How can I see which user launched a Docker container?

As far as I know, docker inspect will show only the configuration that the container started with.

Because of the fact that commands like entrypoint (or any init script) might change the user, those changes will not be reflected on the docker inspect output.

In order to work around this, you can to overwrite the default entrypoint set by the image with
--entrypoint="" and specify a command like whoami or id after it.

You asked specifically to see all the containers running and the launched user, so this solution is only partial and gives you the user in case it doesn't appear with the docker inspect command:

docker run --entrypoint "" <image-name> whoami

Maybe somebody will proceed from this point to a full solution (:


Read more about entrypoint "" in here.


I found a solution. It is not perfect, but it works for me.

I start all my containers with an environment variable ($CONTAINER_OWNER in my case) which includes the user. Then, I can list the containers with the environment variable.

Start container with environment variable

docker run -e CONTAINER_OWNER=$(whoami) MY_CONTAINER

Start docker compose with environment variable

echo "CONTAINER_OWNER=$(whoami)" > deployment.env # Create env file
docker-compose --env-file deployment.env up

List containers with the environment variable

for container_id in $(docker container ls -q); do
    echo $container_id $(docker exec $container_id bash -c 'echo "$CONTAINER_OWNER"')
done

There's no built in way to do this.

You can check the user that the application inside the container is configured to run as by inspecting the container for the .Config.User field, and if it's blank the default is uid 0 (root). But this doesn't tell you who ran the docker command that started the container. User bob with access to docker can run a container as any uid (this is the docker run -u 1234 some-image option to run as uid 1234). Most images that haven't been hardened will default to running as root no matter the user that starts the container.

To understand why, realize that docker is a client/server app, and the server can receive connections in different ways. By default, this server is running as root, and users can submit requests with any configuration. These requests may be over a unix socket, you could sudo to root to connect to that socket, you could expose the API to the network (not recommended), or you may have another layer of tooling on top of docker (e.g. Kubernetes with the docker-shim). The big issue in that list is the difference between the network requests vs a unix socket, because network requests don't tell you who's running on the remote host, and if it did, you'd be trusting that remote client to provide accurate information. And since the API is documented, anyone with a curl command could submit a request claiming to be a different user.

In short, every user with access to the docker API is an anonymized root user on your host.


The closest you can get is to either place something in front of docker that authenticates users and populates something like a label. Or trust users to populate that label and be honest (because there's nothing in docker validating these settings).

$ docker run -l "user=$(id -u)" -d --rm --name test-label busybox tail -f /dev/null
...
$ docker container inspect test-label --format '{{ .Config.Labels.user }}'
1000

Beyond that, if you have a deployed container, sometimes you can infer the user by looking through the configuration and finding volume mappings back to that user's home directory. That gives you a strong likelihood, but again, not a guarantee since any user can set any volume.


You can try this;

docker inspect $(docker ps -q) --format '{{.Config.User}} {{.Name}}'

Edit: Container name added to output

Tags:

Docker