Should I Create One Unique User per Docker Container or Share a User for All?

Asked By CreativeTaco42 On

I'm currently setting up a Docker environment with bind-mounted directories for my downloaded files, but I'm running into issues with the container creating files with random user and group ownership. I know that I can set the USER in the container to match a host user, but I'm confused about which host user to use. It seems like setting the same user for all containers would be convenient, but if a container gets compromised, it could potentially access all the other containers' data. On the other hand, creating a separate user on the host for each container might be tedious, but it offers better isolation. Is there a preferred option here? Are there other methods I should consider? I've found that I can address some ownership mismatches with user ID mapping while binding directories, but I'd still like advice on the broader setup!

3 Answers

Answered By DevDude101 On

Going rootless can be tricky but effective. Alternatively, you might want to check out user namespace remapping as a less painful solution for managing user permissions across containers.

NinjaNerd13 -

That's a good point! But still, which UID:GID should be used inside the containers? Is it really better to have one host user for everything or create separate users for each container?
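To make the remapping suggestion concrete, here is a small added example (not code from the thread) that predicts which host UID a remapped container's files will carry in a bind mount. It assumes a daemon configured with `{"userns-remap": "default"}`, which makes dockerd use the subordinate ID range of the `dockremap` user; the `/etc/subuid` line and the container UIDs below are constructed sample values.

```shell
#!/bin/sh
# Added example: how Docker's userns-remap translates container IDs to host IDs.
#
# Assumed host configuration (constructed for this example):
#   /etc/docker/daemon.json : {"userns-remap": "default"}
#   /etc/subuid             : dockremap:100000:65536
#   /etc/subgid             : dockremap:100000:65536
# With remapping on, container UID/GID N is seen by the host as (start + N),
# so "root" inside a container is an unprivileged high UID on the host.

SUBUID_LINE='dockremap:100000:65536'   # constructed sample /etc/subuid entry

# map_id <container_id> [subuid_line]
# Prints the host UID/GID a container ID maps to; returns 1 if outside the range.
map_id() {
    cid=$1
    line=${2:-$SUBUID_LINE}
    start=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    if [ "$cid" -lt 0 ] || [ "$cid" -ge "$count" ]; then
        echo "container id $cid is outside the remapped range of $count ids" >&2
        return 1
    fi
    echo $((start + cid))
}

# bind_mount_chown <container_uid> <container_gid> <host_dir>
# Prints the chown the host admin must run so a remapped container, running as
# the given UID:GID, can write into the bind-mounted directory.
bind_mount_chown() {
    huid=$(map_id "$1") || return 1
    hgid=$(map_id "$2") || return 1
    echo "chown $huid:$hgid $3"
}

# Stand-alone usage: files written by container root show up as 100000 on the host,
# and a container user 1000:1000 needs its bind mount owned by 101000:101000.
if [ "${0##*/}" != "sh" ]; then
    echo "container root -> host uid $(map_id 0)"
    bind_mount_chown 1000 1000 /srv/downloads
fi
```

The point for the question above: with remapping, even a compromised container that is root inside cannot read host files owned by real host users, because on the host it is just UID 100000. The per-container isolation question still remains, since every container shares the same remapped range unless you use different ranges or user IDs.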

Answered By CloudyCoder23 On

Just remember that users are identified by their user IDs (UIDs) under the hood. If you have a user with the same ID on your host system, it will act as that same user. I recommend using UIDs instead of usernames for accuracy. If you're looking for a more structured approach, you might want to consider exploring Kubernetes and its permissions system for a larger setup.

LostInDocker45 -

I get the technical details for setting the container USER but am really confused about the strategy: should I go for dedicated users for each container or stick to a shared host user?

Answered By TechieTurtle87 On

In an ideal scenario, you would go rootless and assign a distinct user ID for each Docker container without giving it permissions on the host. This approach minimizes risks; if one container gets compromised, it wouldn't be able to access the data of another container. However, in reality, many people use a single user ID for convenience, especially when security is not a top concern. Just remember to limit its privileges on the host OS!

HelpfulHummingbird99 -

So a high UID:GID like `docker run --user 3000:3000`, which won't conflict with any host users, is the way to go, right?
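As an added example (not code posted in the thread), here is the "one dedicated UID per container" strategy from the answer above, written as host-side shell helpers: each container gets its own high numeric ID that needs no host account, its bind-mounted directory is owned by that ID alone, and the `docker run` options pin the process to it. The base ID 3000, the service names and the `/srv` paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: allocate a distinct UID/GID per container and prepare its
# bind-mounted data directory so no two containers can read each other's files.
# The ID only has to exist as a number; Docker's --user accepts numeric IDs that
# have no /etc/passwd entry on the host or in the image.

BASE_ID=3000   # constructed starting point, above the usual human-user range

# service_id <index> : the dedicated UID and GID for the index-th container
service_id() {
    echo $((BASE_ID + $1))
}

# id_in_use <id> [passwd_file] : prints "taken" if a host account already has
# this UID (so the container would effectively share that user's identity).
id_in_use() {
    file=${2:-/etc/passwd}
    if awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' "$file"; then
        echo taken
    else
        echo free
    fi
}

# prepare_data_dir <dir> <id> : create the bind mount target owned only by the
# container's ID. chown needs root; otherwise print the command to run.
prepare_data_dir() {
    dir=$1
    id=$2
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$id:$id" "$dir"
        chmod 0750 "$dir"
    else
        echo "run as root: chown $id:$id $dir && chmod 0750 $dir" >&2
    fi
}

# owner_ok <dir> <id> : "ok" when the directory is really owned by that ID
owner_ok() {
    actual=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1")
    if [ "$actual" = "$2" ]; then
        echo ok
    else
        echo "mismatch: owned by $actual, expected $2"
    fi
}

# run_flags <name> <id> <host_dir> : docker run options that pin the container
# to its own ID and mount only its own directory.
run_flags() {
    echo "--name $1 --user $2:$2 -v $3:/data"
}

# Stand-alone usage with constructed service names.
if [ "${0##*/}" != "sh" ]; then
    i=1
    for svc in downloader indexer; do
        id=$(service_id "$i")
        echo "$svc -> id $id ($(id_in_use "$id"))"
        prepare_data_dir "/srv/$svc" "$id"
        echo "docker run $(run_flags "$svc" "$id" "/srv/$svc") image-for-$svc"
        i=$((i + 1))
    done
fi
```

Each container sees its directory as `/data`, owned by itself, and a mode of 0750 keeps the other containers' IDs out since they share neither the UID nor the GID. If you later want a single shared user for convenience, the same helpers still apply; you simply pass the same ID to every service, which is exactly the trade-off the answer describes.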
