Overview

As a root user one can access docker daemon which is not safe. For the security concern, non root users get limited access and run docker. This hands-on lab will elaborate how admin can manage docker for non root users with a demo.

Why does docker need non-root user access?

The main reasons for non root user access in docker are,

• Security: To create a secure application environment for containers docker needs non root user access.  docker run command runs the docker daemon to create a container. If containers run as a root user anyone can run any process, change UID, access the secrets and attack the docker daemon.    

• Support multiple platforms: Some Container orchestrators like OpenShift do not allow containers to run as root. Running kubernetes pods with root user is not recommended. Some containers are restricted for root user access. 

Prior Knowledge

Before moving further, one needs to know about

1. Users
2. Groups
3. Sudo

1) Users: Linux makes it possible for multiple persons to login at once and use the system independently. Linux system stores user information into /etc/passwd file. User Passwords stored in /etc/shadow file and encrypted with a one way hash function.

• Root user: When the system is installed it creates a root account with password protected and only the admin knows the password. Root user account has all the access as a superuser. It can access all the programs, files and resources on the system. The user id 0 gives the root user all the privileges. Admin can give custom names instead of root but some applications run with root user name only.

• Non root users: Non admin users, can run specific commands as per their roles and permissions given. Two types of Users in non root user category. Users with admin privileges and users with non admin privileges. 

• To get the name of current user

id

• To switch the user

su <username>

• To change the password of current login account

passwd

• To see users information

cat /etc/passwd

2) Groups: Collection of users is called group in Linux. With groups it becomes easy to manage and deal with multiple users at once especially in terms of permissions. There are two types of groups in linux: primary and secondary. Each user is a member of one primary group and up to 15 secondary groups. 

• To list all primary groups

groups

• The linux system stores all groups into /etc/group file.

cat /etc/group 

3) Sudo privilege: By adding the sudo prefix to any command in Linux, we can execute it as the superuser. Sudo is an acronym for "Super User Do" . Users who wish to use the sudo command must have a listing in the /etc/sudoers file. Edit this file with visudo. 

How To Run Docker Via Non-root User Login?

There are two ways to run a docker container as a non-root user. 

1) Configure Linux Machine to Run Docker As Non-Root User

Follow the steps given below to configure linux machine,

Step 1: Install docker.

• To Install docker for ubuntu distribution of linux as root user

apt update && apt install docker.io -y

• First check if the docker group is available or not

cat /etc/group | grep docker

As some Linux distributions provide a docker group with installation. If it is available skip step 2.

Step 2: Create a docker group.

sudo groupadd docker

Step 3: Add user to docker group. 

• To create a custom account named dev

adduser dev

• To add the existing dev user in docker group

sudo usermod -aG docker dev

                                                                                          OR

Create a new user account with primary and secondary groups, if the primary group with -g is not assigned it will automatically take the username as a primary group.

useradd -g <primary-grup> -G docker <user-name>

Step 4 : Check user availability.

cat /etc/group | grep docker

Step 5: Run docker command as a normal user. 

• To login as normal user

su dev

docker container run --name mycont -it nginx sh

2) Create User Account via Dockerfile

Attach a user with Dockerfile so whenever container run from the image created by dockerfile one gets user as an owner. 

Step 1: Create a Dockerfile.

• To write a Dockerfile

vim Dockerfile

Step 2: Build an Image.

• To build an image from the Dockerfile

sudo docker build -t pratikshahp/test:learn .

• To get the image list

docker image ls

Step 3: Create and run a container from the previous step image and verify user. 

• To create and run container and retrive user detail

sudo docker run --rm pratikshahp/test:learn id

                                                                                             OR                                  

• To create a container and run with the image created via Dockerfile

sudo docker run -it --name user_cont pratikshahp/test:learn sh

• To detach from the container

• To inspect the container to get who is the owner of a container

docker inspect $(docker ps -q) --format '{{.Config.User}} {{.Name}}'

Conclusion

I hope this hands-on lab will be helpful in a basic understanding of linux users, groups, and how to access Docker as a non-root user with examples. I’d love to hear comments from more people for betterment.