Docker Community Forums

Share and learn in the Docker community.

Portable way to grant a non-root container user access to a device

Hi everyone! I have an application deployed with a Docker Compose file that uses webcams. Historically, my service has run as root with privileged: true, which has allowed me to access all webcams on the user’s device without a problem. Now I’m trying to be a more responsible service by running as a normal user in the container, but in doing so I’ve lost access to the /dev/video* devices. My first inclination was to add my container user to the video group with group_add, but this appears not to be portable because different distributions assign the video group to different group IDs.

For example, in my Arch Linux host environment:

$ cat /etc/group | grep "video"
video:x:986:velovix

But in an ubuntu:18.04 container:

$ cat /etc/group | grep "video"
video:x:44:

This is problematic because the /dev/video* files that are added to the container maintain the group IDs from the host environment.

$ ls -l /dev/video0
crw-rw---- 1 root 986 81, 0 May  4 23:51 /dev/video0

Does anyone know of a portable way to grant my non-root container user access to these webcam devices?

I suspect that Stack Overflow might be a better platform for a support question like this, so I posted it there: https://stackoverflow.com/q/61620458/2159348

Well I’m afraid there’s no “easy way” around this … other than to write a script that detects the right video group an “adds” you user to that group every time the container starts. Otherwise you’ll need to build separate images for each distribution where you hardwire the group id’s to your app-user.

There is alway the possibility to add a user and group in the container and give them random id’s. Use -u when starting the container to let docker replace the uid/gid with those specified in -u. This also works with docker-compose.