Old 01-23-2024, 03:10 PM   #1
LQ496873
Member
 
Registered: Jan 2006
Distribution: openSUSE Leap 15.3
Posts: 120

Containers and users/groups


I could easily hammer out a 1000 word question here but to keep it blunt...

When creating a docker container what should I set uid and gid to?

I did a test drive of my home server and got everything working great but now I'm doing the final install (ha!!) I need to get this right, but completely overlooked it earlier.

A bit of context...
I've installed openSUSE MicroOS which comes with a user called 'root' that is in a group called 'root'. The first thing I did after booting up for the first time is create a user called 'server' and put it in two groups; 'users' and 'docker'.

Given docker is essentially a group with the same privileges as root (at least I read/think it is!) and it's a read-only OS is this user necessary? Should I just use the root user?

I've completely stumped myself because I ran a docker command to create a cloudflare tunnel, then did a nextcloud install with a custom data directory but later noticed that directory has a user called '33' and is in the root group... I've no idea where that '33' comes from. And now I'm looking at adding a gitea container too and see the template docker-compose has uid:gid of 1000:1000. The server user has a uid of 1000 but I don't have a group with gid of 1000 so looked into changing it and I suddenly realised I don't understand users and groups in the context of what I'm doing, or at all! The final nail in the coffin was when I created the directory /home/server/docker-compose to keep my docker-compose files and saw it's in the group, 'docker'. Why? and how? did it do that!

So, to go back to my first question.... When creating a docker container what should I set uid and gid to? And is it worth creating a user when I'm using an immutable container host?

Thank you!

Last edited by LQ496873; 01-23-2024 at 03:13 PM.
 
Old 01-24-2024, 06:01 AM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,970

It depends on the functionality; usually an independent user/group is suggested.
 
Old 01-25-2024, 09:42 AM   #3
LQ496873
Member
 
Registered: Jan 2006
Distribution: openSUSE Leap 15.3
Posts: 120

Original Poster
Thank you for your reply... long story short - my worry is over. I should have read more of the docker docs before posting (usually the case!). I've stopped using the docker group and made a note not to add '--privileged' to a docker run command. Not that I did but...
 
Old 02-13-2024, 08:44 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,678
Blog Entries: 4

"UID/GID" is one of the illusions that a container system maintains for its "guests."

To quote Aladdin: The guests may think that they have "phenomenal cosmic powers" (i.e. "root"), but to the host they actually have "iddy-biddy living space."

However, from the point-of-view of the container guests, the "illusion" is not an illusion at all.

But, always be sure that "'root' on the guest" is not "'root' on the host," even though this is usually an option.
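
Added example, not part of any post in this thread: a shell check of the mapping the last reply describes, which the kernel exposes as `/proc/<pid>/uid_map`. It translates a UID seen inside a container to the UID the host uses, which shows both whether container root is host root and why a container process running as UID 33 leaves files owned by a bare `33` on the host. The two sample maps are constructed, and the function names `map_uid` and `root_is_host_root` are made up for this example.

```shell
#!/bin/sh
# Translate a UID seen inside a container to the UID the host kernel uses.
# Each uid_map line reads: <first-id-inside> <first-id-outside> <count>

# Constructed sample maps (not captured from a real system).
# No user-namespace remapping: every ID inside is the same ID on the host.
IDENTITY_MAP='         0          0 4294967295'
# Remapped: container IDs 0..65535 land on host IDs 100000..165535.
REMAPPED_MAP='         0     100000      65536'

# map_uid <container-uid> <uid_map-text>
# Prints the host UID, or "unmapped" when no range covers the container UID.
map_uid() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 {
            print $2 + (id - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# root_is_host_root <uid_map-text>
# Succeeds when UID 0 inside the container is UID 0 on the host.
root_is_host_root() {
    [ "$(map_uid 0 "$1")" = "0" ]
}

# Audit a live process when its host PID is given as the first argument,
# for example the PID of a container's main process.
if [ -n "${1:-}" ] && [ -r "/proc/$1/uid_map" ]; then
    live_map=$(cat "/proc/$1/uid_map")
    if root_is_host_root "$live_map"; then
        echo "PID $1: root inside the container is root on the host"
    else
        echo "PID $1: container root is host UID $(map_uid 0 "$live_map")"
    fi
    echo "PID $1: container UID 33 is host UID $(map_uid 33 "$live_map")"
fi
```

With the identity map, files written by container UID 33 into a bind-mounted directory are owned by host UID 33, and `ls -l` prints the number when the host has no account with that ID.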
 
  

