.NET Docker container as dynamic non root User

Time:12-02

First of all, I've found a lot of discussions that mention how to define a user in the Dockerfile so a .NET application within a Docker container does not run with root privileges.

However, I think this is not applicable to my use case, as I don't know the user when building my Docker image (executing the Dockerfile).

The use case is as follows: We run multiple containers from our image. Each container is the processing unit for a separate tenant. Every tenant also needs to be separated in the filesystem, hence needs a separate user. When the container is run, we mount directories of the host system into the container. The application within the container should then write files to the mounted directories with the privileges of the tenant it belongs to (a user on the host system).

I'm pretty new to Docker, but as I understand it, I won't be able to solve this issue within the Dockerfile (please correct me if I'm wrong!).

I know docker run has the -user option where you can configure a user for the container; however, this doesn't seem to get used by the .NET application inside the container.

How can I configure my docker container and .NET application, so I can have separate tenant users?

CodePudding user response:

You can set the user and group of the user running the container on the docker run command. If your tenant's username is 'tenant1', you could do:

docker run -d -u $(id -u tenant1):$(id -g tenant1) myimage

The container will then be run with the UID and GID of the tenant's user on the host.
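
The following launcher is an added example, not code from the question or the answer. It wraps the docker run -u UID:GID call shown above, refuses to start a tenant container as root, and checks that the host directory being mounted belongs to that tenant. The function names, the /data mount point and the DOCKER_BIN override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-tenant wrapper around `docker run -u UID:GID`.
# Assumptions: the image reads and writes tenant files under /data, and
# DOCKER_BIN (hypothetical variable) may be set to `echo` for a dry run.

# Succeeds only when both IDs are numeric and the UID is not root (0).
valid_tenant_ids() {
    case "$1$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -ne 0 ]
}

# Succeeds when DIR exists and its numeric owner equals the given UID.
dir_owned_by() {
    [ -d "$1" ] || return 1
    owner=$(ls -nd -- "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# launch_tenant HOST_USER HOST_DIR IMAGE
# Resolves the tenant's host UID/GID, validates them and the mount
# directory, then starts the container with those IDs.
launch_tenant() {
    t_user=$1
    t_dir=$2
    t_image=$3
    t_uid=$(id -u "$t_user" 2>/dev/null) && t_gid=$(id -g "$t_user" 2>/dev/null) || {
        echo "unknown host user: $t_user" >&2
        return 1
    }
    valid_tenant_ids "$t_uid" "$t_gid" || {
        echo "refusing to run tenant container as root" >&2
        return 1
    }
    dir_owned_by "$t_dir" "$t_uid" || {
        echo "$t_dir is missing or not owned by UID $t_uid" >&2
        return 1
    }
    ${DOCKER_BIN:-docker} run -d -u "$t_uid:$t_gid" -v "$t_dir:/data" "$t_image"
}
```

Call it as launch_tenant tenant1 /srv/tenants/tenant1 myimage, where the directory path is a constructed sample. The ownership check matters because a process running under the tenant's UID can only write to the mounted directory if the host permissions on it allow that UID.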
