Overview

As a root user, one can run all the docker commands by connecting to its Daemon; without any restrictions. But we can not give root access to everyone on the system as it is unsafe. 

So we need to figure out ways to give docker access to non-root users. This is what we will explore in this lab. Along with this, we'll see how we can run programs as non-root users, inside the containers we create. 

Prior Knowledge

Before moving further, one needs to know about users, group and sudo access inside Linux. 

Users

Linux makes it possible for multiple users to login at once and use the system independently. Linux system stores user information into /etc/passwd file. User Passwords are stored in /etc/shadow file and encrypted with a one way hash function.

• Root user: When the system is installed it creates a root account with password protected and only the admin knows the password. Root user account has all the access as a superuser. It can access all the programs, files and resources on the system. The user id 0 gives the root user all the privileges. Admin can give custom names instead of root but some applications run with root user name only.

• Non-root users: Non-admin users, can run onlyspecific set of commands as per their roles and permissions given. Two types of Users in non-root user category. Users with admin privileges and users with non-admin privileges. 

• To get the name of current user

id

• To switch the user

su - <username>

• To change the password of current login account

passwd

• To see users information

cat /etc/passwd

Groups

The collection of users is called group in Linux. With groups, it becomes easy to manage and deal with multiple users at once, especially in terms of permissions. There are two types of groups in Linux: primary and secondary. Each user is a member of one primary group and up to 15 secondary groups. 

• To list all primary groups

groups

• The linux system stores all groups into /etc/group file.

cat /etc/group

sudo Access

sudo is an acronym for Super User Do . By giving sudo access to any user we can control what all commands a user can run in the privileged mode. The user needs to run the commands with the sudo prefix, if he/she wants to run as superuser, like the following:-

sudo apt update 

To add sudo access we need to update the /etc/sudoers file, which we can do with visudo command. If we want we can give permission, equivalent to the root user. 

You can know more about sudo from here. 

How To Run Docker Via Non-root User Login?

There are two ways to run docker commands as a non-root user. One is by giving sudo access to normal users, which we already covered earlier. The other way is to add normal users to the docker group, which we'll explore now. Please follow the steps below :-

Step 1: Install docker.

• To Install docker for ubuntu distribution of linux as root user

apt update && apt install docker.io -y

• First check if the docker group is available or not

cat /etc/group | grep docker

As some Linux distributions provide a docker group with installation. If it is available skip step 2.

Step 2: Create a docker group.

sudo groupadd docker

Step 3: Add user to docker group. 

• To create a custom account named dev

adduser dev

• To add the existing dev user in docker group

sudo usermod -aG docker dev

                                                                                          OR

Create a new user account with primary and secondary groups, if the primary group with -g is not assigned it will automatically take the username as a primary group.

useradd -g <primary-grup> -G docker <user-name>

Step 4 : Check user availability.

cat /etc/group | grep docker

Step 5: Run docker command as a normal user. 

• To login as normal user

su - dev

• Now, Let's try to run some commands in container created by non-root user.

docker container run --name mycont -it nginx sh

While we are here, let us also see how we can run programs as non-root users, inside the containers we create.

Running Programs as non-root user, inside the Container

Generally, if you run a container and check the user id or group id, it is set to 0; which means that we are running the program as the admin user, in the context of the container. 

docker run --rm alpine id

This is not a good practice.  One way is to fix it by providing the uid/gid, while running the containers like following :-

docker run --rm -u 1001:1001 alpine id

But this may cause problems to the programs which we are not configured to run as non-root users, inside the containers; unless we do so. So a better approach is to configure the default user/group and the program accordingly inside the Dockerfile. Let's see an example of the same. 

Step 1: Create a Dockerfile.

• To write a Dockerfile

vim Dockerfile

Step 2: Build an Image.

• To build an image from the Dockerfile

docker build -t cloudyuga/test:learn .

docker image ls

Step 3: Create and run a container from the previous step image 

• To create and run container and retrive user detail

docker run --rm -d --name testc cloudyuga/test:learn

Step 4: Verify the user and ownership of the program running inside the container

docker exec testc id 

docker exec testc ps aux 

We can see the uid and gid are set to 1001 and the sleep program runs with the user testuser.  Also if we inspect the container we'll see the user is set to testuser. 

docker inspect testc --format '{{.Config.User}} {{.Name}}'

Conclusion

So in this hands-on lab, we have seen how we can run Docker commands as a non-root user. We also covered how we can run programs as non-root users, inside the containers.