
Difference between docker run --user and --group-add parameters

Tags: docker

What is the difference between docker run parameters:

   -u, --user=""
      Sets the username or UID used and optionally the groupname or GID for the specified command.

      The followings examples are all valid:
      --user [user | user:group | uid | uid:gid | user:gid | uid:group ]

      Without this argument the command will be run as root in the container.

and

   --group-add=[]
      Add additional groups to run as

?

luka5z asked Dec 12 '16 11:12




2 Answers

docker run --user=demo_user <image_name> <command> runs a container with the given command as demo_user.

docker run --user=demo_user:group1 <image_name> <command> runs a container with the given command as demo_user, whose primary group is set to group1.

docker run --user=demo_user:group1 --group-add group2 <image_name> <command> runs a container with the given command as demo_user, whose primary group is set to group1, with group2 as a secondary group of the user.

NOTE: users and groups used for these options MUST have been created in the image from which we are creating a container. If the --group-add option alone is specified without --user and the image does NOT have any user declared (the user should have been created but not declared via a USER instruction in the Dockerfile from which the image was created), group modifications happen to the root user in the container.

If the --group-add option alone is specified without --user and the image does have the user declared (via a USER instruction in the Dockerfile from which the image was created), group modifications happen to the declared user in the container.

Yuva answered Sep 26 '22 01:09


When you create a Docker image, you can also create users and groups inside it. Those options allow you to connect as a specific user (-u) and with additional groups (--group-add).

In other words, when you execute a process in a Docker container, you do so as the provided user, and its groups (defined in the system). You can tell the system that the current user has additional groups by using the --group-add flag, for the process' lifetime.

Check out the documentation here: https://docs.docker.com/engine/reference/run/#/additional-groups

$ docker run --rm --group-add audio --group-add nogroup --group-add 777 busybox id
uid=0(root) gid=0(root) groups=10(wheel),29(audio),99(nogroup),777
Alexandre FILLATRE answered Sep 26 '22 01:09
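
Added example, not part of either answer and not Docker's own code: a simplified Python model of the rules the two answers describe, run against constructed /etc/passwd and /etc/group contents so that it reproduces the busybox output above. It assumes that memberships listed in /etc/group are applied only when --user names no group, and that an unlisted numeric UID gets GID 0; all helper names are hypothetical.

```python
# Added example: simplified model of how `docker run` picks the process identity.
# PASSWD and GROUP are constructed stand-ins for the image's /etc/passwd and /etc/group.
PASSWD = "root:x:0:0::/root:/bin/sh\ndemo_user:x:1000:1000::/home/demo_user:/bin/sh"
GROUP = ("root:x:0:\nwheel:x:10:root\naudio:x:29:\nvideo:x:44:demo_user\n"
         "nogroup:x:99:\ndemo_user:x:1000:\ngroup1:x:2001:\ngroup2:x:2002:")


def parse(text):
    """Split passwd/group text into colon-separated records."""
    return [line.split(":") for line in text.splitlines() if line]


def lookup(rows, key, kind):
    """Find a record by name or numeric id (field 2)."""
    for row in rows:
        if key in (row[0], row[2]):
            return row
    if key.isdigit():
        # A bare numeric id needs no entry in the image (777 in the answer above).
        # Assumption: an unlisted numeric uid gets primary gid 0.
        return [None, "x", key, "0"]
    raise ValueError(f"{kind} {key!r} does not exist in the image")


def resolve(user=None, group_add=(), image_user=None):
    """Return (uid, gid, supplementary gids) for --user / --group-add."""
    users, groups = parse(PASSWD), parse(GROUP)
    spec = user or image_user or "root"   # --user, else Dockerfile USER, else root
    name, _, group = spec.partition(":")
    entry = lookup(users, name, "user")
    uid, gid, extra = int(entry[2]), int(entry[3]), []
    if group:
        gid = int(lookup(groups, group, "group")[2])   # explicit primary group
    elif entry[0]:
        # Assumption: memberships from /etc/group apply only when no group is given.
        extra = [int(g[2]) for g in groups if entry[0] in g[3].split(",")]
    for g in group_add:                   # --group-add appends secondary groups
        g_id = int(lookup(groups, g, "group")[2])
        if g_id not in extra:
            extra.append(g_id)
    return uid, gid, extra


def id_line(uid, gid, extra):
    """Render the identity the way `id` prints it."""
    unames = {int(r[2]): r[0] for r in parse(PASSWD)}
    gnames = {int(r[2]): r[0] for r in parse(GROUP)}
    show = lambda i, names: f"{i}({names[i]})" if i in names else str(i)
    line = f"uid={show(uid, unames)} gid={show(gid, gnames)}"
    return line + (" groups=" + ",".join(show(g, gnames) for g in extra) if extra else "")
```

Resolving the identity this way before launch shows when a container would still run as root, or would pick up a group it was not meant to have, because --group-add was passed without --user.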