-
Notifications
You must be signed in to change notification settings - Fork 273
managing users in docker
By default, all rocker images run as the root user.
Justification: This makes them easy to use as base images for other Dockerfiles. Most (all official?) base images leave the default user as root. Someone who uses FROM r-base doesn't need to switch back and forth to the root user with a USER root (switching back and forth adds extra layers and is against the current best practices advised by Docker, as is using sudo in Dockerfiles). This is also the most sensible default for running the RStudio images (see below).
However, all rocker images also define a non-root user which can be switched on at run time using the --user flag to docker run. In a production environment you may consider to run rocker with a non-root user for more security. For historical reasons, this user is docker in r-base and rocker/r-devel but rstudio in rocker/rstudio and the images that build on it (rocker/hadleyverse, rocker/ropensci), hence:
docker run --user docker -ti r-base R
but with an RStudio-based image:
docker run --user rstudio -ti rocker/rstudio R
Or for simplicity, one can specify the user's UID instead. Regardless of the name, the non-root user has UID 1000 (root user has UID 0). Other UIDs are not available at run time.
docker run --user 1000 -ti r-base R
docker run --user 1000 -ti rocker/rstudio R
When running rocker with a non-root user the docker user is still able to install packages. The user docker is member of the group staff and could write to /usr/local/lib/R/site-library.
When using RStudio, the container should always be run as root (e.g. without specifying a --user).
This allows Docker to launch the RStudio server (which needs root to launch). One must then login to the RStudio instance itself as a non-root user (rstudio by default; see Using the RStudio image). Only specify a --user on these containers if you are running with a custom command (e.g. the interactive terminal instances of R as shown above).
Configuring a non-root user is most important when sharing volumes with the host; see Sharing files with the host machine for details. Keep in mind that it is the UID, not the user name, which must match between the container and the host in order to avoid changing permissions.