Manage Docker As Non-Root User

26 May 2023
Container
docker
non-root

How to give non-root users controlled access to the Docker daemon, and how to keep the container process itself from running as root

Overview

Working with Docker as the root user is unsafe: every docker command, and by default every process inside a container, then runs with full privileges. The safer setup is to let a limited set of non-root users talk to the Docker daemon, and to run the process inside the container as an unprivileged user. This hands-on lab shows how an admin manages both for non-root users, with a demo.

Why does docker need non-root user access?

The main reasons for non-root access in Docker are:

  • Security: The docker run command does not start the daemon. It sends a request over /var/run/docker.sock to the already running daemon, which itself runs as root, and the daemon creates the container. If the process inside the container runs as root (uid 0), anyone who can execute a command in that container is root there: they can read any secret mounted into it, change UIDs, and, given a mounted host path, a mounted socket or a runtime/kernel escape, attack the host and the daemon. Running the container process as an ordinary user limits all of that. The other direction matters too: being allowed to talk to the daemon is itself a powerful privilege. A member of the docker group can ask the root daemon to mount any host directory into a container, so docker-group membership should be treated as equivalent to root and granted only to trusted admins (rootless Docker is the option when the daemon itself must not run as root).
  • Support for multiple platforms: Some container orchestrators refuse to run containers as root. OpenShift by default starts containers under an arbitrary non-root UID, and Kubernetes can reject root images through the runAsNonRoot pod security setting. An image that only works as root will not run in such environments.

Prior Knowledge

Before moving further, one needs to know about

  1. Users
  2. Groups
  3. Sudo

1) Users: Linux is a multi-user system: several people can be logged in at once and work independently. Account details are stored in the /etc/passwd file. Password hashes are kept in /etc/shadow, which only root can read; passwords are not encrypted but passed through a one-way hash function, so they cannot be recovered from that file.

  • Root user: The installer creates a password-protected root account, and only the admin knows the password. Root is the superuser: it can access every program, file and resource on the system. What grants these privileges is user id 0, not the name; an admin can rename the account, but some applications expect the literal user name root.
  • Non-root users: Every other account. They can run only the commands their roles and permissions allow. Within this category there are two kinds of users: those with admin privileges (typically granted through sudo) and those without.
  • To show the uid, gid and group memberships of the current user
id
  • To switch to another user (prompts for that user's password unless you are root)
su <username>
  • To change the password of the current login account
passwd
  • To see user information
cat /etc/passwd

2) Groups: A group is a collection of users. Groups make it easy to manage permissions for many users at once. Each user has exactly one primary group (the group given to files the user creates) and may belong to any number of supplementary (secondary) groups; the 16-group ceiling that some texts quote is a limit of older NFS authentication, not of the Linux kernel.

  • To list the groups the current user belongs to (primary group first)
groups
  • The Linux system stores all groups in the /etc/group file.
cat /etc/group

3) Sudo privilege: Prefixing a command with sudo runs it as the superuser (or, with -u, as another user) after the caller authenticates with their own password. The name comes from "superuser do". Only users or groups listed in /etc/sudoers, or in a file under /etc/sudoers.d, may use it. Always edit these files with visudo, which checks the syntax before saving; a broken sudoers file locks everyone out of sudo.

How To Run Docker Via Non-root User Login?

"Non-root" means two different things here, and the lab covers both: who is allowed to run docker commands at all (a question of access to the daemon, handled with the docker group), and which user the process inside the container runs as (set in the Dockerfile).

1) Configure Linux Machine to Run Docker As Non-Root User

Follow the steps given below to configure the Linux machine.

Step 1: Install docker.

  • To install Docker on the Ubuntu distribution of Linux, as the root user
apt update && apt install docker.io -y
  • Then check whether the docker group already exists
cat /etc/group | grep docker
Figure 1: print docker group if available

Some Linux distributions, and the Ubuntu docker.io package, create the docker group during installation. If Figure 1 shows it is already present, skip step 2.

Step 2: Create a docker group.

sudo groupadd docker

Step 3: Add the user to the docker group.

  • To create a custom account named dev (as root; adduser prompts for a password and account details)
adduser dev
Figure 2: partial output of adding user
  • To add the existing dev user to the docker group (-a appends; without it, -G would replace dev's other supplementary groups)
sudo usermod -aG docker dev
Figure 3: Add user in docker group and verify

OR

Create a new user account with primary and secondary groups in one step. If no primary group is given with -g, useradd on Debian/Ubuntu creates a group named after the user and makes it the primary group.

useradd -g <primary-group> -G docker <user-name>

Step 4: Verify that the user is listed in the docker group.

cat /etc/group | grep docker

Step 5: Run a docker command as the normal user.

  • To log in as the normal user. Supplementary groups are read when a session starts, so a shell that dev already had open before step 3 will not see the docker group until dev logs in again (or runs newgrp docker); the fresh session started by su picks it up.
su dev
Figure 4: Switch user
docker container run --name mycont -it nginx sh
Figure 5: create and run container with non-root user

Note that the shell inside this container still runs as root, because the nginx image does not set a user; only the docker command on the host was run as dev. Making the container process non-root is what the Dockerfile approach in section 2 does.
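The following script is an added example, not part of the original lab, that packages steps 2 to 5 as shell functions and adds two checks a practitioner wants: a membership test that reads a file in /etc/group format (exercised here on a constructed sample file, so it runs without root or Docker), and a reminder of what docker-group membership actually grants. Function and variable names are mine; the group name docker and the /etc/group format are as on the lab's Ubuntu system.

```shell
#!/bin/sh
# docker_group_access.sh (added example; function and file names are mine, not the lab's)
# Grants docker-group access the way the lab does, and verifies it from /etc/group.

# Print the members of the docker group listed in a file in /etc/group format,
# one per line. Prints nothing if the group is missing or has no members.
docker_group_members() {
    # $1 = path to the group file (the real /etc/group, or a sample for testing)
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Exit 0 if user $2 appears in the docker group of file $1, 1 otherwise.
in_docker_group() {
    docker_group_members "$1" | grep -qxF "$2"
}

# The admin steps from the lab, made idempotent. Must run as root.
grant_docker_access() {
    # $1 = user name to grant
    getent group docker >/dev/null || groupadd docker
    usermod -aG docker "$1"
    # Supplementary groups are loaded at login, so existing sessions do not see the change.
    echo "$1 added to docker; log in again or run 'newgrp docker' before using docker"
}

# Exit 0 if the *current* session already carries the docker group (what matters at run time).
session_has_docker_group() {
    id -nG | tr ' ' '\n' | grep -qxF docker
}

# What the grant really means: the daemon runs as root and mounts any host path on request,
# so a docker-group member can become root on the host with one command. Printed, not run.
root_equivalence_demo() {
    echo "docker run --rm -it -v /:/host alpine chroot /host"
}

# Constructed sample of /etc/group (not a real system) so the checks run offline.
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:dev,alice
users:x:100:
EOF

echo "docker group members: $(docker_group_members "$SAMPLE_GROUP_FILE" | tr '\n' ' ')"
in_docker_group "$SAMPLE_GROUP_FILE" dev && echo "dev may use docker (treat as root-equivalent)"
in_docker_group "$SAMPLE_GROUP_FILE" bob || echo "bob may not use docker"
echo "a docker-group member can still do: $(root_equivalence_demo)"
```

On a real host, run grant_docker_access as root and then, from a new session for that user, session_has_docker_group confirms the group is active before the first docker command; the membership check reads the group file directly so it works for auditing who currently holds this root-equivalent access.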

2) Create User Account via Dockerfile

Create the account in the Dockerfile and switch to it with the USER instruction. Every container started from the resulting image then runs its process as that user instead of root, unless the caller overrides it at run time with --user.

Step 1: Create a Dockerfile.

  • To write the Dockerfile (it creates the account and switches to it with a USER instruction)
vim Dockerfile

Step 2: Build an Image.

  • To build an image from the Dockerfile
sudo docker build -t pratikshahp/test:learn .
Figure 6: Partial output of building an image
  • To get the image list
docker image ls
Figure 7: Image list

Step 3: Create and run a container from the image built in the previous step and verify the user.

  • To create and run a container and retrieve the user details (id prints the uid, gid and groups of the container's process; a non-zero uid confirms it is not root)
sudo docker run --rm pratikshahp/test:learn id
Figure 8: Verify container owner

OR

  • To create a container and run it with the image created via the Dockerfile
sudo docker run -it --name user_cont pratikshahp/test:learn sh
Figure 9: Create and run container
  • To detach from the container without stopping it, press Ctrl-p followed by Ctrl-q
  • To inspect the running containers and see which user each is configured to run as
docker inspect $(docker ps -q) --format '{{.Config.User}} {{.Name}}'
Figure 10: Inspect container to get owner
Note: each output line shows the user set by the image's USER instruction (empty when the image sets none, which means root) followed by the container name, which Docker prefixes with a slash.
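As an added example, not the lab's own Dockerfile, the script below writes a Dockerfile that creates an unprivileged account and switches to it with USER, then builds the image and checks the id output from a container, including the one failure mode the USER instruction does not cover. The image tag example/nonroot:demo, the user name app and uid 10001 are assumptions; the build step runs only when the script is invoked with --build, so the helpers can be exercised offline.

```shell
#!/bin/sh
# nonroot_image.sh (added example; image tag, user name and uid are assumptions, not the lab's)
# Writes a Dockerfile whose process runs as an unprivileged user, builds it, verifies it.

IMAGE="${IMAGE:-example/nonroot:demo}"

# Emit the Dockerfile. USER applies to every later RUN, CMD and ENTRYPOINT, and is the
# value that `docker inspect --format '{{.Config.User}}'` reports for the container.
render_dockerfile() {
    cat <<'EOF'
FROM alpine:3.19
# Fixed, high uid/gid: predictable across builds and unlikely to collide with host accounts.
RUN addgroup -g 10001 -S app && adduser -u 10001 -S -G app -h /app app
WORKDIR /app
# Files copied before USER would be root-owned; --chown keeps them usable by app.
COPY --chown=app:app . /app
# Drop privileges here; everything below, including CMD, runs as app.
USER app
CMD ["id"]
EOF
}

# Given one line of `id` output, succeed only if the uid is non-zero.
# Example: uid=10001(app) gid=10001(app) groups=10001(app)
is_nonroot_id() {
    uid=$(printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p')
    [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# Build the image and check what `id` reports inside it. Needs a working docker CLI.
build_and_verify() {
    dir=$(mktemp -d)
    render_dockerfile > "$dir/Dockerfile"
    docker build -t "$IMAGE" "$dir"
    out=$(docker run --rm "$IMAGE" id)
    is_nonroot_id "$out" || { echo "FAIL: container process is root: $out" >&2; return 1; }
    echo "OK: $out"
    # USER sets the default only; whoever controls `docker run` can still override it.
    echo "overridden with --user 0: $(docker run --rm --user 0 "$IMAGE" id)"
}

# Only talk to Docker when explicitly asked, so the helpers above can be exercised offline.
if [ "${1:-}" = "--build" ]; then
    build_and_verify
fi
```

The last line of build_and_verify is the caveat: a USER instruction protects the image's default, not against a caller who passes --user 0, so on a shared host the docker-group restriction from section 1 and the Dockerfile user are complementary, not alternatives.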

Conclusion

I hope this hands-on lab has been helpful for a basic understanding of Linux users and groups, and of how to use Docker as a non-root user, with examples. I’d love to hear comments from more readers so it can be improved.

About the Authors

Pratiksha Patel

Pratiksha is a former Assistant Professor, Enthusiastic learner of Cloud and DevOps. She has recently completed her Cloud Engineer Bootcamp at CloudYuga.

Oshi Gupta

DevOps Engineer & Technical Writer, CloudYuga

Oshi Gupta works as a DevOps Engineer and Technical Writer at CloudYuga Technologies. She is a CKA certified and has been selected for LFX mentorship in Spring 2022 for CNCF Kyverno. She loves writing blogs and is keen to learn about various cloud-native technologies. Besides this, she loves cooking, badminton, traveling, and yoga.