Docker is running container as _apt user

Hey,
I’m on Debian 11 (Bullseye) and I installed Docker to run an app (GitHub - ngoduykhanh/PowerDNS-Admin: A PowerDNS web interface with advanced features). For some reason, when I run it, it’s being run as the _apt user. I’m not sure why that’s happening. The Docker daemon and other core Docker processes are still run as root.

I don’t think it runs as _apt. On Debian 11 the _apt user’s ID is 100. The alpine Docker image doesn’t have any user with this id. When it creates a new system user with the following instructions:

adduser -S -D -G ${USER} ${USER}

It assigns 100 as user id to the “pda” user.

When the container runs the process inside the container is executed as pda, which has the ID 100, and you see it from the host’s point of view as “_apt” which has the same id.

On Linux a user is essentially an ID and /etc/passwd maps the ID and the username. But this file can be different in each container.

Here is the link to the above instruction in the Dockerfile on GitHub:


Ah, I understand. Thank you.

About this though, I have some questions.

  1. Why does it show up as though it’s being run as the _apt user, since I think that by default, all programs run as root? (I checked using the htop command.)
  2. What would’ve happened if the UID did not belong to a user on the host machine?
  3. I don’t think rootless mode is enabled, so what user is it actually running as (outside of the container)?

As I was trying to explain, the username does not matter at all. Without rootless Docker or user namespaces, both the container and the host will use UID 0 for the root user. Everything else can be different. Each container has its own user database, and the container “decides” which ID will belong to which username. So you see the owner of a process as _apt because the host knows UID 100 and “thinks” it is the ID of “_apt”, so it shows you that name to give you a friendly name. If the container uses a user ID which is not mapped to a username on the host, then you will see the user ID instead of the name. There is no other difference.

User namespaces are to separate the user IDs in a container from the host. So the root user gets UID 0 on the host and it gets for example UID 100000 inside the container, except that the container “thinks” it has UID 0. It is just lying to the container about the UID.

Rootless containers are similar. If you don’t run the container as root, you will not have the permission to use any ID like UID 0 so it has to use user namespaces.
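To make the UID-versus-username point from the two answers above concrete, here is an added Python example; it is not code from the thread, from PowerDNS-Admin or from Docker. It parses two constructed /etc/passwd excerpts, one for a Debian 11 host where _apt has UID 100 and one for an Alpine container where adduser gave "pda" UID 100, and resolves the same UID through each, the way ps or htop would on each side. It also applies a constructed /proc/<pid>/uid_map (each line is "inside-UID outside-UID count") to show where a container UID lands on the host when user namespaces are in use. The usernames, the extra passwd entries, the 100000 mapping base and the process IDs are assumptions chosen to match the situation in the thread.

```python
"""UID-to-name resolution on the host versus inside a container.

Added example for the forum thread above; not the project's own code.
All /etc/passwd content and uid_map content below is constructed.
"""

# Constructed excerpt of a Debian 11 (Bullseye) host /etc/passwd.
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
"""

# Constructed excerpt of the Alpine container's /etc/passwd after
# `adduser -S -D -G pda pda` picked the first free system UID, 100.
CONTAINER_PASSWD = """\
root:x:0:0:root:/root:/bin/ash
pda:x:100:101:Linux User,,,:/home/pda:/sbin/nologin
"""

# Constructed /proc/<pid>/uid_map contents.  The first is what you get
# without user namespaces (identity mapping of the whole UID range); the
# second is a typical userns-remap / rootless mapping where container
# UID 0 is host UID 100000 (the 100000 base is an assumption).
UID_MAP_NO_USERNS = "         0          0 4294967295\n"
UID_MAP_REMAPPED = "         0     100000      65536\n"


def parse_passwd(text):
    """Return {uid: username} for passwd(5)-formatted text."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; skip it the way getent would
        table[int(fields[2])] = fields[0]
    return table


def display_name(uid, passwd_table):
    """What ps/htop print for a UID: the name if this side's user database
    knows it, otherwise the bare number."""
    return passwd_table.get(uid, str(uid))


def parse_uid_map(text):
    """Parse uid_map lines of the form 'inside outside count'."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]


def container_uid_to_host(uid, uid_map):
    """Translate a UID as seen inside the container to the host UID.
    Returns None if the UID is not covered by any mapping range."""
    for inside, outside, count in uid_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def host_view(container_uid, uid_map_text, host_passwd_text):
    """The name a host-side htop shows for a process that runs as
    `container_uid` inside a container with the given uid_map."""
    host_uid = container_uid_to_host(container_uid, parse_uid_map(uid_map_text))
    return display_name(host_uid, parse_passwd(host_passwd_text))


if __name__ == "__main__":
    # Same UID 100, resolved through each side's own /etc/passwd.
    print("inside container:", display_name(100, parse_passwd(CONTAINER_PASSWD)))
    print("on the host (no userns):", host_view(100, UID_MAP_NO_USERNS, HOST_PASSWD))
    # With user namespaces the host sees 100100, which no host user owns.
    print("on the host (remapped):", host_view(100, UID_MAP_REMAPPED, HOST_PASSWD))
    # Container root is host root without userns, host UID 100000 with it.
    print("container root, no userns:", host_view(0, UID_MAP_NO_USERNS, HOST_PASSWD))
    print("container root, remapped:", host_view(0, UID_MAP_REMAPPED, HOST_PASSWD))
```

Running the script shows "pda" inside the container and "_apt" on the host for the same UID 100, which is exactly what the thread describes; with the remapped uid_map the host side instead prints a bare "100100", and container root becomes host UID "100000" rather than "root". On a real system, `cat /proc/<pid>/uid_map` for the container's process and `getent passwd <uid>` on the host let you do the same lookup by hand.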

Ah ok, thank you very much! I appreciate your help. This clears up a lot of my confusion.