Docker Community Forums

Share and learn in the Docker community.

Multiple unprivileged linux dockers with id mapping possible?


#1

Hello,

I wonder about leaving lxc using docker instead.

I have used privileged lxc containers for years. Currently I wanted to run unpriviledged lxc containers. Well, one lxc container with user mapping to my hostuser runs fine.
More than that one is making troubles I can’t solve so far and neither I got help, yet.

As far as I have read about docker, it depends on using root at least to start the application, or there is a real root (0:0) in the linux container - by design. Running unpriviledged seems possible but is no standard. - So I expect the same or other problem when doing so.

What do you think, can I have multiple unprivileged linux dockers with id-mappings to the hostuser?


(Metin Y.) #2

Every image should be preped in a way that the main process is started as a unprivileged user:

Of course it is: see https://docs.docker.com/engine/reference/run/#user
You need to create a unpriviliged user in a RUN instruction, then the user of the first USER instruction can be overriden by docker run --user

It is also possible to declare the user setting in docker-compose.yml.

Another possibility is to use a system deamon like s6-overlay. They typicaly require root during start, but allow to execute the main process with a unprivileged user.

While the second approach allows to correct permissions in mounted volume, the first approach is a purer approach, which typical has easier to read/write/understand Dockerfiles.


#3

Thank you for your answer. I solved my problem running multiple unpriviledged lxc containers. I prefer staying with them. Maybe one day I come to need docker, too.

Cheerio.