This has probably been hashed over a thousand times, but I’ve got some confusion over the user that processes run as in containers (and how that shows on the host).
I’ve read this great article that explains why a process will show as running as different users, depending on if you’re viewing the process list inside the container vs. on the host, and it makes sense why it happens.
An example is best. I’ve got an Ubuntu 16.04 box (running on EC2) and I’m pulling in and running redis in a container, specifically the 3.2.11-alpine image. It’s working great, including a mounted volume for persistence.
The Dockerfile for that image creates a “redis” user and group in the container. When I look at the process list on the host, redis-server shows as running as user “systemd-timesync”, which has a UID of 100 in /etc/passwd. This makes sense, as the redis user that’s been created in the container has a UID of 100.
Now, the confusion for me is around security and other potential issues that may arise with having the redis-server process running as the “systemd-timesync” user. Is there a security concern here, having a container process run as a different privileged user on the host? I thought specifying the -u <user> parameter on the command line would allow me to specify the actual user (on the host) I wanted it to run as, but it turns out that’s not the case: -u means specifying a container user, not a host user.
If someone could shed a bit of light on that, that’d be awesome.
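The mapping the post describes can be worked through offline. The following script is an added example (not from the original post or from Docker); it embeds constructed `/etc/passwd` contents for the container and the host and a constructed `/etc/subuid` entry, then resolves a container user name to the name the host's `ps` would display. The kernel tracks only the number (100); each `/etc/passwd` translates it independently, which is why the same process reads as `redis` inside and `systemd-timesync` outside. With the Docker daemon's `--userns-remap` option, container UIDs are offset into the subordinate range from `/etc/subuid`, so UID 100 lands on a host UID no host account owns; the `remap_uid` function shows that arithmetic. The names `dockremap`, the UID values and the helper function names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: how a container UID is seen from the host, with and
# without user-namespace remapping. All inputs below are constructed text,
# not read from a real system, so the script runs anywhere.

# Constructed container /etc/passwd (alpine-style redis image)
CONTAINER_PASSWD='root:x:0:0:root:/root:/bin/ash
redis:x:100:101:redis:/var/lib/redis:/sbin/nologin'

# Constructed host /etc/passwd (Ubuntu-style)
HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash'

# Constructed /etc/subuid entry for the daemon's remap user (assumed name)
HOST_SUBUID='dockremap:100000:65536'

# uid_of NAME PASSWD_TEXT -> numeric uid of NAME, empty if absent
uid_of() {
  printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# name_of UID PASSWD_TEXT -> user name owning UID, or the bare number when
# no account has it (this is what ps prints for an unknown uid)
name_of() {
  printf '%s\n' "$2" | awk -F: -v u="$1" \
    '$3 == u { print $1; found = 1; exit } END { if (!found) print u }'
}

# host_view NAME -> name the host shows for the container's NAME when no
# user namespace is in use: whichever host account owns the same uid
host_view() {
  cuid=$(uid_of "$1" "$CONTAINER_PASSWD")
  [ -n "$cuid" ] || { echo "unknown-container-user"; return; }
  name_of "$cuid" "$HOST_PASSWD"
}

# remap_uid UID SUBUID_LINE -> host uid under userns-remap (range start +
# container uid), or "out-of-range" when UID exceeds the allocated range
remap_uid() {
  printf '%s\n' "$2" | awk -F: -v u="$1" \
    '{ if (u < $3) print $2 + u; else print "out-of-range" }'
}

# Stand-alone demonstration
cuid=$(uid_of redis "$CONTAINER_PASSWD")
echo "container user redis has uid $cuid"
echo "host ps shows it as: $(host_view redis)"
ruid=$(remap_uid "$cuid" "$HOST_SUBUID")
echo "with userns-remap the host uid is $ruid, shown as: $(name_of "$ruid" "$HOST_PASSWD")"
```

Running it prints that UID 100 is displayed as `systemd-timesync` on the host without remapping, and as the bare number 100100 with remapping, because no host account owns that UID. The same arithmetic applies to files the process writes into a bind-mounted volume: their owner on the host is the numeric UID, so checking `/etc/subuid` and the volume's ownership is the practical way to confirm which host identity a container workload actually holds.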