-
Notifications
You must be signed in to change notification settings - Fork 271
managing users in docker
By default, all rocker images run as the root user
Justification: This makes them easy to use as base images for other Dockerfiles. Most (all official?) base images leave the default user as root. Someone who uses FROM r-base
doesn't need to switch back and forth to the root user with a USER root (switching back and forth adds extra layers and is against the current best practices advised by Docker, as is using sudo
in Dockerfiles). This is also the most sensible default for running the RStudio images (see below).
However, all rocker images also define a non-root user which can be switched on at run time using the --user
flag to docker run
. For historical reasons, this user is docker
in [r-base] and [rocker/r-devel] but rstudio
in [rocker/rstudio] and the images that build on it ([rocker/hadleyverse], [rocker/ropensci]), hence:
docker run --user docker -ti r-base R
but with an RStudio-based image:
docker run --user rstudio -ti rocker/rstudio R
Or for simplicity, one can specify the user's UID instead. Regardless of the name, the non-root user has UID 1000 (root user has UID 0). This works on any of the images; for example:
docker run --user 1000 -ti r-base R
docker run --user 1000 -ti rocker/rstudio R
When using RStudio, the container should always be run as root (e.g. without specifying a --user
).
This allows Docker to launch the RStudio server (which needs root to launch). One must then login to the RStudio instance itself as a non-root user (rstudio
by default; see Using the RStudio image). Only specify a --user
on these containers if you are running with a custom command (e.g. the interactive terminal instances of R as shown above).
Configuring a non-root user is most important when sharing volumes with the host; see Sharing files with the host machine for details.
2023