docker container with user created, where on host
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have a dockerfile with a user created so it is not running as root(best pratice)
FROM microsoft/dotnet:sdk AS build-env
WORKDIR /app
# Copy csproj and restore as distinct layers
COPY *.csproj ./
RUN dotnet restore
# Copy everything else and build
COPY . ./
RUN dotnet publish -c Release -o out
# Build runtime image
FROM microsoft/dotnet:aspnetcore-runtime
RUN groupadd -g 1001 appuser && useradd -r -u 1001 -g appuser appuser
USER appuser
WORKDIR /app
COPY --from=build-env /app/out .
ENTRYPOINT ["dotnet", "ConsoleApp32.dll"]
I build the image and run the container:
docker build -f Dockerfile1 -t myappimage .
docker run -d --name myapp myappimage
And then check it running:
ps aux | grep dotnet
21569 1001 0:00 dotnet ConsoleApp32.dll
So running as uid 1001.
I then check host for this user:
cut -d: -f1 /etc/passwd
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
man
postmaster
cron
ftp
sshd
at
squid
xfs
games
postgres
cyrus
vpopmail
ntp
smmsp
guest
nobody
dockremap
No sign of appuser. My understanding(which may be wrong) is we are using a shared Kernel and user should be in list.
I also looked up uid
getent passwd 1001
Which returned no result.
Can someone explain this, as I dont understand how a process is running on host as a uid of 1001 and there is no associated user
docker containers
add a comment |
I have a dockerfile with a user created so it is not running as root(best pratice)
FROM microsoft/dotnet:sdk AS build-env
WORKDIR /app
# Copy csproj and restore as distinct layers
COPY *.csproj ./
RUN dotnet restore
# Copy everything else and build
COPY . ./
RUN dotnet publish -c Release -o out
# Build runtime image
FROM microsoft/dotnet:aspnetcore-runtime
RUN groupadd -g 1001 appuser && useradd -r -u 1001 -g appuser appuser
USER appuser
WORKDIR /app
COPY --from=build-env /app/out .
ENTRYPOINT ["dotnet", "ConsoleApp32.dll"]
I build the image and run the container:
docker build -f Dockerfile1 -t myappimage .
docker run -d --name myapp myappimage
And then check it running:
ps aux | grep dotnet
21569 1001 0:00 dotnet ConsoleApp32.dll
So running as uid 1001.
I then check host for this user:
cut -d: -f1 /etc/passwd
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
man
postmaster
cron
ftp
sshd
at
squid
xfs
games
postgres
cyrus
vpopmail
ntp
smmsp
guest
nobody
dockremap
No sign of appuser. My understanding(which may be wrong) is we are using a shared Kernel and user should be in list.
I also looked up uid
getent passwd 1001
Which returned no result.
Can someone explain this, as I dont understand how a process is running on host as a uid of 1001 and there is no associated user
docker containers
add a comment |
I have a dockerfile with a user created so it is not running as root(best pratice)
FROM microsoft/dotnet:sdk AS build-env
WORKDIR /app
# Copy csproj and restore as distinct layers
COPY *.csproj ./
RUN dotnet restore
# Copy everything else and build
COPY . ./
RUN dotnet publish -c Release -o out
# Build runtime image
FROM microsoft/dotnet:aspnetcore-runtime
RUN groupadd -g 1001 appuser && useradd -r -u 1001 -g appuser appuser
USER appuser
WORKDIR /app
COPY --from=build-env /app/out .
ENTRYPOINT ["dotnet", "ConsoleApp32.dll"]
I build the image and run the container:
docker build -f Dockerfile1 -t myappimage .
docker run -d --name myapp myappimage
And then check it running:
ps aux | grep dotnet
21569 1001 0:00 dotnet ConsoleApp32.dll
So running as uid 1001.
I then check host for this user:
cut -d: -f1 /etc/passwd
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
man
postmaster
cron
ftp
sshd
at
squid
xfs
games
postgres
cyrus
vpopmail
ntp
smmsp
guest
nobody
dockremap
No sign of appuser. My understanding(which may be wrong) is we are using a shared Kernel and user should be in list.
I also looked up uid
getent passwd 1001
Which returned no result.
Can someone explain this, as I dont understand how a process is running on host as a uid of 1001 and there is no associated user
docker containers
I have a dockerfile with a user created so it is not running as root(best pratice)
FROM microsoft/dotnet:sdk AS build-env
WORKDIR /app
# Copy csproj and restore as distinct layers
COPY *.csproj ./
RUN dotnet restore
# Copy everything else and build
COPY . ./
RUN dotnet publish -c Release -o out
# Build runtime image
FROM microsoft/dotnet:aspnetcore-runtime
RUN groupadd -g 1001 appuser && useradd -r -u 1001 -g appuser appuser
USER appuser
WORKDIR /app
COPY --from=build-env /app/out .
ENTRYPOINT ["dotnet", "ConsoleApp32.dll"]
I build the image and run the container:
docker build -f Dockerfile1 -t myappimage .
docker run -d --name myapp myappimage
And then check it running:
ps aux | grep dotnet
21569 1001 0:00 dotnet ConsoleApp32.dll
So running as uid 1001.
I then check host for this user:
cut -d: -f1 /etc/passwd
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
man
postmaster
cron
ftp
sshd
at
squid
xfs
games
postgres
cyrus
vpopmail
ntp
smmsp
guest
nobody
dockremap
No sign of appuser. My understanding(which may be wrong) is we are using a shared Kernel and user should be in list.
I also looked up uid
getent passwd 1001
Which returned no result.
Can someone explain this, as I dont understand how a process is running on host as a uid of 1001 and there is no associated user
docker containers
docker containers
asked Nov 15 '18 at 11:17
NoelNoel
1,67932653
1,67932653
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
The user ID is shared with the host: it’s 1001. The name of that user comes from looking it up in the /etc/passwd
file. Since the host and container have different filesystem spaces, they have different passwd files; the kernel doesn’t know anything about a user’s name.
The corresponding FAQ: it doesn’t matter if you have users named pat
on both the host and in the container; if their numeric user IDs don’t match up, and you’re on Linux, and you’re trying to share content with docker run -v
, one user won’t be able to access the other’s files.
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53318282%2fdocker-container-with-user-created-where-on-host%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The user ID is shared with the host: it’s 1001. The name of that user comes from looking it up in the /etc/passwd
file. Since the host and container have different filesystem spaces, they have different passwd files; the kernel doesn’t know anything about a user’s name.
The corresponding FAQ: it doesn’t matter if you have users named pat
on both the host and in the container; if their numeric user IDs don’t match up, and you’re on Linux, and you’re trying to share content with docker run -v
, one user won’t be able to access the other’s files.
add a comment |
The user ID is shared with the host: it’s 1001. The name of that user comes from looking it up in the /etc/passwd
file. Since the host and container have different filesystem spaces, they have different passwd files; the kernel doesn’t know anything about a user’s name.
The corresponding FAQ: it doesn’t matter if you have users named pat
on both the host and in the container; if their numeric user IDs don’t match up, and you’re on Linux, and you’re trying to share content with docker run -v
, one user won’t be able to access the other’s files.
add a comment |
The user ID is shared with the host: it’s 1001. The name of that user comes from looking it up in the /etc/passwd
file. Since the host and container have different filesystem spaces, they have different passwd files; the kernel doesn’t know anything about a user’s name.
The corresponding FAQ: it doesn’t matter if you have users named pat
on both the host and in the container; if their numeric user IDs don’t match up, and you’re on Linux, and you’re trying to share content with docker run -v
, one user won’t be able to access the other’s files.
The user ID is shared with the host: it’s 1001. The name of that user comes from looking it up in the /etc/passwd
file. Since the host and container have different filesystem spaces, they have different passwd files; the kernel doesn’t know anything about a user’s name.
The corresponding FAQ: it doesn’t matter if you have users named pat
on both the host and in the container; if their numeric user IDs don’t match up, and you’re on Linux, and you’re trying to share content with docker run -v
, one user won’t be able to access the other’s files.
answered Nov 15 '18 at 14:16
David MazeDavid Maze
16k31632
16k31632
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53318282%2fdocker-container-with-user-created-where-on-host%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown