How can I see which user launched a Docker container?

Question

I can view the list of running containers with docker ps or equivalently docker container ls (added in Docker 1.13). However, it doesn't display the user who launched each Docker container. How can I see which user launched a Docker container? Ideally I would prefer to have the list of running containers along with the user for launched each of them.

Answer 1

You can try this;

docker inspect $(docker ps -q) --format '{{.Config.User}} {{.Name}}'

Edit: Container name added to output

Answer 2

As far as I know, docker inspect will show only the configuration that the container started with.

Because of the fact that commands like entrypoint (or any init script) might change the user, those changes will not be reflected on the docker inspect output.

In order to work around this, you can to overwrite the default entrypoint set by the image with
--entrypoint="" and specify a command like whoami or id after it.

You asked specifically to see all the containers running and the launched user, so this solution is only partial and gives you the user in case it doesn't appear with the docker inspect command:

docker run --entrypoint "" <image-name> whoami

Maybe somebody will proceed from this point to a full solution (:

---

Read more about entrypoint "" in here .

Answer 3

If you are used to ps command, running ps on the Docker host and grep with parts of the process your process is running. For example, if you have a Tomcat container running, you may run the following command to get details on which user would have started the container.

ps -u | grep tomcat 

This is possible because containers are nothing but processes managed by docker. However, this will only work on single host. Docker provides alternatives to get container details as mentioned in other answer.

Answer 4

I found a solution. It is not perfect, but it works for me.

I start all my containers with an environment variable ($CONTAINER_OWNER in my case) which includes the user. Then, I can list the containers with the environment variable.

Start container with environment variable

docker run -e CONTAINER_OWNER=$(whoami) MY_CONTAINER

Start docker compose with environment variable

echo "CONTAINER_OWNER=$(whoami)" > deployment.env # Create env file
docker-compose --env-file deployment.env up

List containers with the environment variable

for container_id in $(docker container ls -q); do
    echo $container_id $(docker exec $container_id bash -c 'echo "$CONTAINER_OWNER"')
done

Answer 5

There's no built in way to do this.

You can check the user that the application inside the container is configured to run as by inspecting the container for the .Config.User field, and if it's blank the default is uid 0 (root). But this doesn't tell you who ran the docker command that started the container. User bob with access to docker can run a container as any uid (this is the docker run -u 1234 some-image option to run as uid 1234). Most images that haven't been hardened will default to running as root no matter the user that starts the container.

To understand why, realize that docker is a client/server app, and the server can receive connections in different ways. By default, this server is running as root, and users can submit requests with any configuration. These requests may be over a unix socket, you could sudo to root to connect to that socket, you could expose the API to the network (not recommended), or you may have another layer of tooling on top of docker (eg Kubernetes with the docker-shim). The big issue in that list is the difference between the network requests vs a unix socket, because network requests don't tell you who's running on the remote host, and if it did, you'd be trusting that remote client to provide accurate information. And since the API is documented, anyone with a curl command could submit a request claiming to be a different user.

In short, every user with access to the docker API is an anonymized root user on your host.

---

The closest you can get is to either place something in front of docker that authenticates users and populates something like a label. Or trust users to populate that label and be honest (because there's nothing in docker validating these settings).

$ docker run -l "user=$(id -u)" -d --rm --name test-label busybox tail -f /dev/null
...
$ docker container inspect test-label --format '{{ .Config.Labels.user }}'
1000

Beyond that, if you have a deployed container, sometimes you can infer the user by looking through the configuration and finding volume mappings back to that user's home directory. That gives you a strong likelihood, but again, not a guarantee since any user can set any volume.

Answer 6

 ps -aux | less

在列表（最后一列）中找到进程的名称（在容器内运行的），您将看到用户在第一列中运行它

Answer 7

this command will print the uid and gid docker exec <CONTAINER_ID> id