Containers, users, volumes and permissions

We have been creating a system of containers, including clients, Cassandra nodes, and using Fluentd for centralised logging. We use Vagrant for development, and have now transitioned to using Ansible for provisioning.

If there is one aspect of Docker which has caused us the most problems and for which we have been least able to find useful and detailed information (which may just be our own fault), it is the interplay between containers, their users, bind-mounted volumes and their permissions.

I hope the community can share its knowledge broadly around this subject, point to the best resources and explain the finer points.

Specific questions to get started:

  • Is there a default user that the Docker daemon starts containers running as?
  • We noticed that some Dockerfiles explicitly create and set permissions for a given user ID (see Cassandra); are there any best practices or conventions set for this?
  • Is there a consistent and general methodology for setting file permissions for mounted volumes and container users?

Specific issues we had:

  • Containers chmod’ing volumes as specific self-made users, thus blocking host users running as non-root from file access.
  • Containers failing due to lacking permissions to write to shared volumes.
  • Trying to set the user for containers and receiving “Docker API Error: linux spec user: unable to find user some_user: no matching entries in passwd file”

The biggest thing I’ve noticed (and the biggest hang-up I’ve seen) is that permissions only deal in numeric user IDs. My having a user name of, say, dmaze is totally irrelevant; it only matters that a file is owned by uid 501, which may or may not have a name in the container’s /etc/passwd. On pure Linux the uid space is shared between all containers and the host system. (…right?)

> Is there a default user that the Docker daemon starts containers running as?

0, which almost always has the name root.

> We noticed that some Dockerfiles explicitly create and set permissions for a given user ID (see Cassandra); are there any best practices or conventions set for this?

“It’s a best practice to not run services as root.”

Usually when I’ve seen containers do this, they use something like the underlying distribution’s adduser script, always run with a fixed uid, and don’t take special care that the uids they pick are globally unique.

> Is there a consistent and general methodology for setting file permissions for mounted volumes and container users?

Not that I’ve encountered, no.

My general feel has been that Docker isn’t especially geared towards multi-user systems. I could be wrong there. It’s good for running system-global processes (like database servers), and things where the host user isn’t directly trying to consume its file output. If you’re deploying a server, it’s great, but in that case you don’t especially expect to really have multiple “users”.

> Trying to set the user for containers and receiving “Docker API Error: linux spec user: unable to find user some_user: no matching entries in passwd file”

If you run docker run -u dmaze or something along those lines, I think it requires the user name to be listed in the container’s /etc/passwd file.

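The reply above makes two points that are easy to verify on a Linux host: ownership on a bind mount is matched by numeric uid/gid, not by name, and a name passed to `docker run -u` has to exist in the image's /etc/passwd. The following script is an added example written for this page, not code from the thread or from Docker; the image name `alpine`, the host directory `./shared`, the container path `/data`, the throwaway image tag `fixed-uid-demo` and uid 1000 are all placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the thread). Shows uid-based ownership on a bind
# mount, the "-u <name>" passwd lookup, and the fixed-uid image convention.
# Placeholders: image "alpine", host dir ./shared, container path /data.
set -eu

# Numeric uid:gid of the host user running this script. Passing it to
# `docker run -u` makes files the container writes into the bind mount owned
# by the host user, and needs no entry in the image's /etc/passwd.
host_uid_gid() {
    printf '%s:%s' "$(id -u)" "$(id -g)"
}

# Numeric owner uid of a path (ls -n prints uids, so this is portable).
owner_uid() { # usage: owner_uid <path>
    ls -ldn "$1" | awk '{ print $3 }'
}

# Does <name> have an entry in <passwd-file>? This is the lookup Docker does
# when -u is given a name instead of a number; a miss is what produces
# "unable to find user <name>: no matching entries in passwd file".
passwd_has_user() { # usage: passwd_has_user <name> <passwd-file>
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit (found ? 0 : 1) }' "$2"
}

demo() {
    image=alpine
    hostdir="$(pwd)/shared"
    mkdir -p "$hostdir"

    # 1. Default user is uid 0: the file left in the bind mount is root-owned,
    #    so a non-root host user can neither overwrite nor delete it.
    docker run --rm -v "$hostdir:/data" "$image" touch /data/by-root
    echo "by-root is owned by uid $(owner_uid "$hostdir/by-root")"

    # 2. Same image, run as the host's numeric uid:gid: the file is owned by
    #    the host user even though alpine's /etc/passwd has no such name.
    docker run --rm -u "$(host_uid_gid)" -v "$hostdir:/data" "$image" \
        touch /data/by-host-user
    echo "by-host-user is owned by uid $(owner_uid "$hostdir/by-host-user")"

    # 3. A *name* must resolve inside the image; "some_user" does not exist
    #    in alpine, so this reproduces the error quoted in the question.
    docker run --rm -u some_user "$image" id \
        || echo "expected failure: some_user is not in the image's /etc/passwd"

    # 4. The convention seen in Cassandra-style images: create a service user
    #    with a fixed, explicit uid and chown the directory the volume will be
    #    mounted on. Note: a bind mount hides that chown; the host directory's
    #    ownership and mode are what uid 1000 sees at /data.
    tmp=$(mktemp -d)
    cat > "$tmp/Dockerfile" <<'EOF'
FROM alpine
RUN addgroup -g 1000 app && adduser -D -u 1000 -G app app \
 && mkdir -p /data && chown app:app /data
USER app
WORKDIR /data
EOF
    docker build -q -t fixed-uid-demo "$tmp" >/dev/null
    echo "fixed-uid-demo runs as uid $(docker run --rm fixed-uid-demo id -u)"
    # Let the fixed uid write into the mount without chown'ing the host dir
    # to 1000, by granting write to everyone only on this demo directory.
    chmod a+rwx "$hostdir"
    docker run --rm -v "$hostdir:/data" fixed-uid-demo touch /data/by-app
    echo "by-app is owned by uid $(owner_uid "$hostdir/by-app")"

    # Clean up: the host user cannot remove the root-owned file, so use root
    # inside a container to do it.
    docker run --rm -v "$hostdir:/data" "$image" rm -f /data/by-root /data/by-app
    rm -f "$hostdir/by-host-user"; rm -rf "$tmp"
}

if command -v docker >/dev/null 2>&1; then
    demo
else
    echo "docker not found; only the helper functions were defined" >&2
fi
```

Run it as an ordinary (non-root) user who is allowed to talk to the Docker daemon. The practical rule it illustrates is to pick one of two approaches and stick to it: either run the container as the host user's numeric `uid:gid` (no passwd entry required), or build the image with a fixed uid and make the host side of every bind mount readable and writable by that uid. Mixing the two is how directories end up `chmod`'d to a uid nobody on the host has.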

Sorry if it isn’t the right place to put this question but I couldn’t find any better.
I’ve started using the mount option on Docker to have persistent data on my Windows 10 workstation.
When I try to submit the --mount option I get a popup in which I am required to provide a user and password. Unfortunately the policies of my company don’t allow this kind of access authorization but instead require the PIN.
Is there any alternate way to provide this authorization to docker?

@enniodocker, I think Docker for Windows definitely requires sharing the host drive with full permission from its owner, whoever that may be. You may need to run Docker inside of a VM if your company allows that. Using Docker within a Linux system instead of Windows makes a lot of issues such as this easier (though it’s unfortunate to have the extra layer).