -t myhtop . #Build image $ docker run -it --rm --pid=host myhtop #Run in the same namespace as the host process 

Ordinary user docker run specifies different users demo_user in the container

docker run --user=demo_user:group1 --group-add group2 <image_name> <command>

Here demo_user, group1 (primary group), and group2 (secondary group) are not the host's user and group, but are created when the container image is created.

When the running user is not specified through the USER instruction in the Dockerfile, the container will run the process as the root user.

How to specify a user in docker

Specify a user in the Dockerfile to run a specific command

USER <user>[:<group>] #or USER <UID>[:<GID>]

docker run -u(--user)[user:group] or --group-add parameter method

$ docker run busybox cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
...
www-data:x:33:33:www-data:/var/www:/bin/false
nobody:x:65534:65534:nobody:/home:/bin/false

$ docker run --user www-data busybox id
uid=33(www-data) gid=33(www-data)

Permissions of users in docker container

Compare the following situations, the files created by ordinary users in the host are mapped to the root user owner in the docker container:

$ mkdir test && touch test/a.txt && cd test
$ docker run --rm -it -v `pwd`:/mnt -w /mnt busybox /bin/sh -c 'ls -al /mnt/*' 
-rw-r--r-- 1 root root 0 Oct 22 15:36 /mnt/a.txt

The files created in the volume directory of the container correspond to the user currently executing Docker on the host:

$ docker run --rm -it -v `pwd`:/mnt -w /mnt busybox /bin/sh -c 'touch b.txt'
$ ls -al
-rw-r--r-- 1 xwx staff 0 10 22 23:36 a.txt
-rw-r--r-- 1 xwx staff 0 10 22 23:54 b.txt

Docker volume file access permissions

Create and use volumes. Docker does not support relative path mount points. Multiple containers can use the same volume at the same time.

$ docker volume create hello #Create volume hello

$ docker run -it --rm -v hello:/world -w /world busybox /bin/sh -c 'touch /world/a.txt && ls -al' #Total 8 files built into the container
drwxr-xr-x 2 root root 4096 Oct 22 16:38 .
drwxr-xr-x 1 root root 4096 Oct 22 16:38 ..
-rw-r--r-- 1 root root 0 Oct 22 16:38 a.txt

$ docker run -it --rm -v hello:/world -w /world busybox /bin/sh -c 'rm /world/a.txt && ls -al' #Delete total 8 from the container
drwxr-xr-x 2 root root 4096 Oct 22 16:38 .
drwxr-xr-x 1 root root 4096 Oct 22 16:38 ..

Create files externally and delete them as specified users in the container

$ touch c.txt && sudo chmod root:wheel c.txt
$ docker run -u 100 -it --rm -v `pwd`:/world -w /world busybox /bin/sh -c 'rm /world/c.txt && ls -al'

It can actually be deleted

rm: remove '/world/c.txt'? y
total 4
drwxr-xr-x 4 100 root 128 Oct 23 16:09 .
drwxr-xr-x 1 root root 4096 Oct 23 16:09 ..
-rw-r--r-- 1 100 root 0 Oct 22 15:36 a.txt
-rw-r--r-- 1 100 root 0 Oct 22 15:54 b.txt

Docker ordinary user's port permissions below 1024

 $ docker run -u 100 -it --rm -p 70:80 busybox /bin/sh -c 'nc -l -p 80'
nc: bind: Permission denied #When user id is 100, port 80 cannot be opened$ docker run -u 100 -it --rm -p 70:8800 busybox /bin/sh -c 'nc -l -p 8800' #When the container port is greater than 1024, you can...
 $ docker run -it --rm -p 70:80 busybox /bin/sh -c 'nc -l -p 80' #You can also use root in the container...

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.