Why docker image is running using some random user, even after providing --user?

Time:03-31

I am trying to run a docker image under my user name, but when I checked, it was running under some random user name (awoodard). And now I am not even able to kill it since, as per the error, my user is not a part of sudoers. I am a novice in this field and not aware of such technicalities. May I request you to help me with this?

FROM nvidia/cuda:11.1-devel-ubuntu20.04

RUN apt-get update && apt-get -y --no-install-recommends install \
    apt-utils \
    curl \
    ca-certificates \
    sudo \
    git \
    bzip2 \
    libx11-6 \
    wget \
    build-essential \
    pkg-config \
    vim

RUN mkdir /app
WORKDIR /app
VOLUME /app

CMD bash
RUN rm /bin/sh && ln -s /bin/bash /bin/sh


ENV user gauravs
RUN adduser --disabled-password --gecos '' --shell /bin/bash ${user} \
       && chown -R ${user}:${user} /app \
       && adduser ${user} sudo
RUN echo "%sudo ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers
USER ${user}


ENV PATH=/home/${user}/.local/bin:$PATH
RUN sudo chmod 777 -R /app
RUN sudo chmod 777 /home/${user}

RUN sudo apt-get  -y --no-install-recommends install python3-dev
RUN sudo apt-get  -y --no-install-recommends install  python3-pip

When I used ps aux|grep:

awoodard 2805117 8778  0.6 27876664 5175500 ?    Rsl  10:31 8783:54 python3 main.py --gpu_num 1
gauravs  2808325  0.0  0.0   9032  2708 pts/1    S    12:11   0:00 grep --color=auto 2805117

CodePudding user response:

Linux users and groups use numeric IDs (UID and GID). As numeric IDs are not very convenient to use, you can also "create" a user (or group). Creating a user/group associates a name with a numeric ID (along with some other metadata, such as the default shell and the user's home directory, etc.). User names are usually stored within /etc/passwd (the name of that file is a bit poorly chosen: there are no passwords in there). Commands such as ps use the information in /etc/passwd to look up the user's name. So when it finds a process running as UID 1000, it looks up the name associated with UID 1000, and shows that.

When you create a user within the container, the first available (not yet associated with a name) numeric UID is picked, and the user's name is written to /etc/passwd (within the container).

If you run ps within the container, it looks up that name in the /etc/passwd file within the container, but when you run ps from outside the container, it looks in /etc/passwd on the host. If the host happens to have an entry in /etc/passwd for the same UID that's running in the container (more accurately: in the container's namespace), it will show the name for that UID it found on the host, which may be a different name than you used within the container.

If you use the n option on ps, the command skips looking up user (and group) names, showing their numeric UID/GID instead (see ps(1)). Doing so should show the same UID/GID when run inside and outside the container.

It's worth noting that, while creating a user is usually needed on a Linux machine (to configure the shell, home directory, password, etc.), containers are not VMs, and the USER instruction in a Dockerfile (and the --user flag on docker run) does not start a new user session (it does not "log in" the user). Instead, it only instructs Docker (or other container runtimes) to run the process with the given user and group.

Because of that, it's also possible to run a process as a different user, without actually "creating" a user, for example:

docker run --rm --user=123:456 busybox id
uid=123 gid=456

If no entry exists in /etc/passwd for that user, the id command shows the numeric IDs (as can be seen above), and when using an existing user, it shows the associated names:

docker run --rm --user=1:1 busybox id
uid=1(daemon) gid=1(daemon)
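An added example, not part of the answer above, that reproduces the UID-to-name lookup ps and id perform and checks which UIDs would be mislabeled across the two namespaces. The two passwd files and the user names in them are constructed to mirror the question; nothing here is read from a real host or container.

```shell
#!/bin/sh
# lookup_user PASSWD_FILE UID
# Prints the name that PASSWD_FILE associates with UID, or the bare UID when
# there is no entry (this is what `id` printed for --user=123:456 above).
lookup_user() {
    name=$(awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1")
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf '%s\n' "$2"
    fi
}

# uid_collisions HOST_PASSWD CONTAINER_PASSWD
# Prints "uid host_name container_name" for every UID that both files know
# under a different name: exactly the UIDs for which `ps aux` on the host
# shows a misleading name for a container process.
uid_collisions() {
    awk -F: 'NR == FNR { host[$3] = $1; next }
             ($3 in host) && host[$3] != $1 { print $3, host[$3], $1 }' "$1" "$2"
}

# Constructed host passwd: UID 1000 already belongs to a different person.
HOST_PASSWD=$(mktemp)
cat > "$HOST_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
awoodard:x:1000:1000::/home/awoodard:/bin/bash
EOF

# Constructed container passwd: adduser picked the first free UID, also 1000.
CONTAINER_PASSWD=$(mktemp)
cat > "$CONTAINER_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
gauravs:x:1000:1000:,,,:/home/gauravs:/bin/bash
EOF
trap 'rm -f "$HOST_PASSWD" "$CONTAINER_PASSWD"' EXIT

# Same process, same UID, two different names depending on which file is consulted.
echo "host view:      $(lookup_user "$HOST_PASSWD" 1000)"       # awoodard
echo "container view: $(lookup_user "$CONTAINER_PASSWD" 1000)"  # gauravs
echo "no entry:       $(lookup_user "$HOST_PASSWD" 123)"        # 123
echo "collisions:     $(uid_collisions "$HOST_PASSWD" "$CONTAINER_PASSWD")"
```

On a real system the same functions can be pointed at the host's /etc/passwd and a copy of the container's (for example via docker cp) to list every UID whose name will differ between the two views.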