Shulou(Shulou.com)06/01 Report--

This article mainly shows you "what is uid and gid in the docker container", the content is easy to understand, clear, hope to help you solve your doubts, the following let the editor lead you to study and learn "what is uid and gid in the docker container" this article.

By default, the processes in the container run with root privileges, and this root user is the same as the root in the host. Doesn't that sound scary, because it means that once the process in the container has the right opportunity, it can control everything on the host! In this article, we will try to understand how user names, group names, user id (uid), and group id (gid) are mapped between processes within the container and host systems, which is important for system security.

Let's take a look at uid and gid.

Uid and gid are managed by the Linux kernel and determine whether privileges should be granted to a request through kernel-level system calls. For example, when a process tries to write to a file, the kernel checks the uid and gid of the creating process to determine if it has sufficient permissions to modify the file. Note that the kernel uses uid and gid instead of user and group names.

For simplicity, the rest of this article only takes uid as an example, and the system treats gid in the same way as uid.

Many students simply understand the docker container as a lightweight virtual machine, which simplifies the difficulty of understanding container technology, but it is also easy to lead to a lot of misunderstandings. In fact, unlike virtual machine technology, all containers running on the same host share the same kernel (the kernel of the host). The great value of containerization is that all these separate containers (actually processes) can share a kernel. This means that even though hundreds of containers run on the docker host, there is still only one set of uid and gid controlled by the kernel. So the same uid represents the same user in both the host and the container (even if different user names are displayed in different places).

Note that since the normal Linux tools used to display usernames do not belong to the kernel (such as commands such as id), we may see the same uid displayed as different usernames in different containers. But you can't have different privileges for the same uid, even in different containers.

If you have learned about Linux's user namespace technology, refer to "Linux Namespace: User". You should note that so far, docker has not enabled user namesapce by default, which is also discussed in this article. The author will explain how to configure docker to enable user namespace in the next article.

Root users are used by default in the container

If you do not make relevant settings, the processes in the container start with root user rights by default. The following demo runs the sleep program using ubuntu image:

$docker run-d-name sleepme ubuntu sleep infinity

Notice that sudo is not used in the above command. The author's login user in the host is nick,uid 1000:

View the information of the sleep process in the host:

$ps aux | grep sleep

The valid user name for the sleep process is root, which means that the sleep process has root privileges.

Then go inside the container and see that the sleep process also has root permissions as before:

So, is the root user in the container the same as the root user on the host?

The answer is: yes, they correspond to the same uid. The reason we explained earlier is that the entire system shares the same kernel, while the kernel manages only one set of uid and gid.

In fact, we can simply verify the above conclusion through data volumes. Create a file on the host that only root users can read and write:

Then mount it to the container:

$docker run-- rm-it-w=/testv-v $(pwd) / testv:/testv ubuntu

You can read and write this file in the container:

We can specify the user identity of the process in the container through the USER command in Dockerfile or the-- user parameter of the docker run command. Let's explore these two situations respectively.

Specify user identity in Dockerfile

We can add a user appuser to Dockerfile and use the USER command to specify that the program runs as that user. The content of Dockerfile is as follows:

FROM ubuntuRUN useradd-r-u 1000-g appuserUSER appuserENTRYPOINT ["sleep", "infinity"]

Compile into an image named test:

$docker build-t test.

Start a container with a test image:

$docker run-d-name sleepme test

View the information of the sleep process in the host:

The valid user shown this time is nick, because in the host, the name of the user whose uid is 1000 is nick. Then go into the container and take a look:

$docker exec-it sleepme bash

The current user in the container is the appuser we set. If you look at the / etc/passwd file in the container, you will find that the uid of the appuser is 1000, which is the same as the uid of the user nick in the host.

Let's create another file that only the user nick can read and write:

It is also mounted into the container as a data volume:

$docker run-d-name sleepme-w=/testv-v $(pwd) / testv:/testv test

In the container, the owner of testfile becomes appuser, and of course appuser has permission to read and write to the file.

What's going on here? And what does all this mean?

First, there is a user nick with a uid of 1000 in the host system. Secondly, the program in the container runs as appuser, which is specified by us in the Dockerfile program through the USER appuser command.

In fact, there is only one uid 1000 managed by the system kernel, which is considered the user nick in the host and the user appuser in the container.

So one thing we need to be clear about: inside the container, the user appuser can obtain the rights and privileges of the user nick outside the container. The privileges granted to the user nick or uid 1000 on the host will also be granted to appuser in the container.

Customize the user identity from the command line arguments

We can also specify the user identity of the process in the container through the-- user parameter of the docker run command. For example, execute the following command:

$docker run-d-user 1000-name sleepme ubuntu sleep infinity

Because we instructed the argument-- user 1000-- on the command line, the valid user of the sleep process is shown here as nick. Go inside the container and take a look:

$docker exec-it sleepme bash

What's going on here? The user name is displayed as "I have no name!"! Check the / etc/passwd file, and sure enough, there are no users with a uid of 1000. Even without a user name, it does not in any way affect the permissions of that user's identity, it can still read and write files that only nick users can read and write, and the user information is replaced by the user name by uid:

It is important to note that the user identity specified by docker run-- user when creating the container overrides the value specified in Dockerfile.

We re-run the two containers through the test image:

$docker run-d test

View sleep process information:

$docker run-- user 0-d test

View the sleep process information again:

Processes that specify the-- urser 0 parameter show that the valid user is root, indicating that the command-line argument-- user 0 overrides the setting of the USER command in Dockerfile.

The above is all the content of the article "what are uid and gid in the docker container?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.