What is the difference between docker run parameters:
-u, --user="" Sets the username or UID used and optionally the groupname or GID for the specified command. The following examples are all valid: --user [user | user:group | uid | uid:gid | user:gid | uid:group ] Without this argument the command will be run as root in the container.
and
--group-add=[] Add additional groups to run as?
The Docker daemon always runs as the root user. If you don't want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.
Docker Run vs Docker Exec! This is a fairly common question – but has a simple answer! In short, docker run is the command you use to create a new container from an image, whilst docker exec lets you run commands on an already running container! Easy!
RUN is an image build step, the state of the container after a RUN command will be committed to the container image. A Dockerfile can have many RUN steps that layer on top of one another to build the image. CMD is the command the container executes by default when you launch the built image.
Docker follows a client-server architecture with three main components: Docker Client, Docker Host, and Docker Registry.
docker run --user=demo_user <image_name> <command>
runs a container with the given command as demo_user
docker run --user=demo_user:group1 <image_name> <command>
runs a container with the given command as demo_user whose primary group is set to group1
docker run --user=demo_user:group1 --group-add group2 <image_name> <command>
runs a container with the given command as demo_user whose primary group is set to group1, with group2 as a secondary group of the user
NOTE: users and groups used for these options MUST have been created in the image of which we are creating a container.
If the --group-add option alone is specified without --user and the image does NOT have any user declared (user should have been created but not declared via USER instruction in Dockerfile from which the image got created), group modifications happen to the root user in the container.
If the --group-add option alone is specified without --user and the image does have the user declared (via USER instruction in Dockerfile from which the image got created), group modifications happen to the declared user in the container.
When you create a Docker image, you can also create users and groups inside it. Those options allow you to connect as a specific user (-u) and with additional groups (--group-add).
In other words, when you execute a process in a Docker container, you do so as the provided user, and its groups (defined in the system). You can tell the system that the current user has additional groups by using the --group-add flag, for the process' lifetime.
Check out the documentation here: https://docs.docker.com/engine/reference/run/#/additional-groups
$ docker run --rm --group-add audio --group-add nogroup --group-add 777 busybox id
uid=0(root) gid=0(root) groups=10(wheel),29(audio),99(nogroup),777
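A way to check what identity a container process ends up with, as an added example that is not part of the original answers: it parses the `id` output quoted above and flags uid 0, gid 0 and any supplementary group outside an allow-list. The function names and the allow-list argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit the identity a container process actually gets.
# SAMPLE is the `id` output quoted above (busybox, no --user, three --group-add flags).
SAMPLE='uid=0(root) gid=0(root) groups=10(wheel),29(audio),99(nogroup),777'

# id_field LINE KEY: print the value of the uid=, gid= or groups= field.
id_field() {
    for tok in $1; do
        case $tok in "$2="*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    return 0   # a missing field prints nothing
}

# id_groups LINE: print one "GID NAME" pair per line. NAME is "-" when the
# GID has no /etc/group entry in the image (777 in the sample).
id_groups() {
    id_field "$1" groups | tr ',' '\n' | while IFS= read -r g; do
        [ -n "$g" ] || continue
        case $g in
            *'('*')') name=${g#*\(}; name=${name%\)} ;;
            *)        name=- ;;
        esac
        printf '%s %s\n' "${g%%\(*}" "$name"
    done
}

# audit_id LINE "ALLOWED_GIDS": print one finding per line and return 1 if
# the process is uid 0, has primary gid 0, or holds a supplementary group
# that is not in the space-separated allow-list (hypothetical policy input).
audit_id() {
    uid=$(id_field "$1" uid); gid=$(id_field "$1" gid)
    findings=$(
        if [ "${uid%%\(*}" = 0 ]; then echo "uid 0: running as root"; fi
        if [ "${gid%%\(*}" = 0 ]; then echo "gid 0: primary group is root"; fi
        id_groups "$1" | while read -r num name; do
            case " $2 " in
                (*" $num "*) ;;
                (*) echo "group $num ($name) not in allow-list" ;;
            esac
        done
    )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# Live use (needs Docker, so commented out; placeholders as in the answer above):
#   audit_id "$(docker run --rm --user=demo_user:group1 --group-add group2 <image_name> id)" "<allowed gids>"
audit_id "$SAMPLE" "29 99" || echo "identity check failed"
```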