Docker Container User Mapping

Source: Internet
Author: User
Tags: curl, docker run, jenkins, docker

Root (UID 0) is the default user of a container. The creator of a Docker image can add a new user.

For example, the Dockerfile of the Jenkins image looks like this:

FROM java:8-jdk

RUN apt-get update && apt-get install -y wget git curl zip && rm -rf /var/lib/apt/lists/*

ENV JENKINS_HOME /var/jenkins_home
ENV JENKINS_SLAVE_AGENT_PORT 50000

# Jenkins is run with user `jenkins`, uid = 1000
# If you bind mount a volume from the host or a data container,
# ensure you use the same uid
RUN useradd -d "$JENKINS_HOME" -u 1000 -m -s /bin/bash jenkins

# Jenkins home directory is a volume, so configuration and build history
# can be persisted and survive image upgrades
VOLUME /var/jenkins_home

# `/usr/share/jenkins/ref/` contains all reference configuration we want
# to set on a fresh new installation. Use it to bundle additional plugins
# or config file with your custom jenkins Docker image.
RUN mkdir -p /usr/share/jenkins/ref/init.groovy.d

ENV TINI_SHA 066ad710107dc7ee05d3aa6e4974f01dc98f3888

# Use tini as subreaper in Docker container to adopt zombie processes
RUN curl -fL https://github.com/krallin/tini/releases/download/v0.5.0/tini-static -o /bin/tini && chmod +x /bin/tini \
  && echo "$TINI_SHA /bin/tini" | sha1sum -c -

COPY init.groovy /usr/share/jenkins/ref/init.groovy.d/tcp-slave-agent-port.groovy

ENV JENKINS_VERSION 1.625.3
ENV JENKINS_SHA 537d910f541c25a23499b222ccd37ca25e074a0c

# could use ADD but this one does not check Last-Modified header
# see https://github.com/docker/docker/issues/8331
RUN curl -fL http://mirrors.jenkins-ci.org/war-stable/$JENKINS_VERSION/jenkins.war -o /usr/share/jenkins/jenkins.war \
  && echo "$JENKINS_SHA /usr/share/jenkins/jenkins.war" | sha1sum -c -

ENV JENKINS_UC https://updates.jenkins-ci.org
RUN chown -R jenkins "$JENKINS_HOME" /usr/share/jenkins/ref

# for main web interface:
EXPOSE 8080

# will be used by attached slave agents:
EXPOSE 50000

ENV COPY_REFERENCE_FILE_LOG $JENKINS_HOME/copy_reference_file.log

USER jenkins

COPY jenkins.sh /usr/local/bin/jenkins.sh
ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]

# from a derived Dockerfile, can use `RUN plugins.sh active.txt` to setup /usr/share/jenkins/ref/plugins from a support bundle
COPY plugins.sh /usr/local/bin/plugins.sh

Please note this line:

RUN useradd -d "$JENKINS_HOME" -u 1000 -m -s /bin/bash jenkins

The author created a new user called jenkins and gave it UID 1000.

If we do not mount any volume into the container, this causes no problem. If we do mount a volume into the container, we run into a permissions problem.

Suppose the local directory /opt/jenkins_home is mounted as /var/jenkins_home in the container, and the local /opt/jenkins_home is owned by root:

# ls -l /opt
drwxr-xr-x  2 root root  4096 Dec 03:11 jenkins_home/

When the container runs, Jenkins tries to write data to this directory, and the write fails.

Why?

Because the jenkins user in the container has UID 1000, its process is UID 1000 on the host machine as well, and UID 1000 cannot write to a directory owned by root. The kernel checks the numeric UID, not the user name.

There are two ways to resolve this.

1. Change the owner of the local /opt/jenkins_home to the user with UID 1000. Assuming the local user with UID 1000 is ubuntu:

# chown -R ubuntu:ubuntu /opt/jenkins_home

Now, when this directory is mounted into the container, the jenkins user in the container has permission to write to it.

Or:

2. Specify a user with the -u option of docker run.

The -u option of docker run sets the user the container runs as; its value can be either a user name or a UID.
If a user name is given, that user must exist in the container. If a UID is given, there is no such restriction.

We'll keep using the Jenkins image as the example. If I specify -u ubuntu when running, the container fails to start:

Error: cannot start container e0e1201fb3192d0f8e68656de3657e2ae80b111e5f72f56583c908533a89f525: [8] System error: Unable to find user ubuntu

Back to the problem above: the owner of /opt/jenkins_home is root, so the container cannot write data there. We can pass -u root when running, so that the user inside the container becomes root and can write to /opt/jenkins_home.

Summary: the creator of an image can specify the user the container runs as, because the author judges that the process in the container does not need to run as root. The UID of the user chosen by the author is usually 1000 (if the image is based on Ubuntu or Debian), so that it maps onto the first local user.

If you do not want to use the user chosen by the author, you can specify a user with the -u option when running. The value of the option can be either a user name or a UID.
If it is a user name, that user must exist in the container. If it is a UID, the user does not need to exist in the container.
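The following is an added example, not part of the original page: a host-side helper that answers the question this article raises (can the container's UID write to a bind-mounted directory?) before the container is started, using only the numeric owner, group and mode bits that the kernel itself consults. It assumes GNU coreutils (stat -c) and a hypothetical function name, check_bind_mount_uid.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the page or the Jenkins image).
# check_bind_mount_uid HOST_DIR CONTAINER_UID
#   returns 0 if a process with CONTAINER_UID could write to HOST_DIR once it
#   is bind-mounted, 1 if not (and prints the two fixes from the article),
#   2 on bad input. Only numeric ids matter: the container's user *name* is
#   never consulted by the kernel. Assumes GNU coreutils for `stat -c`.

has_write_bit() {
    # One octal permission digit; the "2" bit is write.
    case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

check_bind_mount_uid() {
    dir=$1
    cuid=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    # uid 0 bypasses discretionary permission checks: this is why
    # "docker run -u root" works even on a root-owned directory.
    [ "$cuid" -eq 0 ] && return 0
    set -- $(stat -c '%u %g %a' "$dir")    # owner uid, group gid, octal mode
    ouid=$1
    ogid=$2
    perm=$(printf '%s' "$3" | tail -c 3)    # drop a leading setgid/sticky digit
    oct_u=${perm%??}
    oct_g=${perm#?}; oct_g=${oct_g%?}
    oct_o=${perm#??}
    if [ "$cuid" -eq "$ouid" ] && has_write_bit "$oct_u"; then return 0; fi
    # The group check can only be resolved if the UID also exists on the host.
    for g in $(id -G "$cuid" 2>/dev/null); do
        if [ "$g" -eq "$ogid" ] && has_write_bit "$oct_g"; then return 0; fi
    done
    has_write_bit "$oct_o" && return 0
    echo "uid $cuid cannot write $dir (owner uid $ouid, mode $perm). Either:" >&2
    echo "  chown -R $cuid $dir          # hand the directory to the container UID" >&2
    echo "  docker run -u root ...        # or run the container process as root" >&2
    return 1
}

# Example with the article's paths; a real run would use /opt/jenkins_home.
# check_bind_mount_uid /opt/jenkins_home 1000
```

The same check, run with the UID printed by `docker run --rm IMAGE id -u`, tells you in advance whether a bind mount will fail with a permission error.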
