
Overview
By default only the root user can talk to the Docker daemon, and working as root all the time is not safe. To reduce that risk, non-root users are given limited access and run Docker with it. This hands-on lab shows, with a demo, how an admin can set up Docker for non-root users.
Why does docker need non-root user access?
The main reasons for non-root user access in Docker are:
- Security: To create a secure environment for containerized applications, Docker needs to be usable without root. The docker run command asks the Docker daemon to create the container. If containers run as root, anyone inside them can run any process, change UIDs, read secrets and attack the Docker daemon.
- Support for multiple platforms: Some container orchestrators, such as OpenShift, do not allow containers to run as root. Running Kubernetes pods as root is not recommended, and some containers are restricted from root access.
Prior Knowledge
Before moving further, one needs to know about
- Users
- Groups
- Sudo
1) Users: Linux allows multiple people to log in at once and use the system independently. The system stores user information in the /etc/passwd file. User passwords are stored in the /etc/shadow file, protected with a one-way hash function.
- Root user: When the system is installed it creates a root account, protected by a password that only the admin knows. The root account has all the access of a superuser: it can reach every program, file and resource on the system. The user ID 0 is what gives the root user all its privileges. An admin can give the account a custom name instead of root, but some applications only work with the user name root.
- Non root users: Non-admin users can run specific commands according to the roles and permissions they are given. There are two types of users in the non-root category: users with admin privileges and users without admin privileges.
- To get the name of current user
id
- To switch the user
su <username>
- To change the password of current login account
passwd
- To see users information
cat /etc/passwd
2) Groups: A collection of users is called a group in Linux. Groups make it easy to manage and deal with multiple users at once, especially in terms of permissions. There are two types of groups in Linux: primary and secondary. Each user is a member of one primary group and up to 15 secondary groups.
- To list all primary groups
groups
- The Linux system stores all groups in the /etc/group file.
cat /etc/group
3) Sudo privilege: By adding the sudo prefix to any command in Linux, we can execute it as the superuser. Sudo is an acronym for "Super User Do". Users who wish to use the sudo command must have an entry in the /etc/sudoers file. Edit this file with visudo.
How To Run Docker Via Non-root User Login?
There are two ways to run a docker container as a non-root user.
1) Configure Linux Machine to Run Docker As Non-Root User
Follow the steps given below to configure the Linux machine.
Step 1: Install docker.
- To install Docker on the Ubuntu distribution of Linux as the root user
apt update && apt install docker.io -y
- First check whether the docker group already exists
cat /etc/group | grep docker

Some Linux distributions create a docker group during installation. If it is already present, skip step 2.
Step 2: Create a docker group.
sudo groupadd docker
Step 3: Add user to docker group.
- To create a custom account named dev
adduser dev

- To add the existing dev user in docker group
sudo usermod -aG docker dev

OR
Create a new user account with its primary and secondary groups in one step. If no primary group is assigned with -g, a group named after the user is used as the primary group.
useradd -g <primary-group> -G docker <user-name>
Step 4: Check that the user appears in the docker group.
cat /etc/group | grep docker
Step 5: Run docker command as a normal user.
- To login as normal user
su dev

docker container run --name mycont -it nginx sh
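Before handing out docker group membership, it is worth knowing exactly who already has it: the daemon runs as root, so anyone who can reach its socket is effectively root on the host, and the group deserves the same scrutiny as /etc/sudoers. The shell script below is an added example, not part of the original lab. It audits the docker group in a group file; the embedded /etc/group sample and the user names dev, ci and admin are constructed for the demo, and a real audit would pass /etc/group instead.

```shell
#!/bin/sh
# Added example: audit who can reach the Docker daemon via the docker group.

# Constructed sample of an /etc/group file (not taken from any real system).
GROUP_FILE="${TMPDIR:-/tmp}/group.sample.$$"
write_sample_group_file() {
  cat > "$GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:admin
docker:x:999:dev,ci
dev:x:1001:
EOF
}

# Print the comma-separated secondary members of a group.
# Usage: group_members <group> <group-file>
group_members() {
  awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Exit 0 if <user> is listed as a member of <group> in <group-file>.
# Usage: user_in_group <user> <group> <group-file>
user_in_group() {
  group_members "$2" "$3" | tr ',' '\n' | grep -qx -- "$1"
}

# Summarise docker group membership. Members can start containers that
# bind-mount the host filesystem, so the list is root-equivalent.
audit_docker_group() {
  members=$(group_members docker "$1")
  if [ -z "$members" ]; then
    echo "docker group absent or empty: only root can reach the daemon"
    return 0
  fi
  echo "root-equivalent via docker group: $members"
}

# Show the socket's group as well, when this runs on a Docker host:
# the group that owns /var/run/docker.sock is the one that matters.
docker_socket_group() {
  if [ -S /var/run/docker.sock ]; then
    ls -l /var/run/docker.sock | awk '{ print $4 }'
  else
    echo "no docker socket on this machine"
  fi
}

# Demo on the constructed file.
write_sample_group_file
audit_docker_group "$GROUP_FILE"
user_in_group dev docker "$GROUP_FILE" && echo "dev can run docker without sudo"
echo "socket group: $(docker_socket_group)"
rm -f "$GROUP_FILE"
```

Run it after Step 4 as `sh audit-docker-group.sh` on the host; to audit the real machine, change GROUP_FILE to /etc/group or call the functions with that path.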

2) Create User Account via Dockerfile
Declare a user in the Dockerfile so that whenever a container is run from the image built from it, the process runs as that user instead of root.
Step 1: Create a Dockerfile.
- To write a Dockerfile
vim Dockerfile
Step 2: Build an Image.
- To build an image from the Dockerfile
sudo docker build -t pratikshahp/test:learn .

- To get the image list
docker image ls

Step 3: Create and run a container from the image built in the previous step and verify the user.
- To create and run a container and retrieve the user details
sudo docker run --rm pratikshahp/test:learn id

OR
- To create a container and run with the image created via Dockerfile
sudo docker run -it --name user_cont pratikshahp/test:learn sh

- To detach from the container
- To inspect the container to get who is the owner of a container
docker inspect $(docker ps -q) --format '{{.Config.User}} {{.Name}}'
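Step 1 above opens a Dockerfile but does not show its contents. The shell script below is an added example, not the author's Dockerfile: it writes a sample Dockerfile that creates the dev account at build time and switches to it with USER, writes the same image without a USER line for comparison, and provides a small check that reports which user a Dockerfile's processes will end up running as. The base image alpine:3.19, the UID 1001 and the build directory are assumptions for the demo; the image tag is the one used in the lab.

```shell
#!/bin/sh
# Added example: a Dockerfile that drops to a non-root user, plus a check
# that flags Dockerfiles whose final USER still leaves the process as root.

WORKDIR="${TMPDIR:-/tmp}/nonroot-demo.$$"

# Sample Dockerfile for the lab's Step 1 (user name, UID and base image
# are assumptions). Prints the path it wrote.
write_nonroot_dockerfile() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/Dockerfile" <<'EOF'
FROM alpine:3.19
# Create an unprivileged account at build time; -S makes a system user
# with no password, so nobody can log in as it.
RUN addgroup -S -g 1001 dev && adduser -S -u 1001 -G dev dev
WORKDIR /app
COPY --chown=dev:dev . /app
# Every later instruction and the container's main process run as
# uid 1001 instead of root.
USER dev
CMD ["id"]
EOF
  printf '%s\n' "$WORKDIR/Dockerfile"
}

# The same image without a USER line: its processes run as uid 0.
write_root_dockerfile() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/Dockerfile.root" <<'EOF'
FROM alpine:3.19
WORKDIR /app
CMD ["id"]
EOF
  printf '%s\n' "$WORKDIR/Dockerfile.root"
}

# Print the user the image's processes run as: the last USER instruction
# wins (a "user:group" or numeric form is reduced to its user part), and a
# Dockerfile with no USER line runs as root. Comment lines are ignored.
effective_user() {
  u=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 \
        | awk '{ print $2 }' | cut -d: -f1)
  printf '%s\n' "${u:-root}"
}

# Exit 0 when the Dockerfile leaves the process running as root.
runs_as_root() {
  case "$(effective_user "$1")" in
    root|0) return 0 ;;
    *)      return 1 ;;
  esac
}

# Demo: write both files and report on each.
nonroot=$(write_nonroot_dockerfile)
rootfile=$(write_root_dockerfile)
for f in "$nonroot" "$rootfile"; do
  if runs_as_root "$f"; then
    echo "$f: runs as root (add a USER instruction)"
  else
    echo "$f: runs as $(effective_user "$f")"
  fi
done
# The build context is left in $WORKDIR so the lab's Step 2 and 3 can be
# run against it on a Docker host:
#   sudo docker build -t pratikshahp/test:learn "$WORKDIR"
#   sudo docker run --rm pratikshahp/test:learn id
echo "build context: $WORKDIR"
```

The check is deliberately simple: it reads the last USER line of the file, so for a multi-stage build make sure the final stage has its own USER instruction, since an earlier stage's user does not carry over.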

Conclusion
I hope this hands-on lab is helpful for a basic understanding of Linux users and groups, and of how to access Docker as a non-root user, with examples. I’d love to hear comments from more people so I can improve it.