Moby: ldap user as docker username

Created on 16 Jul 2014  ·  3 Comments  ·  Source: moby/moby

The -u/--user option for docker run is useful only for local accounts listed in /etc/passwd. If the host system is integrated with LDAP, the users won't have an entry in this file. docker run fails, as it's unable to find those users.

In the example below, the user bhuvan is in LDAP, but docker run doesn't allow using this account. Docker should have the ability to use the host system's auth mechanism.

$ docker run --user=bhuvan --rm -i -t --net host centos:centos6 /bin/bash
2014/07/16 16:45:54 Error response from daemon: Cannot start container 95ef5ab02d7471b509fcaa37c22afe48b04af3c57db5b72264f84136c97bec39: finalize namespace setup user get supplementary groups Unable to find user bhuvan

All 3 comments

If you are running docker in the bhuvan account, you can enter into the container as the bhuvan user by setting the -u flag like so:

-u=$(id -u $(whoami)):$(id -g $(whoami))

Note that inside the container, you will not see the name but the actual UID and GID.

@bhuvaneswaran You need to set this up within your container. Integrating with ldap now isn't possible.

Ldap integration for Docker might become possible in the future, but it's not supported for now. This should become possible once plugins are supported.
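The two comments above describe the workaround in pieces: resolve the account to numbers on the host (where NSS, and therefore LDAP, is available) and hand Docker a numeric UID:GID, and then give the container its own passwd entry so the UID maps back to a name inside it. The script below is an added example that puts both together; it is not code from the issue or from the Docker project. It assumes a POSIX shell, that `id` (and optionally `getent`) on the host can resolve the LDAP account, and that the image's `/etc/passwd` can be shadowed with a read-only bind mount; the wrapper function's image and command arguments are whatever the caller passes.

```shell
#!/bin/sh
# Added example (not from the moby issue or Docker itself).
# The daemon resolves --user against the image's /etc/passwd, not the host's
# NSS, so a name that exists only in LDAP fails with "Unable to find user".
# A numeric UID:GID is never looked up by name, so it always works.
set -eu

# Print "--user=UID:GID" for a host account; fails if `id` cannot resolve it.
# `id` goes through NSS on the host, so LDAP-only users resolve here.
user_flag() {
    name=$1
    uid=$(id -u "$name") || return 1
    gid=$(id -g "$name") || return 1
    printf -- '--user=%s:%s\n' "$uid" "$gid"
}

# Produce one /etc/passwd line for the account so tools inside the container
# (whoami, ssh, anything calling getpwuid) can map the UID back to a name.
# Prefer the real NSS record via getent; fall back to a synthesized entry
# (assumed home under /home and /bin/sh as shell) where getent is absent.
passwd_entry() {
    name=$1
    if command -v getent >/dev/null 2>&1 && getent passwd "$name" >/dev/null 2>&1; then
        getent passwd "$name"
        return 0
    fi
    uid=$(id -u "$name") || return 1
    gid=$(id -g "$name") || return 1
    printf '%s:x:%s:%s::/home/%s:/bin/sh\n' "$name" "$uid" "$gid" "$name"
}

# Full workaround: numeric --user plus a passwd file containing only the
# container's own root entry and our user, bind-mounted read-only over the
# image's /etc/passwd.  Usage: run_as_host_user bhuvan centos:centos6 /bin/bash
run_as_host_user() {
    name=$1; shift
    flag=$(user_flag "$name")
    tmp=$(mktemp)
    {
        printf 'root:x:0:0:root:/root:/bin/sh\n'   # keep root resolvable in the image
        passwd_entry "$name"
    } > "$tmp"
    docker run --rm -i -t "$flag" -v "$tmp:/etc/passwd:ro" "$@"
}
```

Two caveats a practitioner should keep in mind. First, a numeric UID carries no supplementary groups: the daemon looks those up in the image's `/etc/group`, which is exactly the lookup that fails in the original error, so any extra groups the process needs have to be passed explicitly (newer Docker releases accept `--group-add` for this). Second, shadowing `/etc/passwd` only makes the name resolvable inside the container; it does not give the container access to LDAP, so the alternative the comment above alludes to, "set this up within your container", means installing and configuring an NSS client (nslcd, sssd or similar) in the image itself.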

@louden I've run into this same issue years later, and if I try to pass in the user and they are only stored in LDAP and not /etc/passwd I'm unable to use them inside the container even with your code snippet.

Sadly I highly doubt our network admins would appreciate me creating a local user (if I have the permissions) and running docker with that user just to work around the fact that it can't query the network authentication for the user that doesn't "exist" on the system according to /etc/passwd.
