Docker

From HPCWIKI

Docker container log file management

Logs written by an application inside a container accumulate over time and can eventually consume a large amount of disk space.

One simple way to manage container logs is to pass --log-opt options when starting the container (max-size caps the size of each log file, max-file limits how many rotated files are kept), for example[1]

$ docker run ... --log-opt max-size=10m --log-opt max-file=3 ...

Docker container as user

Docker is a popular containerization tool. Docker containers are self-contained, lightweight, and portable, and run on any host system that has Docker installed.

With Docker containers, users can isolate their applications and dependencies from the underlying host system, which makes them more dependable and secure.

Set user in container

By default, Docker runs containers as the root user, which is a security risk and causes permission problems when accessing files and directories.

It is a good idea to run the container as a non-root user with appropriate permissions.

Using the --user option of the docker run command

Docker offers the --user option to set the UID and GID of the user inside the container at run time.

The following command runs the ubuntu image as the host user who executes the command:

$ docker run -it --rm -v /home/$USER:/home/$USER -w /home/$USER -u $(id -u):$(id -g) ubuntu

where,

-w sets the working directory inside the container

-u sets the container user to the host user's UID and GID

To extend this, the following example lets the executing user log in to their container with their host UID/GID, provided an SSH server is set up inside the container.

# -u           set the user's UID and GID in the container
# -w           set the working directory to the user's home
# -v $HOME     mount the user's home directory into the container
# -v /etc/...  read-only mounts of the host account files so the container can
#              resolve the UID to a name and authenticate the host user;
#              /etc/shadow is only needed when something in the container
#              (such as sshd) must verify passwords
$ docker run --rm \
    -u $(id -u):$(id -g) \
    -w $HOME \
    -v $HOME:$HOME \
    -v /etc/group:/etc/group:ro \
    -v /etc/passwd:/etc/passwd:ro \
    -v /etc/shadow:/etc/shadow:ro \
    ubuntu bash -c "whoami; pwd"

Set User in Dockerfile

With a custom Dockerfile, we can create new Docker images that define a specific user for the container.

# Dockerfile comments must start a line; a trailing # would become part of the instruction
# base image (image names are lowercase; "Ubuntu:latest" would not resolve)
FROM ubuntu:latest
# build-time argument for the container user name
ARG _USER=default_user
# create the container group and user (Debian/Ubuntu tools; the addgroup -S / adduser -S form is Alpine syntax)
RUN groupadd --system "$_USER" && useradd --system --gid "$_USER" --create-home "$_USER"
# run the remaining instructions and the container as that user
USER $_USER
CMD ["whoami"]

Then create the Docker image

$ docker build --build-arg _USER=username -t dynamicuser .

Run the container to verify the user inside it; whoami prints the username

$ docker run --rm --name dynamicuser dynamicuser
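An added audit script (not from the wiki) that ties the log-option section and the two user sections together: it checks `docker inspect --format` output for a json-file log without max-size and for a container running as root, using a hand-constructed sample record so it runs without a Docker daemon; the function names audit_container and audit_lines are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: audit containers for the two settings this page
# covers, log rotation (--log-opt max-size/max-file) and a non-root user (--user/USER).
# It parses `docker inspect --format` output, so jq is not needed. Real use:
#   docker ps -q | xargs docker inspect --format \
#     '{{.Name}}|{{.Config.User}}|{{.HostConfig.LogConfig.Type}}|{{.HostConfig.LogConfig.Config}}' \
#     | audit_lines
# The sample records at the bottom are constructed by hand so it runs without a daemon.

# audit_container NAME USER LOGDRIVER LOGOPTS: prints findings, returns their count (0 = clean)
audit_container() {
  local name=$1 user=$2 driver=$3 opts=$4 n=0
  # Config.User is empty when no --user/USER was given, i.e. the container runs as root.
  case "$user" in
    ""|root|0|0:*|root:*)
      echo "$name: runs as root (use -u \$(id -u):\$(id -g) or USER in the Dockerfile)"
      n=$((n + 1)) ;;
  esac
  # The default json-file driver never rotates unless max-size is set. LogConfig.Config
  # renders as "map[max-file:3 max-size:10m]", or "map[]" when no --log-opt was given.
  if [ "$driver" = json-file ]; then
    case "$opts" in
      *max-size:*) ;;
      *)
        echo "$name: json-file log has no max-size (add --log-opt max-size=10m --log-opt max-file=3)"
        n=$((n + 1)) ;;
    esac
  fi
  return "$n"
}

# audit_lines: read NAME|USER|DRIVER|OPTS records from stdin, audit each, and
# return the total number of findings (capped at 255 to fit in an exit status).
audit_lines() {
  local total=0
  while IFS='|' read -r name user driver opts; do
    [ -n "$name" ] || continue
    audit_container "$name" "$user" "$driver" "$opts" || total=$((total + $?))
  done
  [ "$total" -le 255 ] || total=255
  return "$total"
}

# Constructed sample: a plain `docker run` container and one started with this page's options.
sample_records='/untuned||json-file|map[]
/tuned|1000:1000|json-file|map[max-file:3 max-size:10m]'

if [ "${1:-}" = --demo ]; then
  printf '%s\n' "$sample_records" | audit_lines; echo "findings: $?"
fi
```

Run with `--demo` to audit the embedded sample; the untuned container yields two findings and the tuned one none.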

Rootless mode

Rootless mode was introduced in Docker Engine v19.03 and is included in Docker Engine v20.10 or later.

Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime. Rootless mode does not require root privileges even during the installation of the Docker daemon, as long as the special prerequisites[2] are met.

HM Docker

HPCMATE provides customers with optimized custom Docker images, with or without the full source of the Dockerfile or compose file depending on the type of service. We also offer an advanced Docker tutorial course. Contact sales@hpcmate.com for more details.

Reference