When I was asking ChatGPT questions about Docker, I came across the question: Is the root user (UID 0) inside a container mapped to the root user on the host machine? ChatGPT answered yes.
But I made my own experiments.
I ran an Ubuntu container and got a bash shell inside it with docker run --rm -it ubuntu:latest /bin/bash.
Then I ran ps axl inside that container and saw bash running as UID 0.
After that, in another terminal, I ran ps axl again, and at the end of the output I got this line: 501 24775 5806 0 31 0 411855904 15312 - S+ s000 0:00.12 docker run --rm -it ubuntu:latest /bin/bash. The 501 is the UID.
That means /bin/bash inside the container is running as UID 501 on my host machine.
Maybe I'm wrong.
What is the default behavior? Which one is correct? Is the root user (UID 0) inside a container really mapped to the root user on the host machine?
How can I test this in another way?
I really appreciate your explanation.
There is normally no mapping. What happens is that on Linux, every user is basically a user ID, and you can map user names to IDs. It can be different on the host and in the container, as the definition is just a file and the files are different in the container, but UID zero is always UID zero in the container and on the host unless you have user namespaces enabled, like in rootless Docker, which means your own user is indeed mapped to UID 0 in the container, so whatever you do as root in the container will actually be done as your user on the host.
If you see that the bash process runs as UID 501 on your host, that means you are indeed using user namespaces. If you don't know about that, it is most likely rootless Docker or a non-official Docker installation.
Here is the rootless mode
On the other hand, UID 501 is not a usual user ID on Linux, at least not for interactive users.
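As an added example (not from this thread), here is a way to test the mapping directly instead of reading the process list: /proc/<pid>/uid_map lists how UIDs inside a namespace map to UIDs outside it, so the identity line 0 0 4294967295 means container root is host root, while a first line like 0 1000 1 means container root is host UID 1000. It assumes a Linux host with docker for the live check (on Docker Desktop the /proc path only exists inside the VM, so there use the docker exec variant); the two sample maps are constructed.

```shell
#!/bin/sh
# Each uid_map line is: <first UID inside ns> <first UID outside ns> <count>

# host_uid_of UID: reads a uid_map on stdin and prints the outside (host) UID
# that the given inside UID maps to, or "unmapped" if no range covers it.
host_uid_of() {
    awk -v u="$1" '
        u >= $1 && u < $1 + $3 { print $2 + (u - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Constructed samples of what "cat /proc/self/uid_map" shows in a container:
IDENTITY_MAP='         0          0 4294967295'   # no user namespace: root is root
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'                  # rootless-style: root is host UID 1000

# Works through any Docker client, Docker Desktop included: ask the container itself.
uid_map_from_inside() {
    docker exec "$1" cat /proc/self/uid_map
}

# Linux host only: look at the container's init process from the host side.
check_container() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    echo "uid_map of container init (host pid $pid):"
    cat "/proc/$pid/uid_map"
    echo "Uid line of that process as the host sees it (real, effective, saved, fs):"
    grep '^Uid:' "/proc/$pid/status"
    printf 'container UID 0 is host UID %s\n' "$(host_uid_of 0 < "/proc/$pid/uid_map")"
}
```

Run check_container <name> against a running container; if the first uid_map line is the identity line, root in the container really is root on that host.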
I asked again about the line 501 24775 5806 0 31 0 411855904 15312 - S+ s000 0:00.12 docker run --rm -it ubuntu:latest /bin/bash, and its answer was satisfactory.
It said I got 501 because the user who ran docker run --rm -it ubuntu /bin/bash is 501.
What do you think about that?
If you start the container with -i, the docker run command starts a process attached to the container, but that process is not the container itself. Nevertheless, the container itself is running with the user ID defined in the image.
I didn't realize what @meyay pointed out, so what I wrote is right if you see UID 501 for the bash process, but if you just look at the docker run command process, that is a different story. And I have the feeling you are using Docker Desktop on macOS, as that explains why you have UID 501, which is the default user ID on a Mac. If you really use Docker Desktop, you will never see the bash process in the process list, since that is in the virtual machine of Docker Desktop. There is no macOS container, only Linux and Windows.
@rimelek @meyay
First, thank you both for your time and explanation.
Second, sorry for my late response.
On my Mac, I ran ps axfl | grep /usr/bin/containerd-shim-runc-v2 -A1, and I only got one result, which is /usr/bin/containerd-shim-runc-v2. I think it is because I'm using Docker on macOS? When I use this command on my Ubuntu server, I can see my containers.
With Docker Desktop, only the CLI client is running as a host process. So basically it's an API client that communicates with the API of the docker engine inside the (linuxkit) VM. You shouldn't be able to see the containerd-shim-runc-v2 processes from inside the VM in the process list of your host. What you saw is most likely the grep command itself. The shim is used by Docker to interact with the container runtime.
On my Mac it is not even a valid command, as -f is not supported by ps. But as @meyay wrote, the only thing you could see in the output is the grep command itself.