Overview
As a root user
, one can run all the docker
commands by connecting to its Daemon;
without any restrictions. But we can not give root access to everyone on the system as it is unsafe.
So we need to figure out ways to give docker
access to non-root
users. This is what we will explore in this lab. Along with this, we'll see how we can run programs as non-root users, inside the containers we create.
Prior Knowledge
Before moving further, one needs to know about users
, group
and sudo
access inside Linux.
Users
Linux makes it possible for multiple users
to login at once and use the system independently. Linux system stores user information into /etc/passwd file. User Passwords are stored in /etc/shadow file and encrypted with a one way hash function.
- Root user: When the
system is installed
it creates aroot account
with password protected and only the admin knows the password. Root user account has all the access as a superuser. It can access all the programs, files and resources on the system. The userid 0
gives the root user all the privileges. Admin can give custom names instead of root but some applications run with root user name only.
- Non-root users: Non-admin users, can run only
specific set of commands
as per theirroles and permissions
given. Two types of Users in non-root user category. Users with admin privileges and users with non-admin privileges.
- To get the name of current user
id
- To switch the user
su - <username>
- To change the password of current login account
passwd
- To see users information
cat /etc/passwd
Groups
The collection of users is called group
in Linux. With groups, it becomes easy to manage and deal with multiple users at once, especially in terms of permissions. There are two types of groups in Linux: primary
and secondary
. Each user is a member of one primary group and up to 15 secondary groups.
- To list all primary groups
groups
- The linux system stores all
groups
into/etc/group
file.
cat /etc/group
sudo Access
sudo
is an acronym for Super User Do
. By giving sudo access to any user we can control what all commands a user can run in the privileged mode. The user needs to run the commands with the sudo
prefix, if he/she wants to run as superuser
, like the following:-
sudo apt update
To add sudo access we need to update the /etc/sudoers
file, which we can do with visudo
command. If we want we can give permission, equivalent to the root
user.
You can know more about sudo
from here.
How To Run Docker Via Non-root User Login?
There are two ways to run docker
commands as a non-root user. One is by giving sudo
access to normal users, which we already covered earlier. The other way is to add normal users to the docker
group, which we'll explore now. Please follow the steps below :-
Step 1: Install docker.
- To Install docker for ubuntu distribution of linux as root user
apt update && apt install docker.io -y
- First check if the docker group is available or not
cat /etc/group | grep docker

As some Linux distributions provide a docker group with installation. If it is available skip step 2.
Step 2: Create a docker group.
sudo groupadd docker
Step 3: Add user to docker group.
- To create a custom account named
dev
adduser dev

- To add the existing dev user in docker group
sudo usermod -aG docker dev
OR
Create a new user account with primary and secondary groups, if the primary group with -g
is not assigned it will automatically take the username as a primary group.
useradd -g <primary-grup> -G docker <user-name>
Step 4 : Check user availability.
cat /etc/group | grep docker

Step 5: Run docker command as a normal user.
- To login as normal user
su - dev
- Now, Let's try to run some commands in container created by non-root user.
docker container run --name mycont -it nginx sh

While we are here, let us also see how we can run programs as non-root users, inside the containers we create.
Running Programs as non-root user, inside the Container
Generally, if you run a container and check the user id
or group id
, it is set to 0;
which means that we are running the program as the admin user, in the context of the container.
docker run --rm alpine id
This is not a good practice. One way is to fix it by providing the uid/gid, while running the containers like following :-
docker run --rm -u 1001:1001 alpine id
But this may cause problems to the programs which we are not configured to run as non-root users, inside the containers; unless we do so. So a better approach is to configure the default user/group and the program accordingly inside the Dockerfile. Let's see an example of the same.
Step 1: Create a Dockerfile.
- To write a Dockerfile
vim Dockerfile
Step 2: Build an Image.
- To build an image from the Dockerfile
docker build -t cloudyuga/test:learn .
docker image ls
Step 3: Create and run a container from the previous step image
- To create and run container and retrive user detail
docker run --rm -d --name testc cloudyuga/test:learn
Step 4: Verify the user and ownership of the program running inside the container
docker exec testc id
docker exec testc ps aux
We can see the uid
and gid
are set to 1001
and the sleep
program runs with the user testuser
. Also if we inspect
the container we'll see the user
is set to testuser
.
docker inspect testc --format '{{.Config.User}} {{.Name}}'
Conclusion
So in this hands-on lab, we have seen how we can run Docker commands as a non-root user. We also covered how we can run programs as non-root users, inside the containers.