
Running non-root Docker within Ubuntu Docker container

I'm trying to run a Docker build within a Docker container based upon Ubuntu 20.04. The container needs to run as a non-root user for the build process before the Docker build occurs.

Here's some snippets of my Dockerfile to show what I'm doing:

FROM amd64/ubuntu:20.04

# Install required packages
RUN apt-get update && apt-get install -y software-properties-common \
                                        build-essential \
                                        libssl-dev \
                                        openssl \
                                        libsqlite3-dev \
                                        libtool \
                                        wget \
                                        autoconf \
                                        automake \
                                        git \
                                        make \
                                        pkg-config \
                                        cmake \
                                        doxygen \
                                        graphviz \
                                        docker.io

# Add user for CI purposes
RUN useradd -ms /bin/bash ciuser
RUN passwd -d ciuser

# Set docker group membership
RUN usermod -aG docker ciuser

# Run bash as the non-root user
CMD ["su", "-", "ciuser", "/bin/bash"]

When I run the container up, and try to run docker commands, I get an error:

$ docker run -ti --privileged=true -v /var/run/docker.sock:/var/run/docker.sock ci_container_staging
ciuser@0bb768506106:~$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied

If I remove the running as ciuser it works ok:

$ docker run -ti --privileged=true -v /var/run/docker.sock:/var/run/docker.sock /ci_container_staging
root@d71654581cec:/# docker ps
CONTAINER ID        IMAGE                                                  COMMAND             CREATED             STATUS              PORTS               NAMES
d71654581cec        ci_container_staging   "/bin/bash"         3 seconds ago       Up 2 seconds                            vigilant_lalande
root@d71654581cec:/#

Where am I going wrong with setting up Docker via Dockerfile and then setting user to run as?

amd64/ubuntu:20.04 has a docker group with group id 103. Most likely the gid of the docker group for your local machine is not 103 (check getent group docker). So even though ciuser is part of the docker group, the id is different and so the user is not granted access to the docker socket.

A simple fix would be to change the gid of the docker group in the container to match your host's:

RUN groupmod -g <HOST_DOCKER_GROUP_ID> docker

There are plenty of other ways to solve issues with mapping uid/gid to docker containers but this should give you enough information to move forward.

Example/more info:

# gid on docker socket is 998
root@c349e1d13b76:/# ls -al /var/run/docker.sock 
srw-rw---- 1 root 998 0 Apr 12 14:54 /var/run/docker.sock

# But gid of docker group is 103
root@c349e1d13b76:/# getent group docker
docker:x:103:ciuser

# root can `docker ps`
root@c349e1d13b76:/# docker ps
CONTAINER ID   IMAGE            COMMAND       CREATED              STATUS              PORTS     NAMES
c349e1d13b76   nonroot:latest   "/bin/bash"   About a minute ago   Up About a minute             kind_satoshi

# but fails for ciuser
root@c349e1d13b76:/# runuser -l ciuser -c 'docker ps'
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json: dial unix /var/run/docker.sock: connect: permission denied

# change docker gid in the container to match the one on the socket/localhost
# 998 is the docker gid on my machine, yours may (will) be different.
root@c349e1d13b76:/# groupmod -g 998 docker

# run `docker ps` again as ciuser, works.
root@c349e1d13b76:/# runuser -l ciuser -c 'docker ps'
CONTAINER ID   IMAGE            COMMAND       CREATED              STATUS              PORTS     NAMES
c349e1d13b76   nonroot:latest   "/bin/bash"   About a minute ago   Up About a minute             kind_satoshi

Part of the Docker metadata when it starts a container is which user it should run as; you wouldn't generally use su or sudo.

USER ciuser
CMD ["/bin/bash"] # or the actual thing the container should do

This is important because you can override the user when the container starts up, with the docker run -u option; or you can add extra groups with docker run --group-add. These should typically be numeric group IDs, and they do not need to exist in the container's /etc/passwd or /etc/group files.

If the host's Docker socket is mode 0660 and owned by a docker group, you can look up the corresponding group ID and specify the container process has that group ID:

docker run \
  --group-add $(getent group docker | cut -d: -f3) \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --rm \
  ci_container_staging \
  docker ps

(The container does not specifically need to be --privileged, though nothing stops it from launching additional privileged containers.)
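As an added example (not code from the question or from either answer), the following shell script applies the point both answers make: group names do not cross the bind mount, only the numeric gid does. It reads the socket's gid on the host, checks whether a container's /etc/group assigns that same gid to docker (the 103 vs 998 mismatch above), and builds --group-add flags so the image can run unprivileged. It assumes GNU coreutils stat; the image name ci_container_staging comes from the question.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# Assumes GNU `stat -c` (Linux); on BSD/macOS it would be `stat -f %g`.
set -eu

# Numeric gid owning the file at $1 (e.g. /var/run/docker.sock).
# This number is the only thing the container sees on the bind-mounted socket.
socket_gid() {
  stat -c '%g' "$1"
}

# gid of group $2 as recorded in the /etc/group-format file $1.
# Same as `getent group $2 | cut -d: -f3`, but works on any extracted file,
# so an image's /etc/group can be inspected without starting it.
group_gid() {
  awk -F: -v name="$2" '$1 == name { print $3; exit }' "$1"
}

# True when the docker group in group file $1 has the gid of socket $2.
# A mismatch is exactly the "permission denied" the question shows.
gids_match() {
  [ "$(group_gid "$1" docker)" = "$(socket_gid "$2")" ]
}

# Flags for `docker run` that give the container user gid $1 and mount socket $2.
# Refuses gid 0: if the socket is owned by the root group, --group-add 0 would put
# the CI user in the root group, a far larger grant than "may talk to the daemon".
run_flags_for_gid() {
  if [ "$1" -eq 0 ]; then
    echo "refusing: $2 is owned by gid 0; fix the socket's group instead" >&2
    return 1
  fi
  printf '%s %s -v %s:/var/run/docker.sock' --group-add "$1" "$2"
}

# Convenience: derive the flags straight from the live socket.
socket_run_flags() {
  run_flags_for_gid "$(socket_gid "$1")" "$1"
}

# Unprivileged replacement for `docker run --privileged ...` from the question.
run_ci_container() {
  sock=${1:-/var/run/docker.sock}
  # shellcheck disable=SC2046  # word-splitting of the flags is intended
  docker run --rm $(socket_run_flags "$sock") ci_container_staging docker ps
}
```

Call run_ci_container on a host with Docker installed; the helper functions run anywhere.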
