shimitar (Guru)
Joined: 23 Nov 2003, Posts: 331, Location: Italy, Torino
Posted: Mon Dec 18, 2023 10:35 am, Post subject: Question on docker
Hi all!
I am new to docker usage, but I need to install a few services on my server that are only provided as docker images (I am referring to LibrePhotos) or for which there are no clear or simple instructions on how to install on bare metal.
I see that the containers and the processes inside are all running as "root" (or uid 999), which greatly annoys me because all my other services are properly constrained in specific users with groups where data needs to be shared. This docker thing does not go down well with me.
Following the docker gentoo wiki I have created an unprivileged user in group "docker" and I am using it to start the containers, but still everything runs as root.
I am sure I am doing something wrong here, as it's hard to believe docker stuff all needs root access.
Any insights?
_________________
Willy Gardiol
willy@gardiol.org
spica (Guru)
Joined: 04 Jun 2021, Posts: 329
Posted: Tue Dec 19, 2023 8:41 am
Explore the original Dockerfile utilized in crafting the image and tailor it to meet your specifications.
Additionally, consider supplying a custom UID/GID for use within the container. Keep in mind that
if the image creators did not prioritize specifying privileges within the container, merely assigning
a new UID may not yield the desired outcome.
A little bit about using the same uid/gid inside a container
Hu (Administrator)
Joined: 06 Mar 2007, Posts: 22578
Posted: Wed Dec 20, 2023 1:54 am, Post subject: Re: Question on docker
shimitar wrote:
> I am sure I am doing something wrong here, as it's hard to believe docker stuff all needs root access.
> Any insights?

As I understand it, your mistake here is in assuming that Docker is sane or reasonable. If I recall correctly, docker build will default to building an image that runs the contained processes as root unless directed otherwise in the Dockerfile build recipe. Therefore, you get the bad behavior by default. To get the good behavior, you need the authors of the relevant images to Do The Right Thing in specifying a non-root user to run as, and arranging for all relevant files in the image to be accessible in the intended way by the non-root user so picked. As spica alludes, if you only override the uid/gid of the contained process and make no other changes, there is a good chance you will break things. This override might work for simple images where the image filesystem is read-only and permissions are lax. Otherwise, the contained process may be relying on its root uid to enable it to access the files it wants.
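As an added example, not from any poster in this thread and not the LibrePhotos project's own recipe: a minimal Dockerfile in the shape spica and Hu describe. The commented-out recipe at the top is the default form that runs everything as root; the rest creates a dedicated account, hands the application's files and writable directories to it, and switches to it with USER so the final CMD no longer runs as uid 0. The base image, the path /srv/app, the script run.sh and the UID/GID 10001 are assumed values chosen for illustration.

```dockerfile
# Added example (not the image author's Dockerfile).
#
# The default shape: no USER directive, so every process in the container
# runs as uid 0 (root), which is what `docker build` gives you unless told
# otherwise. Left here, commented out, for comparison:
#
#   FROM alpine:3.19
#   COPY app/ /srv/app/
#   CMD ["/srv/app/run.sh"]
#
# Hardened shape: same application, explicit non-root identity.
FROM alpine:3.19

# Build-time knobs so the host admin can pick a UID/GID matching the host
# account that owns the shared data (assumed defaults; override at build time).
ARG APP_UID=10001
ARG APP_GID=10001

# Create the group and user inside the image. On Alpine/BusyBox, -S makes a
# system account, -D assigns no password, -H creates no home directory.
RUN addgroup -g "${APP_GID}" -S app \
 && adduser -u "${APP_UID}" -G app -S -D -H app

# Copy the application in and give ownership to that user. Without --chown
# the files land root-owned, and a later USER switch leaves the process unable
# to write where it expects to: this is the breakage Hu describes when only
# the uid is overridden.
COPY --chown=app:app app/ /srv/app/

# Directories the service writes at runtime must belong to the user too.
RUN mkdir -p /srv/app/data /srv/app/cache \
 && chown -R app:app /srv/app/data /srv/app/cache

# Everything from here on, including the final CMD, runs as the non-root user.
USER app
WORKDIR /srv/app
CMD ["/srv/app/run.sh"]
```

To match the in-container account to a host user, pass the ids at build time, for example `docker build --build-arg APP_UID=$(id -u photos) --build-arg APP_GID=$(id -g photos) -t myapp .`, then confirm with `docker run --rm myapp id`. For a third-party image you did not build, `docker inspect --format '{{.Config.User}}' IMAGE` shows whether its author set USER at all; an empty result means root. Overriding at run time with `docker run --user UID:GID` on such an image is the unmodified-uid trick spica and Hu warn about: it works only if every file the service touches is readable and writable by that uid, which is rarely true of an image built with root-owned files.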