I really like Docker, I really do. I like the concepts and features. I’m not a Docker newbie, but not an expert either.
My use case: I work for a company developing software, and I want to use Docker as a means to ship and deploy our product to our company's servers. Our software produces logfiles, and needs some persistent configuration that should not be lost when installing an update, so obviously we use some Docker volumes.
I understand most Docker concepts, have created Dockerfiles, our CI server builds images, all works fine.
But one thing I have not found so far is this:
Is there a recent / official / complete best-practice document for how to approach Docker image user management, and the impact on volume permissions, when not using a dedicated host per container?
Some more elaboration.
Obviously containers should not run as root, for security reasons. I get that. Therefore, the image should contain instructions that create another user. OK. We use the Linux useradd command for that.
Browsing around, I find generally two variations in Dockerfiles:
- useradd without a specific UID
- useradd with a specific UID
(example: postgres: RUN groupadd -r postgres --gid=999 && useradd -r -g postgres --uid=999 postgres)
When these containers create volumes, the UID of the container is used for file permissions.
So, when I install multiple applications on a same docker host, the volumes of these containers are owned by uid 999 (postgres), or 200 (JFrog artifactory), 500 (Sonatype Nexus) on the linux host.
Which leads me to wonder: when a container creates a user, is it automatically created on the Docker host server as well? I guess not; the uid and gid are just numbers, without a reference to a user on the host?
Let's continue with the example of the JFrog Artifactory developers, who have apparently chosen uid 200 for their user.
This raised the following concerns / questions for me:
- What if the host server already contains a uid 200 for a real Linux user, and then you deploy an Artifactory container (which also makes use of uid 200). What is the impact / risk? Will that existing user have permissions to all Artifactory volumes?
- What if another company decided to use uid 200 in its Dockerfile, and a container of that other company was already installed on the Docker host, and then you deploy an Artifactory container.
What is the impact / risk? Will there be a conflict / clash for uid 200?
Or, another, similar scenario I can think of:
- Install postgres as an rpm on a Linux server. Automatically, a user 'postgres' is created on the host server.
- Then, install Docker, and a postgres container (ok, why would you do that...).
-> What is the risk / impact of having a user 'postgres' on the host, and a user 'postgres' in the container? I guess they will have different uids. But is there a potential issue?
So, in short, I like the idea of using a Docker server with multiple containers for different applications, because the overhead of each container is much less compared to a virtual machine for each application. But I'm really looking for good advice / documentation on how to deal with users and permissions for that case.
And from another perspective, as a company, we want to build and ship containers to a Docker host server that we are not maintaining ourselves:
- what uid should we choose for our user?
- what requirements should we pose to our customers, to avoid any conflicts with user names or uids or gids?
Is there a resource available that provides an answer to these questions?
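A small deployment pre-check for the uid/gid clash the post worries about, added here as an example and not taken from the original post or from any Docker documentation. It assumes the host's account database is in the usual /etc/passwd and /etc/group format; the sample files below are constructed, and the uids 200 and 999 are the ones the post mentions for Artifactory and postgres. The point it demonstrates: the kernel only compares the numeric uid on a volume file against the numeric uid of a process, so a container user with uid 200 and a host login with uid 200 are the same owner, whatever either side calls that user in its own passwd file.

```shell
#!/bin/sh
# Added example (not from the original post): check a planned container
# uid/gid against a host account database before deploying, so a container
# user does not silently share file ownership with an unrelated host account.

# uid_owner PASSWD_FILE UID -> prints the host login owning UID, or nothing
uid_owner() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# gid_owner GROUP_FILE GID -> prints the host group owning GID, or nothing
gid_owner() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# check_ids PASSWD_FILE GROUP_FILE UID GID
# Returns 0 if neither id is taken on the host, 1 otherwise, and prints one
# line per clash so it can be wired into a deployment script.
check_ids() {
    rc=0
    u=$(uid_owner "$1" "$3")
    if [ -n "$u" ]; then
        echo "CLASH: uid $3 is already host user '$u'; files a container writes as uid $3 belong to '$u' on the host"
        rc=1
    fi
    g=$(gid_owner "$2" "$4")
    if [ -n "$g" ]; then
        echo "CLASH: gid $4 is already host group '$g'"
        rc=1
    fi
    return $rc
}

# Constructed sample host account databases (not a real host's files).
# 'alice' is a real login that happens to have uid 200; 'postgres' is the
# account an rpm install of postgres created, with uid 26.
PASSWD_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/sh
alice:x:200:200:Alice:/home/alice:/bin/sh
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
root:x:0:
postgres:x:26:
alice:x:200:
EOF

# Usage: an image whose user is uid 200 / gid 200 clashes with host user
# 'alice'; the postgres image's 999 / 999 is free on this sample host, and
# the host's own 'postgres' account (uid 26) is simply a different owner.
check_ids "$PASSWD_SAMPLE" "$GROUP_SAMPLE" 200 200 || echo "choose a different uid/gid or reconcile with the host"
check_ids "$PASSWD_SAMPLE" "$GROUP_SAMPLE" 999 999 && echo "uid/gid 999 is unused on this host"
```

Run it against a real host by replacing the two sample paths with /etc/passwd and /etc/group; a clean result only says no host account currently carries that number, so the same check belongs in the install steps for every further image deployed on the shared host.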