a guest
Jan 27th, 2015
# Running as a non-root user inside a container

Docker can start a container as a specific user by passing the user on the command line with `-u`.
The parameter to the `-u` switch is either a username or the id of a user that exists _inside_ the container. More precisely,
the container must have a valid `/etc/passwd` file that defines the user:

```
$ mkdir etc
$ echo 'postgres:x:1000:1000::/home/postgres:/bin/sh' > etc/passwd
```

While not needed for this simple experiment, we might want to create the group and shadow files for completeness:

```
$ echo 'postgres:x:1000:' > etc/group
$ echo 'postgres:!:16452:0:99999:7:::' > etc/shadow
$ echo 'postgres:!::' > etc/gshadow
```

The next step is to create a directory in our build folder and chown it to user `1000`. We don't need a
user with this id locally.

```
$ mkdir data
$ touch data/file
$ chown -R 1000:1000 data
```

We must tar the `data` directory with the `p` flag to preserve permissions. Otherwise, if we just `ADD` or `COPY` the
folder in the Dockerfile, the Docker daemon will reset the ownership of all files back to the root user (`0:0`).

```
$ tar -cpf data.tar data
```

Finally, we build the image. Let's also ignore the `data` folder so it doesn't have to be uploaded to the Docker daemon as
part of the build context:

```
$ echo 'data' > .dockerignore

$ echo 'FROM debian:jessie
COPY etc /etc
ADD data.tar /
VOLUME ["/data"]' > Dockerfile

$ docker build -t base .
```

Now we can verify that the permissions are indeed preserved:

```
$ docker run --rm -it base ls -l /data
total 0
-rw-r--r-- 1 postgres postgres 0 Jan 17 14:17 file
```

Let's run as user `postgres`:

```
$ docker run --rm -itu postgres base id
uid=1000(postgres) gid=1000(postgres) groups=1000(postgres)
```

The volume itself also preserves the permissions when we attach it to another container. There is no need to run the container, just create it; the volume is usable even when the container is not running:

```
$ docker create --name datavolume base /bin/true
$ docker run --rm -it --volumes-from datavolume debian:jessie ls -ln /data
total 0
-rw-r--r-- 1 1000 1000 0 Jan 17 14:17 file
```

The permissions and ownership are preserved! Any container running as user 1000:1000 will own this volume. We didn't need
a full container to define ownership, nor `gosu` to run as a specific user.

This method also works for creating lightweight data volume containers. We don't need the `/etc/passwd` file in this volume container;
we only need to preserve the permissions within the folder:

```
$ tar cpv data/ | docker import - minimal
$ docker create --name data-only minimal :
```

We need to specify some command for `docker create`; in our case a good choice is `:`, which does nothing.

We can also build the same thing with a Dockerfile:

```
$ echo 'FROM scratch
ADD data.tar /
VOLUME ["/data"]' > Dockerfile

$ docker build -t minimal .
$ docker create --name minimal minimal :
```

The container that mounts this minimal volume container needs to create the user with id 1000:

```
$ docker run --rm --volumes-from minimal -it debian:jessie /bin/bash -c 'useradd postgres && ls -l /data'
total 0
-rw-r--r-- 1 postgres postgres 0 Jan 17 14:17 file
```
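The whole procedure hinges on `data.tar` carrying the right `uid:gid` in its headers before it is `ADD`ed. As an added example (not part of the original paste), the following Python script builds that archive with the ownership rewritten to 1000:1000 on the way in, so no `chown` as root is needed on the build host, and then checks the archive so that nothing in it will come out owned by `0:0` inside the image. The `data/file` sample input is constructed in a temporary directory; `build_data_tar`, `check_ownership` and `demo` are names chosen here.

```python
import os
import tarfile
import tempfile

# Ownership to record in the archive: matches the postgres user defined
# in the container's /etc/passwd (uid 1000, gid 1000).
TARGET_UID = 1000
TARGET_GID = 1000


def build_data_tar(src_dir, tar_path, uid=TARGET_UID, gid=TARGET_GID,
                   uname="postgres", gname="postgres"):
    """Archive src_dir so every entry is owned by uid:gid, without chown.

    tar stores ownership as header fields, so we rewrite them as each
    entry is added; the files on the build host keep their real owner.
    Returns the number of entries written (directory entries included).
    """
    count = 0

    def set_owner(info):
        nonlocal count
        info.uid, info.gid = uid, gid
        info.uname, info.gname = uname, gname
        count += 1
        return info

    with tarfile.open(tar_path, "w") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir), filter=set_owner)
    return count


def check_ownership(tar_path, uid=TARGET_UID, gid=TARGET_GID):
    """Return the names of archive members NOT owned by uid:gid.

    An empty list means the archive is safe to ADD: no entry will be
    extracted as root-owned (0:0) in the image layer.
    """
    with tarfile.open(tar_path, "r") as tar:
        return [m.name for m in tar.getmembers()
                if (m.uid, m.gid) != (uid, gid)]


def demo():
    """Constructed sample: a 'data' directory with one empty file."""
    with tempfile.TemporaryDirectory() as work:
        data = os.path.join(work, "data")
        os.mkdir(data)
        open(os.path.join(data, "file"), "w").close()
        tar_path = os.path.join(work, "data.tar")
        written = build_data_tar(data, tar_path)   # 2 entries: data, data/file
        return written, check_ownership(tar_path)  # -> (2, [])
```

Run `check_ownership` on any archive before it goes into a `FROM scratch` image; a non-empty result is the list of paths that would defeat the non-root setup.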