Even after going through lot of materials and SO answers still I'm not clear on docker uid/user usage or implementation. I understand the below points: <ol> <li>An instance of an image is called a container.</li> <li>uid/gid is maintained by the underlying kernel, not by Container.</li> <li>Kernel understand uid/gid number not username/groupname and name is an alias and just for human readable.</li> <li>All containers are processes maintained by docker daemon and will be visible as process in host machine (ps -ef)</li> <li>root (id = 0) is the default user within a container and this can be changed either by USER instruction in Dockerfile or by passing -u flag in docker run</li> </ol> With the above all said, when I have the below command in my Dockerfile, I presume that a new user (<code>my-user</code>) will be created with incremented uid. <pre class="prettyprint"><code>RUN addgroup my-group && adduser -D my-user -G my-group </code></pre> <ul> <li>What happens if I run the same image multiple times i.e multiple containers? Will the same <code>uid</code> be assigned to all processes?</li> <li>What happens if I add same above command in another image and run that image as container? - will I get new <code>uid</code> or same <code>uid</code> as the previous one?</li> <li>How the <code>uid</code> increment happens in Container in relation with the host machine.</li> </ul> Any pointers would be helpful.

Absent user namespace remapping, there are only two things that matter: <ol> <li>What the numeric user ID is; and</li> <li>What's in the <code>/etc/passwd</code> file.</li> </ol> Remember that each container and the host have separate filesystems, so each of these things could have separate <code>/etc/passwd</code> files. <blockquote> What happens if I run the same image multiple times i.e multiple containers? Will the same uid be assigned to all processes? </blockquote> Yes, because each container gets a copy of the same <code>/etc/passwd</code> file from the image. <blockquote> What happens if I add same above command in another image and run that image as container? - will I get new uid or same uid as the previous one? </blockquote> It depends on what <code>adduser</code> actually does; it could be the same or different. <blockquote> How the uid increment happens in Container in relation with the host machine. </blockquote> They're completely and totally independent. Also remember that you can <code>docker push</code>/<code>docker pull</code> a built image to run it on a different host. That will bring the image's <code>/etc/passwd</code> file along with it, but the host environment could be totally different. Correspondingly, it's not a best practice to try to match some specific host's uid mapping in a Dockerfile, because it will be wrong if you try to run the same image anywhere else.

Understanding Docker user/uid creation

Tags:

docker

dockerfile

containers

Even after going through lot of materials and SO answers still I'm not clear on docker uid/user usage or implementation.

I understand the below points:

An instance of an image is called a container.
uid/gid is maintained by the underlying kernel, not by Container.
Kernel understand uid/gid number not username/groupname and name is an alias and just for human readable.
All containers are processes maintained by docker daemon and will be visible as process in host machine (ps -ef)
root (id = 0) is the default user within a container and this can be changed either by USER instruction in Dockerfile or by passing -u flag in docker run

With the above all said, when I have the below command in my Dockerfile, I presume that a new user (my-user) will be created with incremented uid.

RUN addgroup my-group && adduser -D my-user -G my-group

What happens if I run the same image multiple times i.e multiple containers? Will the same uid be assigned to all processes?
What happens if I add same above command in another image and run that image as container? - will I get new uid or same uid as the previous one?
How the uid increment happens in Container in relation with the host machine.

Any pointers would be helpful.

813

asked Apr 09 '19 04:04

Haran

1 Answers

Absent user namespace remapping, there are only two things that matter:

What the numeric user ID is; and
What's in the /etc/passwd file.

Remember that each container and the host have separate filesystems, so each of these things could have separate /etc/passwd files.

What happens if I run the same image multiple times i.e multiple containers? Will the same uid be assigned to all processes?

Yes, because each container gets a copy of the same /etc/passwd file from the image.

What happens if I add same above command in another image and run that image as container? - will I get new uid or same uid as the previous one?

It depends on what adduser actually does; it could be the same or different.

How the uid increment happens in Container in relation with the host machine.

They're completely and totally independent.

Also remember that you can docker push/docker pull a built image to run it on a different host. That will bring the image's /etc/passwd file along with it, but the host environment could be totally different. Correspondingly, it's not a best practice to try to match some specific host's uid mapping in a Dockerfile, because it will be wrong if you try to run the same image anywhere else.

answered Oct 02 '22 11:10

David Maze

Related questions
                            
                                Why is my Docker Symfony project consuming so much memory?
                            
                                Creating complex object from key/value pairs
                            
                                Docker: How to start an existing container and forward the ports?
                            
                                flyway unable to connect to postgres container within docker-entrypoint-initdb.d script
                            
                                Accessing Files on a Windows Docker Container Easily
                            
                                Scaling chat log workers horizontally
                            
                                testing local subdomain with nginx and docker
                            
                                Run "apereo/cas" docker image prints "Failed to start connector" error
                            
                                How to start intermediate ca using docker-compose?
                            
                                Docker automatically rerun npm install on package.json change
                            
                                unable to install the asp.net core development certificate tool (dev-certs)
                            
                                Docker compose wait for database service initialisation
                            
                                Laravel with Docker issue connecting MySQL
                            
                                Add a particular version of R to a docker container
                            
                                AspNetCore.WsFederation get signin-wsfed redirect to HTTP when original request is HTTPS
                            
                                dotnet build with version is not working in docker
                            
                                Pycharm - Type hints are not installed
                            
                                Why elastic-search container memory usage keeps increasing with little use?
                            
                                Create new django project in pycharm: "Remote path not provided"
                            
                                How to start CosmosDB emulator with docker-compose?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With