What is the concept of user in Docker and how does permission work in volume?

Tags:

docker

I can't understand the concept of user in Docker.

These are my questions:

  1. Does each Docker container have its own users and groups, or do Docker containers use the host's user management?

  2. What is the --user parameter that we pass to the docker run command?

  3. Is it possible for a Docker container or the Docker daemon to create a user on the host OS?

  4. How do ownership and file permissions work in a Docker volume?

For the 4th question imagine I have the following volume:

--volume /var/run/docker.sock:/var/run/docker.sock

And the results of the ls and id commands on the host OS are as follows:

root@tashkhisi:/var/run# ls -l docker.sock
srw------- 1 root docker 0 Jul 30 18:44 docker.sock

root@novinhost:/var/run# id -u  root
0

Does it mean I can only access that file from within the Docker container with a user whose id is 0 inside the Docker container?
I mean, does the container see that file with the original file permissions but with its own users?

Please don't focus on the /var/run/docker.sock file; I just want to know how permissions work.
I only used it because it is a common use case.

Tashkhisi asked Jul 31 '20 07:07


2 Answers

Yes, each container has its own set of users. If you look at the user IDs inside the container, you will find very large numbers (which is completely fine in Linux), which are individually created. Dockerd has a range of UIDs which it uses for that.

The --user option is just a shortcut for running su; it switches from the default of root to another user for the invocation of the first command inside the container.

You cannot normally create host users from inside the container (unless you hack your way out of the container, or do weird stuff like mounting the /etc of the host into the container... which is probably not what you're asking about); and the daemon (which itself is not containerized, of course) does not do it either.

For your final question: mounting host volumes generally leads to permission issues - if you, for example, create files inside the container, they will end up with the large UIDs on the host side (i.e., the temporary UIDs I mentioned above). In your case, only root has access to that file per default. You'll need to chown as appropriate. You can run docker run --user uid:group and thus override the temporary UIDs/GIDs which dockerd normally creates for you.

But your specific question seems to be about something called "docker in docker" or "dind", where you run docker commands from inside a docker container by mounting the host docker socket into the container. Please google for that or ask more specific questions. There should be plenty of tutorials etc. out there.

Also, a final hint: it is possible to run the docker daemon itself as a non-root user. For this I would also refer you to google or the Docker documentation, since you're not asking about it so far and things will get quite convoluted if you go that route...

AnoE answered Nov 15 '22 06:11


Does each docker container have its own users and groups?

Yes.

Do docker containers use the host user management?

No.

What is the --user parameter that we pass to the docker run command?

The documentation for docker run --user is short, so I will paraphrase the documentation for the Dockerfile USER command:

root (id = 0) is the default user within a container. The image developer can create additional users. Those users are accessible by name. The developer can choose a user to run the first process with the --user command line option.

Is it possible for a docker container or the docker daemon to create a user on the host OS?

You can start sshd on your host, log in from the docker container to the host via ssh and do what you would normally do.


The phrase "user management" is a big term for the linux world. It's simple: the list of users and groups is stored in a few files like /etc/passwd, /etc/shadow and /etc/groups. These are files stored in text format, no magic. When you add a line to /etc/passwd you have a new user. When you remove a line from /etc/passwd with any text editor, you have just removed a user. A docker container has a separate filesystem, so it has a separate /etc/ directory, so it has its own copies of these files, so it has separate users and groups.


How do ownership and file permissions work in a docker volume?

There are no differences. There is no point in explaining here how the *unix user-group-other permission model works; refer to endless net resources...

Does it mean I can only access that file from within the docker container with a user whose id is 0 inside the docker container?

Yes - the permissions are rw-------...

I mean, does the container see that file with the original file permissions but with its own users?

Yes.

The --volume option is just a mount -o bind.

KamilCuk answered Nov 15 '22 06:11
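The point both answers make for question 4, as an added example that is not from the question or either answer: the bind mount hands the container the host inode with its numeric uid, gid and mode bits untouched, while the container's own /etc/passwd and /etc/group only translate names to numbers. The host gid 999 for the docker group, the container user "app" and the container's passwd/group contents are constructed, and the check is a simplified model of the kernel's user/group/other test.

```python
import stat

# Constructed sample: host-side metadata of the /var/run/docker.sock from the
# question (owner uid 0; gid 999 is an assumed id for the host 'docker' group).
HOST_SOCK_0600 = {"uid": 0, "gid": 999, "mode": 0o140600}  # srw------- (as shown)
HOST_SOCK_0660 = {"uid": 0, "gid": 999, "mode": 0o140660}  # srw-rw---- (constructed)

# Constructed /etc/passwd and /etc/group as a container image might ship them.
# The container's own 'docker' group is gid 1500, unrelated to the host's 999.
CONTAINER_PASSWD = "root:x:0:0:root:/root:/bin/bash\napp:x:1000:1000::/home/app:/bin/sh\n"
CONTAINER_GROUP = "root:x:0:\ndocker:x:1500:app\napp:x:1000:\n"

def resolve_user(spec, passwd=CONTAINER_PASSWD, group=CONTAINER_GROUP):
    """Resolve a --user spec ('name', 'uid' or 'uid:gid') with the container's own
    passwd/group files (simplified model). Returns (uid, gid, supplementary gids)."""
    users = {f[0]: (int(f[2]), int(f[3]))
             for f in (line.split(":") for line in passwd.splitlines() if line)}
    uid_part, _, gid_part = spec.partition(":")
    if uid_part.isdigit():
        uid = int(uid_part)
        name = next((n for n, (u, _) in users.items() if u == uid), None)
        gid = users[name][1] if name else uid
    else:
        name, (uid, gid) = uid_part, users[uid_part]
    if gid_part:
        gid = int(gid_part)  # an explicit gid is taken as a number, no lookup
    sup = {gid}
    for line in filter(None, group.splitlines()):
        g = line.split(":")
        if name and name in g[3].split(","):
            sup.add(int(g[2]))
    return uid, gid, sup

def may_access(uid, gid, groups, host_file, want="rw"):
    """Kernel-style user/group/other check on the bind-mounted inode: numeric ids
    only, so container /etc/passwd names play no part (CAP_DAC_OVERRIDE not modelled)."""
    mode = stat.S_IMODE(host_file["mode"])
    if uid == host_file["uid"]:
        bits = (mode >> 6) & 7
    elif gid == host_file["gid"] or host_file["gid"] in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    need = (4 if "r" in want else 0) | (2 if "w" in want else 0)
    return bits & need == need

def can_reach_socket(spec, host_file=HOST_SOCK_0600):
    """Would a process started with `docker run --user SPEC` be able to open the socket?"""
    return may_access(*resolve_user(spec), host_file)
```

With the socket at srw------- only a container process with uid 0 gets in; `--user 1000:999` only helps once the host file also grants its group rw, which is why the first answer points to chown (or, here, the group mode) rather than to the container's user names.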