3

Recently I've been trying to run my Docker application as a non-root user. I've seen there are several options available to me:

  1. Install rootless Docker: apparently this is a "non-root" version of Docker that runs containers as users other than root.
  2. Use normal (rootful) Docker, but run containers with docker run with the --user flag.
  3. Use Podman to run the container.

I am not familiar with any of these solutions; I've only ever used Docker as root. So what are the differences and advantages/disadvantages of these methods?

Isn't the result exactly the same, i.e., a container running as non-root user?

Klangen
  • 145
  • 1
  • 5

1 Answer

2

They are different things.

  • docker run --user sets the UID to be used inside the container. It is useful to limit the privileges of the specific program which runs within the container itself.

  • rootless docker means running the docker daemon itself as a non-privileged user. A flaw in docker itself will be contained without giving root permissions on the host system. From docker's docs:

Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.

  • podman is a daemon-less reimplementation of docker. Not having a central daemon to run/manage all the container instances is supposed to be more secure and lightweight.
shodanshok
  • 47,711
  • 7
  • 111
  • 180
  • Should it mean that a container launched with `--user subuser` would **never** be able to access a directory on the host which is owned by `root` (which has permissions set to 700)? I have a container launched as a sub-user, with a volume from the host, but if I `docker exec` that container, I'm still able to read/write the volume content FROM that container, including deleting root-owned files. – Arthur Attout Apr 16 '23 at 19:57
  • `docker run --user` sets the user for only the one command you run using that command. As you noted, you can always run another command as another user -- `docker exec` also has a `--user` argument. – chutz Apr 21 '23 at 02:22
  • _docker run --user sets the user for only the one command you run using that command_ does it also define the internal permissions of the container? – Arthur Attout Apr 23 '23 at 16:06
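The following is an added example, not code from the question, the answer or the Docker project. It models the host-side permission decision for a bind-mounted, root-owned `0700` directory so the difference between the three approaches above is visible: with a rootful daemon `--user` changes the UID the host kernel sees, but a process that is root inside the container is real root on the host and holds `CAP_DAC_OVERRIDE`; with a rootless daemon container root maps to the daemon's own unprivileged user. The second function shows the `docker` commands used to read the real UIDs back rather than assume them. The path `/srv/secret`, the container name `probe`, the daemon user `1000` and the subuid base `100000` are constructed sample values; the rootless mapping shown (container uid 0 to the daemon's user, uid 1 onwards to the `/etc/subuid` range) is the usual default and should be confirmed from `/proc/self/uid_map` on the real host.

```shell
#!/bin/sh
# Added example; not from the original answer or from Docker/Podman.

# host_uid MODE CONTAINER_UID DAEMON_UID SUBUID_BASE
# Translate the UID a process has inside the container into the UID the
# host kernel uses when it checks a bind-mounted path.
#   rootful : no user namespace, the UID is used as-is (0 is real root)
#   rootless: uid 0 maps to the daemon's own user; uid N>0 maps into the
#             /etc/subuid range starting at SUBUID_BASE (N=1 -> base).
#             (assumed default mapping, verify with /proc/self/uid_map)
host_uid() {
    mode=$1; cuid=$2; duid=$3; base=$4
    case $mode in
        rootful)  echo "$cuid" ;;
        rootless) if [ "$cuid" -eq 0 ]; then echo "$duid"; else echo $(( base + cuid - 1 )); fi ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# dac_allows HOST_UID OWNER_UID PERM_OCTAL r|w|x
# Minimal discretionary-access check as the host kernel performs it
# (group bits omitted for brevity). Host UID 0 is treated as holding
# CAP_DAC_OVERRIDE, which root in a rootful container has by default.
dac_allows() {
    uid=$1; owner=$2; perm=$3; want=$4
    [ "$uid" -eq 0 ] && { echo allow; return 0; }
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (0$perm >> 6) & 7 ))   # owner triplet
    else
        bits=$(( 0$perm & 7 ))          # "other" triplet
    fi
    case $want in
        r) mask=4 ;; w) mask=2 ;; x) mask=1 ;;
        *) echo "bad access type: $want" >&2; return 2 ;;
    esac
    if [ $(( bits & mask )) -ne 0 ]; then echo allow; else echo deny; fi
}

# can_read MODE CONTAINER_UID
# Sample scenario from the comment thread: host directory owned by root
# with mode 0700, daemon user 1000, subuid base 100000 (constructed values).
can_read() {
    dac_allows "$(host_uid "$1" "$2" 1000 100000)" 0 700 r
}

# Checking the real thing (needs docker on PATH and a root-owned 0700
# directory at /srv/secret; this function is not called automatically).
# Read the effective UIDs back instead of assuming what --user did.
verify_with_docker() {
    docker info --format '{{.SecurityOptions}}'        # lists name=rootless on a rootless daemon
    docker run -d --name probe --user 1000:1000 -v /srv/secret:/data busybox sleep 300
    docker inspect --format '{{.Config.User}}' probe   # the user recorded from --user
    docker exec probe id -u                            # uid an exec without --user actually gets
    docker exec --user 1000:1000 probe sh -c 'ls /data || echo denied'
    docker rm -f probe
    # rootless podman: show the uid_map the container root is confined to
    command -v podman >/dev/null && podman unshare cat /proc/self/uid_map
}
```

Run `can_read rootful 1000` and `can_read rootless 0` to see that both are denied, while `can_read rootful 0` is allowed: the first two are the `--user` and rootless cases, the last is a root process inside a rootful container, which is what an unrestricted `docker exec` can hand you. `verify_with_docker` prints the same facts from a live daemon.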