1. Overview
Docker is a popular containerization tool that lets developers build, ship, and run containerized applications.
These containers are self-contained, lightweight, and portable, and they run on any host system with Docker installed. With Docker containers, developers can isolate their applications from the underlying host system and its dependencies, rendering them more dependable and secure.
In this tutorial, we’ll learn how to set a user in a Docker container from the host machine.
2. Understanding User in Docker Container
Before we dive into the process of setting a user in a Docker container, it’s important to understand how users work in a Docker container. Every container runs as a default user. This default user is frequently the root user, although it can also be a non-root user, depending on the base image used to build the Docker image.
Docker images include a default user with a pre-established user ID (UID) and group ID (GID). Typically, Docker containers run as the same user as their host systems. Hence, the UID and GID of the default user of the container are the same as those of the user who started it. However, a different user can be assigned to the container, enhancing security by restricting resource access.
3. Using the Dockerfile
By default, Docker runs containers with a root user, which can create a security risk and cause permission issues when accessing files and directories. Hence, the container user should be a non-root user with appropriate permissions.
To create a new user in a Docker image, we can use a Dockerfile with the ARG, RUN, and USER instructions:
FROM alpine:latest
ARG DOCKER_USER=default_user
RUN addgroup -S $DOCKER_USER && adduser -S $DOCKER_USER -G $DOCKER_USER
USER $DOCKER_USER
CMD ["whoami"]
The above Dockerfile kicks off by adopting the most recent release of Alpine Linux. Next, it employs the ARG directive to establish a default username value. In case the user doesn’t provide a name, the value “default_user” will be utilized.
The RUN instruction performs two tasks: it creates a group and a user inside the container, using the addgroup and adduser commands. The -S option makes a system group or user, which is more dependable. Finally, the -G option adds the new user to the group that has the same name.
Now, let’s take a look at the command to build the image:
$ docker build --build-arg DOCKER_USER=baeldung -t dynamicuser .
This will create a Docker image named dynamicuser that contains the new user baeldung created by the Dockerfile. Let’s run the container and check out the output of the whoami command:
$ docker run --rm --name dynamicuser dynamicuser
baeldung
The above output shows that a user named baeldung was created inside the container and is the user the container runs as.
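A static check for the result of this section, as an added example that is not part of the original tutorial: it resolves which user the final stage of a Dockerfile runs as, applying ARG defaults and --build-arg overrides, and flags root. The function names are hypothetical, base images are assumed to default to root, and only ARG substitution in USER is handled (not ENV).

```python
import re

# Constructed sample: the Dockerfile shown in section 3 of this page.
SAMPLE = """\
FROM alpine:latest
ARG DOCKER_USER=default_user
RUN addgroup -S $DOCKER_USER && adduser -S $DOCKER_USER -G $DOCKER_USER
USER $DOCKER_USER
CMD ["whoami"]
"""

_VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")  # matches $NAME and ${NAME}

def effective_user(dockerfile, build_args=None):
    """Return the USER value in effect at the end of the final build stage."""
    build_args = build_args or {}
    stage_args, global_args, user, in_stage = {}, {}, "root", False
    # Join backslash line continuations, then walk one instruction per line.
    for line in re.sub(r"\\[ \t]*\n", " ", dockerfile).splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if instr == "FROM":
            # New stage: stage ARGs go out of scope, user falls back to the
            # base image's default (assumed root in this example).
            stage_args, user, in_stage = {}, "root", True
        elif instr == "ARG":
            name, eq, default = rest.partition("=")
            # "ARG NAME" without a default inherits a pre-FROM declaration.
            default = default.strip("\"'") if eq else global_args.get(name, "")
            target = stage_args if in_stage else global_args
            target[name] = build_args.get(name, default)  # --build-arg wins
        elif instr == "USER":
            user = _VAR.sub(
                lambda m: stage_args.get(m.group(1) or m.group(2), ""), rest)
    return user

def runs_as_root(user):
    """True when a USER value (name or UID, optionally ':group') means root."""
    # An empty value is treated as root so the check fails closed.
    return user.split(":", 1)[0] in ("", "root", "0")

if __name__ == "__main__":
    for ba in ({}, {"DOCKER_USER": "baeldung"}):
        u = effective_user(SAMPLE, ba)
        print(ba, "->", u, "(root)" if runs_as_root(u) else "(non-root)")
```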
4. Using the --user Option in docker run Command
Another way to set the user in a Docker container from the host is by providing environment variables to the docker run command. This method permits us to assign the user while the container runs, and it’s handy sometimes.
The environment variables represent the user’s UID and GID, which are applied to set the user in the container. To perform this action, we must first use the id -u and id -g commands to export the UID and GID variables from the host’s terminal. Then, we can apply these variables to the docker run command by using the --user option.
Using the id command, we can set the values for UID and GID. In bash, UID is already defined as a read-only variable holding the same value, so the first export only reports a "readonly variable" error there and can be skipped:
$ export UID=$(id -u)
$ export GID=$(id -g)
These commands retrieve the user’s UID and GID and export them as shell environment variables named UID and GID. Next, let’s look at the command to provide these values to docker run:
$ docker run --rm \
    --user $UID:$GID \
    --workdir="/home/$USER" \
    --volume="/etc/group:/etc/group:ro" \
    --volume="/etc/passwd:/etc/passwd:ro" \
    --volume="/etc/shadow:/etc/shadow:ro" \
    alpine ash -c "whoami"
centos
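The docker run command uses the --user option to set the user’s UID and GID in the container. The --workdir option sets the working directory to the user’s home directory, while the --volume option mounts the host’s account files into the container read-only (:ro) so that the UID and GID resolve to names. Resolving the user name for whoami only requires /etc/passwd; /etc/shadow holds the host’s password hashes, so it’s worth leaving that mount out unless something in the container needs it.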
The Docker container will adopt the user centos from the host machine by running the above command.
One advantage of this method is that it offers more flexibility in setting the user in the container since the UID and GID can be specified dynamically at runtime. However, it is more complicated to set up than the Dockerfile method and requires additional commands to export the UID and GID variables.
5. Conclusion
In this article, we learned how to set a user in a Docker container from the host. First, we discussed the role of a user in a Docker container. After that, we explained two ways to set the user for a Docker container.