Overview
As a root user, one can run all the docker commands by connecting to its Daemon; without any restrictions. But we can not give root access to everyone on the system as it is unsafe.
So we need to figure out ways to give docker access to non-root users. This is what we will explore in this lab. Along with this, we’ll see how we can run programs as non-root users, inside the containers we create.
Prior Knowledge
Before moving further, one needs to know about users, group and sudo access inside Linux.
Users
Linux makes it possible for multiple users to login at once and use the system independently. Linux system stores user information into /etc/passwd file. User Passwords are stored in /etc/shadow file and encrypted with a one way hash function.
- Root user: When the system is installed it creates a root account with password protected and only the admin knows the password. Root user account has all the access as a superuser. It can access all the programs, files and resources on the system. The user id 0 gives the root user all the privileges. Admin can give custom names instead of root but some applications run with root user name only.
- Non-root users: Non-admin users, can run only specific set of commands as per their roles and permissions given. Two types of Users in non-root user category. Users with admin privileges and users with non-admin privileges.
- To get the name of current user
id
- To switch the user
su - <username>
- To change the password of current login account
passwd
- To see users information
cat /etc/passwd
Groups
The collection of users is called group in Linux. With groups, it becomes easy to manage and deal with multiple users at once, especially in terms of permissions. There are two types of groups in Linux: primary and secondary. Each user is a member of one primary group and up to 15 secondary groups.
- To list all primary groups
groups
- The Linux system stores all groups into /etc/group file.
cat /etc/group
sudo Access
sudo is an acronym for Super User Do . By giving sudo access to any user we can control what all commands a user can run in the privileged mode. The user needs to run the commands with the sudo prefix, if he/she wants to run as superuser, like the following:-
sudo apt update
To add sudo access we need to update the /etc/sudoers file, which we can do with visudo command. If we want we can give permission, equivalent to the root user.
<username> ALL=(ALL:ALL) ALL
You can know more about sudo from here.
Prerequisite
Hands-on involvement is essential to convert theoretical knowledge into practical skills. We will do the experiment on your local Linux machine. If you are using windows or MacOS, You can install Linux on top of VM.
How To Run Docker Via Non-root User Login?
There are two ways to run docker commands as a non-root user. One is by giving sudo access to normal users, which we already covered earlier. The other way is to add normal users to the docker group, which we’ll explore now. Please follow the steps below :-
Step 1: Install docker.
- To Install docker for ubuntu distribution of Linux as root user
apt update && apt install docker.io -y
- First check if the docker group is available or not
cat /etc/group | grep docker
Figure 1: print docker group if available
As some Linux distributions provide a docker group with installation. If it is available skip step 2.
Step 2: Create a docker group.
sudo groupadd docker
Step 3: Add user to docker group.
- To create a custom account named dev
adduser dev
Figure 2: partial output of adding user
- To add the existing dev user in docker group
sudo usermod -aG docker dev
OR
Create a new user account with primary and secondary groups, if the primary group with -g is not assigned it will automatically take the username as a primary group.
useradd -g <primary-grup> -G docker <user-name>
Step 4 : Check user availability.
cat /etc/group | grep docker
Figure 3: Add user in docker group and verify
Step 5: Run docker command as a normal user.
- To login as normal user
su - dev
- Now, Let’s try to run some commands in container created by non-root user.
docker container run --name mycont -it nginx sh
Figure 5: create and run container with non-root user
While we are here, let us also see how we can run programs as non-root users, inside the containers we create.
Running Programs as non-root user, inside the Container
Generally, if you run a container and check the user id or group id, it is set to 0; which means that we are running the program as the admin user, in the context of the container.
docker run --rm alpine id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
This is not a good practice. One way is to fix it by providing the uid/gid, while running the containers like following :-
docker run --rm -u 1001:1001 alpine id
uid=1001 gid=1001 groups=1001
But this may cause problems to the programs which we are not configured to run as non-root users, inside the containers; unless we do so. So a better approach is to configure the default user/group and the program accordingly inside the Dockerfile. Let’s see an example of the same.
Step 1: Create a Dockerfile.
- To write a Dockerfile
vim Dockerfile
FROM centos:7 RUN useradd -u 1001 testuser USER testuser CMD ["/bin/sleep", "200"]
Step 2: Build an Image.
- To build an image from the Dockerfile
docker build -t cloudyuga/test:learn .
docker image ls
Step 3: Create and run a container from the previous step image
- To create and run container and retrive user detail
docker run --rm -d --name testc cloudyuga/test:learn
Step 4: Verify the user and ownership of the program running inside the container
docker exec testc id
docker exec testc ps aux
We can see the uid and gid are set to 1001 and the sleep program runs with the user testuser. Also if we inspect the container we’ll see the user is set to testuser.
docker inspect testc --format '{{.Config.User}} {{.Name}}'Note: container name is added with username.
Conclusion
So in this hands-on lab, we have seen how we can run Docker commands as a non-root user. We also covered how we can run programs as non-root users, inside the containers.
