How can I see which user launched a Docker container?

Question

I can view the list of running containers with docker ps or equivalently docker container ls (added in Docker 1.13). However, it doesn't display the user who launched each Docker container. How can I see which user launched a Docker container? Ideally I would prefer to have the list of running containers along with the user for launched each of them.

score 25 · Accepted Answer · answered May 27 '18 at 07:17

25

You can try this;

docker inspect $(docker ps -q) --format '{{.Config.User}} {{.Name}}'

Edit: Container name added to output

answered May 27 '18 at 07:17

Anar Bayramov

11,158
5
44
64

Thanks! Follow-up question: [How comes is Config.User is an empty string when I inspect a Docker container?](https://stackoverflow.com/q/50555080/395857) – Franck Dernoncourt May 27 '18 at 18:11
I have 6 containers running for laravel when I run command I posted on answer I get only 2 containers that run by root. However on other containers I dont get any result because they might `depend on` other container which is what happens in my case. – Anar Bayramov May 28 '18 at 01:19
Thanks. If container A depends on container B, why would it cause container A not to have a user associated with it? – Franck Dernoncourt May 28 '18 at 01:36
they actually run as user "nobody" – Anar Bayramov May 28 '18 at 01:53
interesting, thanks for the information. Nobody is less nobody than an empty string :-) – Franck Dernoncourt May 28 '18 at 01:56
18

I am pretty sure this is incorrect. The user is the user that runs the container. Not the user that launched the container (did the docker run... command) – tkarls Mar 15 '19 at 17:08
@tkarls, good point. regardless of the fact that many are interested which user container is running under and come to that question as a result. – Alex Martian Nov 25 '19 at 12:56
@tkarls i agree with you... see the answer by BMitch https://stackoverflow.com/a/68505078/52074 where he explains why you can not see who ran a container. – Trevor Boyd Smith Oct 18 '21 at 17:58
Or if you prefer a table-style like output something like this: `(echo "NAME USER"; docker inspect $(docker ps -q) --format "{{.Name}} {{.Config.User}}") | column -t -s ' '` – Bob Ortiz Nov 03 '21 at 10:11

score 20 · Answer 2 · edited Jul 23 '21 at 21:26

There's no built in way to do this.

You can check the user that the application inside the container is configured to run as by inspecting the container for the .Config.User field, and if it's blank the default is uid 0 (root). But this doesn't tell you who ran the docker command that started the container. User bob with access to docker can run a container as any uid (this is the docker run -u 1234 some-image option to run as uid 1234). Most images that haven't been hardened will default to running as root no matter the user that starts the container.

To understand why, realize that docker is a client/server app, and the server can receive connections in different ways. By default, this server is running as root, and users can submit requests with any configuration. These requests may be over a unix socket, you could sudo to root to connect to that socket, you could expose the API to the network (not recommended), or you may have another layer of tooling on top of docker (e.g. Kubernetes with the docker-shim). The big issue in that list is the difference between the network requests vs a unix socket, because network requests don't tell you who's running on the remote host, and if it did, you'd be trusting that remote client to provide accurate information. And since the API is documented, anyone with a curl command could submit a request claiming to be a different user.

In short, every user with access to the docker API is an anonymized root user on your host.

The closest you can get is to either place something in front of docker that authenticates users and populates something like a label. Or trust users to populate that label and be honest (because there's nothing in docker validating these settings).

$ docker run -l "user=$(id -u)" -d --rm --name test-label busybox tail -f /dev/null
...
$ docker container inspect test-label --format '{{ .Config.Labels.user }}'
1000

Beyond that, if you have a deployed container, sometimes you can infer the user by looking through the configuration and finding volume mappings back to that user's home directory. That gives you a strong likelihood, but again, not a guarantee since any user can set any volume.

This, unfortunately, seems to be the correct answer to the question as it was asked. — Raketenolli, Jan 06 '22 at 13:35

score 7 · Answer 3 · edited Jul 23 '21 at 20:42

I found a solution. It is not perfect, but it works for me.

I start all my containers with an environment variable ($CONTAINER_OWNER in my case) which includes the user. Then, I can list the containers with the environment variable.

Start container with environment variable

docker run -e CONTAINER_OWNER=$(whoami) MY_CONTAINER

Start docker compose with environment variable

echo "CONTAINER_OWNER=$(whoami)" > deployment.env # Create env file
docker-compose --env-file deployment.env up

List containers with the environment variable

for container_id in $(docker container ls -q); do
    echo $container_id $(docker exec $container_id bash -c 'echo "$CONTAINER_OWNER"')
done

I guess that would work if all users adhered to this system. At least it can help you tell whether a given container belongs to you or not. — Casey Jones, Dec 14 '21 at 04:17

score 3 · Answer 4 · answered Sep 23 '19 at 18:51

As far as I know, docker inspect will show only the configuration that the container started with.

Because of the fact that commands like entrypoint (or any init script) might change the user, those changes will not be reflected on the docker inspect output.

In order to work around this, you can to overwrite the default entrypoint set by the image with
--entrypoint="" and specify a command like whoami or id after it.

You asked specifically to see all the containers running and the launched user, so this solution is only partial and gives you the user in case it doesn't appear with the docker inspect command:

docker run --entrypoint "" <image-name> whoami

Maybe somebody will proceed from this point to a full solution (:

Read more about entrypoint "" in here.

score 1 · Answer 5 · answered May 27 '18 at 10:16

If you are used to ps command, running ps on the Docker host and grep with parts of the process your process is running. For example, if you have a Tomcat container running, you may run the following command to get details on which user would have started the container.

ps -u | grep tomcat

This is possible because containers are nothing but processes managed by docker. However, this will only work on single host. Docker provides alternatives to get container details as mentioned in other answer.

score 0 · Answer 6 · answered Dec 26 '22 at 20:31

0

this command will print the uid and gid docker exec <CONTAINER_ID> id

answered Dec 26 '22 at 20:31

Ahmed Abdelazim

717
7
14

Dylan B · Answer 7 · 2019-03-21T08:49:45.137

-2

 ps -aux | less

Find the process's name (the one running inside the container) in the list (last column) and you will see the user ran it in the first column

edited Mar 21 '19 at 08:49

answered Mar 21 '19 at 08:43

Dylan B

796
8
16

How can I see which user launched a Docker container?

7 Answers7

Linked