Understanding the User and Group
Docker images often are configured to run in the root user domain of an image. This kind of elevated access for processes inside the container is not necessary. The common scenario for these images is to run a command working off the contents of a mounted volume.
Continuous integration services will often make use of the --user flag to use a reduced permission level for execution. When running locally, the --user flag may not always be specified. In these cases, the cardboardci user acts as a user with minimum permissions to work with the /workspace directory.
Verify the user
You can see the properties of the default user by running id on the image:
docker run cardboardi/<image>:edge id
Labels
Properties of the default user for every image are made available with the label namespace org.cardboardci.image.. The following are user properties that exist within this namespace:
user- The name of the default useruid- The identifier of the default usergroup- The name of the default user groupgid- The identifier of the default user group
To obtain any of the properties listed above, you can run this for the container:
docker inspect -f '{{ index .Config.Labels "org.cardboardci.image.<property>" }}' <container_name>
Or the image:
docker inspect -f '{{ index .Config.Labels "org.cardboardci.image.<property>" }}' ghcr.io/cardboardci/<image_name>
Checking the user
If you are experiencing issues with one of the containers, it can be useful to check if the issue is due to permissions. Running the container with the root flag (--user root) or interactively debugging can be helpful.
To run a container with an interactive shell:
docker exec --user 'cardboardci' -it <container_name> /bin/bash
Or as the root user:
docker exec --user 'root' -it <container_name> /bin/bash