
Uid/gid in docker containers don't match the uid/gid on the server?

Installed a new Debian server, installed Docker, but now I have a problem with permissions on passed directories.

On the previous server, the uid/gids inside the docker container match the uid/gid on the real server.

Root is 0, www-data is 33, and so on.

On this new server, instead, files owned by root (0) in the container are translated to 1000 on the server, www-data (33) is 100032, and so on (+1000 appended to the uid)

Is this normal or did I misconfigure something? On the previous server I was running everything as root (the interactive user was root), and I would like to avoid that.

Dirk ,

It’s actually a suggested configuration / best practice to NOT have container user IDs matching the host user IDs.

Ditch the idea of root and user in a docker container. For your containerized application use 10000:10001. You’ll have only one application and one “user” in the container anyways when doing it right.

To be even more on the secure side use a different random user ID and group ID for every container.

Appoxo ,

Do I need to actually create the user in advance or can I just choose a string as I see fit?

thesmokingman ,

This is really dependent on whether or not you want to interact with mounted volumes. In a production setting, containers are ephemeral and should essentially never be touched. Data is abstracted into stores like a database or object storage. If you’re interacting with mounted volumes, it’s usually through a different layer of abstraction like Kibana reading Elastic indices. In a self-hosted setting, you might be sidestepping dependency hell on a local system by containerizing. Data is often tightly coupled to the local filesystem. It is much easier to match the container user to the desired local user to avoid constant sudo calls.

I had to check the community before responding. Since we’re talking self-hosted, your advice is largely overkill.

Moonrise2473 OP ,

Checked .bash_history, looks like I installed Docker in the new rootless mode:


    wget get.docker.com
    ls
    mv index.html docker.sh
    chmod +x docker.sh
    ./docker.sh
    dockerd-rootless-setuptool.sh install
    sudo dockerd-rootless-setuptool.sh install
    sudo apt install uidmap
    dockerd-rootless-setuptool.sh install

Now I need to see how to restore it to work in the traditional way or I will go crazy with the permissions…
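The uid translation described in this thread (root becoming 1000, www-data becoming 100032) is the user-namespace mapping that rootless Docker sets up from /etc/subuid. The following is an added example, not code from the thread or from Docker: a small POSIX sh script that reproduces that mapping both ways from a constructed subuid entry. The user name "moonrise", its host uid 1000 and the subuid range 100000:65536 are assumptions for illustration; on a real host the values come from /etc/subuid and `id -u`.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the uid translation that
# rootless Docker applies, using a constructed /etc/subuid entry.

# Constructed values: the hypothetical rootless user "moonrise" runs dockerd
# with host uid 1000 and has been delegated the subuid range 100000..165535.
ROOTLESS_USER_UID=1000
SUBUID_LINE="moonrise:100000:65536"

subuid_start() {
  # Second field of the subuid entry: first host uid in the delegated range.
  printf '%s\n' "$SUBUID_LINE" | cut -d: -f2
}

subuid_count() {
  # Third field: number of host uids in the delegated range.
  printf '%s\n' "$SUBUID_LINE" | cut -d: -f3
}

# Container uid -> host uid, as the rootless daemon's user namespace maps it:
# uid 0 inside the container is the unprivileged user running dockerd; every
# other container uid N lands in the subuid range at start + (N - 1).
container_to_host() {
  cuid=$1
  if [ "$cuid" -eq 0 ]; then
    echo "$ROOTLESS_USER_UID"
  else
    echo $(( $(subuid_start) + cuid - 1 ))
  fi
}

# Host uid -> container uid, the inverse of the above. Host uids outside the
# mapping print "unmapped": no container uid can own such files, which is why
# they show up as the overflow uid (nobody) inside a rootless container.
host_to_container() {
  huid=$1
  start=$(subuid_start)
  count=$(subuid_count)
  if [ "$huid" -eq "$ROOTLESS_USER_UID" ]; then
    echo 0
  elif [ "$huid" -ge "$start" ] && [ "$huid" -lt $(( start + count )) ]; then
    echo $(( huid - start + 1 ))
  else
    echo unmapped
  fi
}

# Explain a file owner seen on the host (e.g. from `stat -c %u FILE`).
explain_owner() {
  huid=$1
  cuid=$(host_to_container "$huid")
  if [ "$cuid" = unmapped ]; then
    echo "host uid $huid is outside the rootless mapping"
  else
    echo "host uid $huid is container uid $cuid"
  fi
}

# Walk through the numbers from the question.
for cuid in 0 33 1000; do
  echo "container uid $cuid -> host uid $(container_to_host "$cuid")"
done
explain_owner 100032
explain_owner 5000
```

With these assumed values the script reproduces the thread's observation exactly: container uid 0 maps to 1000 and container uid 33 maps to 100032, so the apparent offset is the subuid range start (minus one), not a fixed "+1000". Files the host user already owns with a uid outside that range are the ones a rootless container cannot write to, which is the permission problem the poster ran into.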

Moonrise2473 OP ,

I fixed it:

for future reference:

  • From docs.docker.com/engine/security/rootless/…, run dockerd-rootless-setuptool.sh uninstall
  • Delete the user data (warning: I wasn’t using any Docker volumes and I had no data to lose!!!) using the command that the previous script tells you
  • Add your user to the docker group and use the traditional “run docker as root” way: docs.docker.com/engine/…/linux-postinstall/

Atemu ,

Why go through all of that complexity when you could just sudo apt install docker?

Moonrise2473 OP ,

I don’t want to type sudo before each single docker command.

Voroxpete ,

You can do that with regular docker. Just add your user to the docker group.

(don’t forget to log out and log in again after adding new groups to your user)

twiked ,

Niche use case, but you can also use newgrp to run commands with a recently-added group to your user, without having to logout/login yet.

cheet ,

So add your user to the new docker group made on install of that package and you’ll be able to docker without sudo. You may need to relogin or newgrp docker before it works tho

hottari ,

Looks like you are running rootless.

neidu2 , (edited )

I’m not very well versed on docker, but this sounds like a config issue. The behavior seems similar to “squash root” found in many other services.
