Is it necessary or better to use a dedicated user to run Docker?

Hi

I’m new to Docker and use Ubuntu 22.04

Should I create a dedicated user to install and run Docker e.g. similar to running Tomcat?

If so, what permissions should this user have?

Thanks

There are two options to increase security:

  1. run Docker as rootless, so overall Docker and its containers never get root privilege.

  2. run services/containers with a different user

By default Docker and its containers are running as root. That made it always easy, because you never had to worry about permissions.

But we are moving more towards “zero trust” and it totally makes sense to restrict access.

It’s just more work and more things to think about. For example when using bind mounts, you need to create the user and folders on host and pass the user-id to the container.

This gets more complex when using Docker Swarm, which cannot run as rootless itself, as overlay networks still require root. And now you have to ensure users and folders exist on every node.

1 Like
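The "create the user and folders on the host and pass the user-id to the container" step from the reply above, worked through as an added example (not code from this thread or from Docker's docs). The account name `appsvc`, the path `/srv/app/data` and the `alpine:3` image are assumed placeholders; the `apply` branch needs root and a working Docker Engine, the helper functions do not.

```shell
#!/bin/sh
# Added example: run a container as a dedicated, unprivileged host user and
# give it a bind mount it can actually write to. Names below are assumptions.
APP_USER="${APP_USER:-appsvc}"         # assumed dedicated host account
DATA_DIR="${DATA_DIR:-/srv/app/data}"  # assumed bind-mount source on the host
IMAGE="${IMAGE:-alpine:3}"             # assumed image used for the check

# Resolve a host user to "uid:gid". Docker's --user needs numeric ids because
# the image has its own /etc/passwd and knows nothing about host user names.
user_spec() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    gid=$(id -g "$1" 2>/dev/null) || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# True only if the directory is owned by the uid the container will run as;
# otherwise the non-root process inside gets EACCES on every write.
check_owner() {
    owner=$(ls -ldn "$1" 2>/dev/null | awk '{print $3}') || return 1
    [ -n "$owner" ] && [ "$owner" = "$2" ]
}

# The docker run arguments that tie the host user to the container process.
run_args() {
    spec=$(user_spec "$1") || return 1
    printf '%s\n' "--user $spec -v $2:/data"
}

case "${1:-}" in
apply)
    # One-time host setup: a system account with no login shell, and a data
    # directory owned by that account (the same uid must exist on every
    # Swarm node if this is used there, as the reply above points out).
    id "$APP_USER" >/dev/null 2>&1 \
        || useradd --system --shell /usr/sbin/nologin "$APP_USER"
    mkdir -p "$DATA_DIR" && chown "$APP_USER:$APP_USER" "$DATA_DIR"
    spec=$(user_spec "$APP_USER")
    check_owner "$DATA_DIR" "${spec%%:*}" \
        || { echo "$DATA_DIR is not owned by uid ${spec%%:*}" >&2; exit 1; }
    # Prove the process is not root and the mount is writable from inside.
    # shellcheck disable=SC2046
    docker run --rm $(run_args "$APP_USER" "$DATA_DIR") "$IMAGE" \
        sh -c 'id -u; touch /data/.write-test && echo "bind mount writable"'
    ;;
esac
```

Images that bind a port below 1024 or write to root-owned paths inside the image will fail under `--user`; that is the "more work" the reply refers to, and it surfaces immediately in the check above rather than after deployment.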

Another recent post about security

Hi, I initially used “sudo apt install docker.io -y” and it seems to run fine

I then discovered these instructions Install Docker Engine on Debian | Docker Docs

  1. Should I uninstall docker and then follow this process to reinstall?
  2. What is the difference in using the simple install and more complex instructions?

Thanks

The official installation guide starts with removing the docker.io package, so that should answer the first question.

The difference is that docker.io is not published by Docker Inc., so it is not officially supported and could have different versions and not always the latest. Sometimes Docker doesn’t work as expected, because it is not installed from the official repository, so I highly recommend following the official guide always.

1 Like