
managing users in docker

Carl Boettiger edited this page Jan 14, 2015 · 7 revisions

By default, all rocker images run as the root user

Justification: This makes them easy to use as base images for other Dockerfiles. Most (all official?) base images leave the default user as root. Someone who uses FROM r-base doesn't need to switch back and forth to the root user with a USER root (switching back and forth adds extra layers and is against the current best practices advised by Docker, as is using sudo in Dockerfiles). This is also the most sensible default for running the RStudio images (see below).

However, all rocker images also define a non-root user which can be switched on at run time using the --user flag to docker run. For historical reasons, this user is docker in [r-base] and [rocker/r-devel] but rstudio in [rocker/rstudio] and the images that build on it ([rocker/hadleyverse], [rocker/ropensci]), hence:

docker run --user docker -ti r-base R

but with an RStudio-based image:

docker run --user rstudio -ti rocker/rstudio R

Or for simplicity, one can specify the user's UID instead. Regardless of the name, the non-root user has UID 1000 (root user has UID 0). This works on any of the images; for example:

docker run --user 1000 -ti r-base R
docker run --user 1000 -ti rocker/rstudio R

When using RStudio, the container should always be run as root (i.e. without specifying a --user).

This allows Docker to launch the RStudio server (which needs root to launch). One must then log in to the RStudio instance itself as a non-root user (rstudio by default; see Using the RStudio image). Only specify a --user on these containers if you are running with a custom command (e.g. the interactive terminal instances of R as shown above).
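The two rules above (non-root UID 1000 for custom commands, root only when an RStudio-based image starts its server) can be encoded in a small wrapper so that root is never used by accident. This is an added example, not part of the rocker project; the function names `is_rstudio_image` and `rocker_cmd` are hypothetical, and the printed command omits any other flags (ports, volumes) you may need.

```shell
#!/bin/sh
# Added example: build a `docker run` command line that follows the user
# rules on this page. Function names are hypothetical, not rocker tooling.

# True for the RStudio-based images named on this page.
is_rstudio_image() {
    # Strip an optional :tag before comparing.
    case "${1%%:*}" in
        rocker/rstudio|rocker/hadleyverse|rocker/ropensci) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: rocker_cmd IMAGE [COMMAND...]
# Prints the command instead of running it, so it can be reviewed first.
rocker_cmd() {
    if [ "$#" -lt 1 ]; then
        echo "usage: rocker_cmd IMAGE [COMMAND...]" >&2
        return 2
    fi
    image=$1
    shift
    if is_rstudio_image "$image" && [ "$#" -eq 0 ]; then
        # No custom command: the container launches the RStudio server,
        # which needs root, so no --user is passed.
        echo "docker run $image"
        return 0
    fi
    # Custom command (or a non-RStudio image): use the non-root user.
    # UID 1000 works on every rocker image, whatever the user is named.
    cmd="docker run --user 1000 -ti $image"
    if [ "$#" -gt 0 ]; then
        cmd="$cmd $*"
    fi
    echo "$cmd"
}
```
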

Configuring a non-root user is most important when sharing volumes with the host; see Sharing files with the host machine for details.