I can view the list of running containers with docker ps or equivalently docker container ls (added in Docker 1.13). However, it doesn't display the user who launched each Docker container. How can I see which user launched a Docker container? Ideally I would prefer to have the list of running containers along with the user for launched each of them.
You can try this;
docker inspect $(docker ps -q) --format '{{.Config.User}} {{.Name}}'
Edit: Container name added to output
There's no built in way to do this.
You can check the user that the application inside the container is configured to run as by inspecting the container for the .Config.User field, and if it's blank the default is uid 0 (root). But this doesn't tell you who ran the docker command that started the container. User bob with access to docker can run a container as any uid (this is the docker run -u 1234 some-image option to run as uid 1234). Most images that haven't been hardened will default to running as root no matter the user that starts the container.
To understand why, realize that docker is a client/server app, and the server can receive connections in different ways. By default, this server is running as root, and users can submit requests with any configuration. These requests may be over a unix socket, you could sudo to root to connect to that socket, you could expose the API to the network (not recommended), or you may have another layer of tooling on top of docker (e.g. Kubernetes with the docker-shim). The big issue in that list is the difference between the network requests vs a unix socket, because network requests don't tell you who's running on the remote host, and if it did, you'd be trusting that remote client to provide accurate information. And since the API is documented, anyone with a curl command could submit a request claiming to be a different user.
In short, every user with access to the docker API is an anonymized root user on your host.
The closest you can get is to either place something in front of docker that authenticates users and populates something like a label. Or trust users to populate that label and be honest (because there's nothing in docker validating these settings).
$ docker run -l "user=$(id -u)" -d --rm --name test-label busybox tail -f /dev/null
...
$ docker container inspect test-label --format '{{ .Config.Labels.user }}'
1000
Beyond that, if you have a deployed container, sometimes you can infer the user by looking through the configuration and finding volume mappings back to that user's home directory. That gives you a strong likelihood, but again, not a guarantee since any user can set any volume.
I found a solution. It is not perfect, but it works for me.
I start all my containers with an environment variable ($CONTAINER_OWNER in my case) which includes the user. Then, I can list the containers with the environment variable.
Start container with environment variable
docker run -e CONTAINER_OWNER=$(whoami) MY_CONTAINER
Start docker compose with environment variable
echo "CONTAINER_OWNER=$(whoami)" > deployment.env # Create env file
docker-compose --env-file deployment.env up
List containers with the environment variable
for container_id in $(docker container ls -q); do
echo $container_id $(docker exec $container_id bash -c 'echo "$CONTAINER_OWNER"')
done
As far as I know, docker inspect will show only the configuration that
the container started with.
Because of the fact that commands like entrypoint (or any init script) might change the user, those changes will not be reflected on the docker inspect output.
In order to work around this, you can to overwrite the default entrypoint set by the image with --entrypoint="" and specify a command like whoami or id after it.
You asked specifically to see all the containers running and the launched user, so this solution is only partial and gives you the user in case it doesn't appear with the docker inspect command:
docker run --entrypoint "" <image-name> whoami
Maybe somebody will proceed from this point to a full solution (:
Read more about entrypoint "" in here.
If you are used to ps command, running ps on the Docker host and grep with parts of the process your process is running. For example, if you have a Tomcat container running, you may run the following command to get details on which user would have started the container.
ps -u | grep tomcat
This is possible because containers are nothing but processes managed by docker. However, this will only work on single host. Docker provides alternatives to get container details as mentioned in other answer.
this command will print the uid and gid
docker exec <CONTAINER_ID> id
ps -aux | less
Find the process's name (the one running inside the container) in the list (last column) and you will see the user ran it in the first column
Related
Running the docker registry with below command always throws an error:
dev:tmp me$ docker run \
-d --name registry-v1 \
-e SETTINGS_FLAVOR=local \
-e STORAGE_PATH=/registry \
-e SEARCH_BACKEND=sqlalchemy \
-e LOGLEVEL=DEBUG \
-p 5000:5000 \
registry:0.9.1
Error response from daemon: Conflict. The name "registry-v1" is already in use by container f9e5798a82e0. You have to delete (or rename) that container to be able to reuse that name.
How can I prevent this error ?
I got confused by this also. There are two commands relevant here:
docker run # Run a command in a **new** container
docker start # Start one or more stopped containers
That means you have already started a container in the past with the parameter
docker run --name registry-v1 ...
You need to delete that first before you can re-create a container with the same name with
docker rm registry-v1
When that container is sill running you need to stop it first before you can delete it with
docker stop registry-v1
Or simply choose a different name for the new container.
To get a list of existing containers and their names simply invoke
docker ps -a
Here what i did, it works fine.
step 1:(it lists docker container with its name)
docker ps -a
step 2:
docker rm name_of_the_docker_container
When you are building a new image you often want to run a new container each time and with the same name. I found the easiest way was to start the container with the --rm option:
--rm Automatically remove the container when it exits
e.g.
docker run --name my-micro-service --rm <image>
Sadly it's used almost randomly in the examples from the docs
Edit: Read Lepe's comment below.
Just to explain what others are saying (it took me some time to understand) is that, simply put, when you see this error, it means you already have a container and what you have to do is run it. While intuitively docker run is supposed to run it, it doesn't. The command docker run is used to only START a container for the very first time. To run an existing container what you need is docker start $container-name. So much for asking developers to create meaningful/intuitive commands.
You have 2 options to fix this...
Remove previous container using that name, with the command docker rm $(docker ps -aq --filter name=myContainerName)
OR
Rename current container to a different name i.e change this portion --name registry-v1 to something like --name myAnotherContainerName
You are getting this error because that container name ( i.e registry-v1) was used by another container in the past...even though that container may have exited i.e (currently not in use).
Cause
A container with the same name is still existing.
Solution
To reuse the same container name, delete the existing container by:
docker rm <container name>
Explanation
Containers can exist in following states, during which the container name can't be used for another container:
created
restarting
running
paused
exited
dead
You can see containers in running state by using :
docker ps
To show containers in all states and find out if a container name is taken, use:
docker ps -a
Here is how I solved this on ubuntu 18:
$ sudo docker ps -a
copy the container ID
For each container do:
$ sudo docker stop container_ID
$ sudo docker rm container_ID
removing all the exited containers
docker rm $(docker ps -a -f status=exited -q)
The Problem: you trying to create new container while in background container with same name is running and this situation causes conflicts.
The error would be like:
Cannot create continer for service X :Conflict. The name X is already in use by container abc123xyz. You have to remove ot delete (or rename) that container to be able to reuse that name.
Solution rename the service name in docker-compose.yml or delete the running container and rebuild it again (this solution related to Unix/Linux/macOS systems):
get all running containers sudo docker ps -a
get the specific container id
stop and remove the duplicated container / force remove it
sudo docker stop <container_id>
sudo docker rm <container_id>
or
sudo docker rm --force <container_id>
You can remove it with command sudo docker rm YOUR_CONTAINER_ID, then run a new container with sudo docker run ...;
or restart an existing container with sudo docker start YOUR_CONTAINER_ID
I was running into this issue that when I run docker rm (which usually works) I would get:
Error: No such image
The easiest solution to this is removing all stopped containers by running:
docker container prune
I have solved the issue by doing following steps and I hope it helps.
Type docker ps -a to list all the containers in your system.
Check the NAMES part where you have initialized your docker container.
Then type docker rm --force name_of_container
Install the docker container as you wish.
I had problem using NIFI and I have removed and reinstalled using docker. Good luck.
TL:DR;
List all containers:
docker ps -a
Remove the concerned container by id:
docker container rm <container_id>
I'm just learning docker and this got me as well. I stopped the container with that name already and therefore I thought I could run a new container with that name.
Not the case. Just because the container is stopped, doesn't mean it can't be started again, and it keeps all the same parameters that it was created with (including the name).
when I ran docker ps -a that's when I saw all the dummy test containers I created while I was playing around.
No problem, since I don't want those any more I just did docker rm containername at which point my new container was allowed to run with the old name.
Ah, and now that I finish writing this answer, I see Slawosz's comment on Walt Howard's answer above suggesting the use of docker ps -a
The OP's problem is the error. Deleting state isn't the only solution - or even a good one. The problem is docker run isn't re-entrant, and docker start is impotent w/o run. So we have to combine them.
For example to run Postgres w/o destroying previous state, try this:
docker start postgres || docker run -d -p 5432:5432 --name postgres -e POSTGRES_PASSWORD=password postgres:13-alpine
Ok, so I didn't understand either, then I left my pc, went to do other things, and upon my return, it clicked :D
You download a docker image file. docker pull *image-name* will just pull the image from docker hub without running it.
Now, you use docker run, and give it a name (e.g. newWebServer).
docker run -d -p 8080:8080 -v volume --name newWebServer image-name/version
You perhaps only need docker run --name *name* *image*, but the other stuff will become useful quickly.
-d (detached) - means the container will exit when the root process used to run the container exits.
-p (port) - specify the container port and the host port. Kind of the internal and external port. The internal one being the port the container uses, and the external one is the port you use outside of it and probably the one you need to put in your web browser if that's how you access your app.
--name (what you want to call this instance of the container) - you could have several instances of the same container all with different names, which is useful when you're trying to test something.
image-name/version is the actual image you want to create the container from. You can see a list of all the images on your system with docker images -a. You may have more than one version, so make sure you choose the correct one/tag.
-v (volume) - perhaps not needed initially, but soon you'll want to persist data after your container exits.
OK. So now, docker run just created a container from your image. If it isn't running, you can now start it with it's name:
docker start newWebServer
You can check all your containers (they may or may not be running) with
docker ps -a
You can stop and start them (or pause them) with their name or the container id (or just the first few characters of it) from the CONTAINER ID column e.g:
docker stop newWebServer
docker start c3028a89462c
And list all your images, with
docker images -a
In a nutshell, download an image; docker run creates a container from it; start it with docker start (name or container id); stop it with docker stop (name or container id).
I had this issue because I had two or more containers with the same container_name in the docker-compose.yml file.
Simple Solution: Goto your docker folder in the system and delete .raw file or docker archive with large size.
For me, the issue was that I used an image name more than once in the dockerfile.
This happened to me on the docker tutorial! The port I tried to use was taken, but docker still created.. an image? A process to run docker? I'll find out soon. Anyways, to choose a different port, I had to remove the older image, and then docker run again.
Sometimes a tutorial can be too terse. What you want is concise, not terse, or even succinct.
I use following command to build web server
docker run --name webapp -p 8080:4000 mypyweb
When it stopped and I want to restart, I always use:
sudo docker start webapp && sudo docker exec -it webapp bash
But I can't see the server state as the first time:
Digest: sha256:e61b45be29f72fb119ec9f10ca660c3c54c6748cb0e02a412119fae3c8364ecd
Status: Downloaded newer image for ericgoebelbecker/stackify-tutorial:1.00
* Running on http://0.0.0.0:4000/ (Press CTRL+C to quit)
How can I see the state instead of interacting with the shell?
When you use docker run, the default behavior is to run the container detached. This runs in the background and is detached from your shell's stdin/out.
To run the container in the foreground and connected to stdin/out:
docker run --interactive --tty --publish=8080:4000 mypyweb
To docker start a container, similarly:
docker start --interactive --attach [CONTAINER]
NB --attach rather than -tty
You may list (all add --all) running containers:
docker container ls
E.g. I ran Nginx:
CONTAINER ID IMAGE PORTS NAMES
7cc4b4e1cfd6 nginx 0.0.0.0:8888->80/tcp nostalgic_thompson
NB You may use the NAME or any uniquely identifiable subset of the ID to reference the container
Then:
docker stop nostalgic_thompson
docker start --interative --attach 7cc4
You may check the container's logs (when running detached or from another shell) by grabbing the container's ID or NAMES
docker logs nostalgic_thompson
docker logs 7cc4
HTH!
Using docker exec is causing the shell to attach to the container. If you are comparing the behavior of docker run versus docker start, they behave differently, and it is confusing. Try this:
$ sudo docker start -a webapp
the -a flag tells docker to attach stdout/stderr and forward signals.
There are some other switches you can use with the start command (and a huge number for the run command). You can run docker [command] --help to get a summary of the options.
One other command that you might want to use is logs which will show the console output logs for a running container:
$ docker ps
[find the container ID]
$ docker logs [container ID]
If you think your container's misbehaving, it's often not wrong to just delete it and create a new one.
docker rm webapp
docker run --name webapp -p 8080:4000 mypyweb
Containers occasionally have more involved startup sequences and these can assume they're generally starting from a clean slate. It should also be extremely routine to delete and recreate a container; it's required for some basic tasks like upgrading the image underneath a container to a newer version or changing published ports or environment variables.
docker exec probably shouldn't be part of your core workflow, any more than you'd open a shell to interact with your Web browser. I generally don't tend to docker stop containers, except to immediately docker rm them.
$ docker run --rm -it busybox
/ # who
<empty>
In the next session I'm trying to attach to this docker container and expecting second user will appear, but no luck again:
$ docker attach `docker container ls | grep busybox | cut -d" " -f1`
/ # who
<empty again>
So the question is - why there are no logons happened not by first run-and-attach, not by consequent attaches? And why there is no even a single logon into this container?
who reads the list of users from /var/run/utmp. On a regular Linux system, the login program prompts for the username and password and then starts the user's shell. It also updates /var/run/utmp with the new user.
The same thing happens for SSH and Telnet servers. They are expected to update /var/run/utmp.
In a Docker container, login is usually not executed. Docker isolates resources from the host system with Linux Namespaces, it does not provide a complete Linux system. When you enter a Docker container, the given entrypoint or command is executed with PID 1.
Subsequent docker exec calls are handled in a similar way. Docker enters the namespace of the container and executes the given command.
EDIT: after some reading I see Alexander answer as more to the point. Couple of useful links I've read along that way:
https://docs.docker.com/engine/security/security/
https://lwn.net/Articles/531114
As far as I understand busybox docker container is very basic and does not support all functionality of full-fledged Linux.
Here I thought I understood Docker until I saw the BusyBox docker image there is a discussion about what that image is and what it is for.
I currently use docker for my backend, and when I first start them up with
docker-compose up
I get log outputs of all 4 dockers at once, so I can see how they are interacting with each other when a request comes in. Looking like this, one request going from nginx to couchdb
The issue is now that I am running on GCE with load balancing, when a new VM spins up, it auto starts the dockers and runs normally, I would like to be able to access a load balanced VM and view the live logs, but I can not get docker to allow me this style, when I use logs, it gives me normal all white font with no label of where it came from.
Using
docker events
does nothing, it won't return any info.
tldr; what is the best way to obtain a view, same as the log output you get when running "docker-compose up"
If using docker-compose, you use
docker-compose logs --tail=0 --follow
instead of
docker logs --tail=0 --follow
This will get the output I was originally looking for.
You can see the logs for all running containers with
docker ps -q | xargs -L 1 docker logs
In theory this might work for the --follow too if xargs is ran with -P <count>, where the count is higher than the number of running containers.
I use a variation of this to live tail (--follow) all logs and indicate which log is tailing at the time. This bash includes both stdout and stderr. Note you may need to purge the /tmp dir of *.{log,err} afterwards.
for c in $(docker ps -a --format="{{.Names}}")
do
docker logs -f $c > /tmp/$c.log 2> /tmp/$c.err &
done
tail -f /tmp/*.{log,err}
Hope this helps. Logging has become so problematic these days, and other get-off-my-lawn old man rants...
Try "watch"
Here's a quick and dirty multitail/xtail for docker containers.
watch 'docker ps --format "{{.Names}}" | sort | xargs --verbose --max-args=1 -- docker logs --tail=8 --timestamps'
How this works:
watch to run every few seconds
docker ps --format "{{.Names}}" to get the names of all running containers
sort to sort them
xargs to give these names to docker logs:
docker logs to print the actual logs
Adjust parameter "--tail=8" as needed so that everything still fits on one screen.
The "xargs" methods listed above (in another user's answer) will stop working as containers are stopped and restarted. This "watch" method here does not have that problem. (But it's not great either.)
If you are using Docker Swarm, you can find your services by
docker service ls
Grap the id, and then run
docker service logs $ID -f
if the service is defined with tty: true, then you must run with the --raw flag. Notice, this wont tell you which container is giving the outputted log entry.
Running the docker registry with below command always throws an error:
dev:tmp me$ docker run \
-d --name registry-v1 \
-e SETTINGS_FLAVOR=local \
-e STORAGE_PATH=/registry \
-e SEARCH_BACKEND=sqlalchemy \
-e LOGLEVEL=DEBUG \
-p 5000:5000 \
registry:0.9.1
Error response from daemon: Conflict. The name "registry-v1" is already in use by container f9e5798a82e0. You have to delete (or rename) that container to be able to reuse that name.
How can I prevent this error ?
I got confused by this also. There are two commands relevant here:
docker run # Run a command in a **new** container
docker start # Start one or more stopped containers
That means you have already started a container in the past with the parameter
docker run --name registry-v1 ...
You need to delete that first before you can re-create a container with the same name with
docker rm registry-v1
When that container is sill running you need to stop it first before you can delete it with
docker stop registry-v1
Or simply choose a different name for the new container.
To get a list of existing containers and their names simply invoke
docker ps -a
Here what i did, it works fine.
step 1:(it lists docker container with its name)
docker ps -a
step 2:
docker rm name_of_the_docker_container
When you are building a new image you often want to run a new container each time and with the same name. I found the easiest way was to start the container with the --rm option:
--rm Automatically remove the container when it exits
e.g.
docker run --name my-micro-service --rm <image>
Sadly it's used almost randomly in the examples from the docs
Edit: Read Lepe's comment below.
Just to explain what others are saying (it took me some time to understand) is that, simply put, when you see this error, it means you already have a container and what you have to do is run it. While intuitively docker run is supposed to run it, it doesn't. The command docker run is used to only START a container for the very first time. To run an existing container what you need is docker start $container-name. So much for asking developers to create meaningful/intuitive commands.
You have 2 options to fix this...
Remove previous container using that name, with the command docker rm $(docker ps -aq --filter name=myContainerName)
OR
Rename current container to a different name i.e change this portion --name registry-v1 to something like --name myAnotherContainerName
You are getting this error because that container name ( i.e registry-v1) was used by another container in the past...even though that container may have exited i.e (currently not in use).
Cause
A container with the same name is still existing.
Solution
To reuse the same container name, delete the existing container by:
docker rm <container name>
Explanation
Containers can exist in following states, during which the container name can't be used for another container:
created
restarting
running
paused
exited
dead
You can see containers in running state by using :
docker ps
To show containers in all states and find out if a container name is taken, use:
docker ps -a
Here is how I solved this on ubuntu 18:
$ sudo docker ps -a
copy the container ID
For each container do:
$ sudo docker stop container_ID
$ sudo docker rm container_ID
removing all the exited containers
docker rm $(docker ps -a -f status=exited -q)
The Problem: you trying to create new container while in background container with same name is running and this situation causes conflicts.
The error would be like:
Cannot create continer for service X :Conflict. The name X is already in use by container abc123xyz. You have to remove ot delete (or rename) that container to be able to reuse that name.
Solution rename the service name in docker-compose.yml or delete the running container and rebuild it again (this solution related to Unix/Linux/macOS systems):
get all running containers sudo docker ps -a
get the specific container id
stop and remove the duplicated container / force remove it
sudo docker stop <container_id>
sudo docker rm <container_id>
or
sudo docker rm --force <container_id>
You can remove it with command sudo docker rm YOUR_CONTAINER_ID, then run a new container with sudo docker run ...;
or restart an existing container with sudo docker start YOUR_CONTAINER_ID
I was running into this issue that when I run docker rm (which usually works) I would get:
Error: No such image
The easiest solution to this is removing all stopped containers by running:
docker container prune
I have solved the issue by doing following steps and I hope it helps.
Type docker ps -a to list all the containers in your system.
Check the NAMES part where you have initialized your docker container.
Then type docker rm --force name_of_container
Install the docker container as you wish.
I had problem using NIFI and I have removed and reinstalled using docker. Good luck.
TL:DR;
List all containers:
docker ps -a
Remove the concerned container by id:
docker container rm <container_id>
The OP's problem is the error. Deleting state isn't the only solution - or even a good one. The problem is docker run isn't re-entrant, and docker start is impotent w/o run. So we have to combine them.
For example to run Postgres w/o destroying previous state, try this:
docker start postgres || docker run -d -p 5432:5432 --name postgres -e POSTGRES_PASSWORD=password postgres:13-alpine
I'm just learning docker and this got me as well. I stopped the container with that name already and therefore I thought I could run a new container with that name.
Not the case. Just because the container is stopped, doesn't mean it can't be started again, and it keeps all the same parameters that it was created with (including the name).
when I ran docker ps -a that's when I saw all the dummy test containers I created while I was playing around.
No problem, since I don't want those any more I just did docker rm containername at which point my new container was allowed to run with the old name.
Ah, and now that I finish writing this answer, I see Slawosz's comment on Walt Howard's answer above suggesting the use of docker ps -a
Ok, so I didn't understand either, then I left my pc, went to do other things, and upon my return, it clicked :D
You download a docker image file. docker pull *image-name* will just pull the image from docker hub without running it.
Now, you use docker run, and give it a name (e.g. newWebServer).
docker run -d -p 8080:8080 -v volume --name newWebServer image-name/version
You perhaps only need docker run --name *name* *image*, but the other stuff will become useful quickly.
-d (detached) - means the container will exit when the root process used to run the container exits.
-p (port) - specify the container port and the host port. Kind of the internal and external port. The internal one being the port the container uses, and the external one is the port you use outside of it and probably the one you need to put in your web browser if that's how you access your app.
--name (what you want to call this instance of the container) - you could have several instances of the same container all with different names, which is useful when you're trying to test something.
image-name/version is the actual image you want to create the container from. You can see a list of all the images on your system with docker images -a. You may have more than one version, so make sure you choose the correct one/tag.
-v (volume) - perhaps not needed initially, but soon you'll want to persist data after your container exits.
OK. So now, docker run just created a container from your image. If it isn't running, you can now start it with it's name:
docker start newWebServer
You can check all your containers (they may or may not be running) with
docker ps -a
You can stop and start them (or pause them) with their name or the container id (or just the first few characters of it) from the CONTAINER ID column e.g:
docker stop newWebServer
docker start c3028a89462c
And list all your images, with
docker images -a
In a nutshell, download an image; docker run creates a container from it; start it with docker start (name or container id); stop it with docker stop (name or container id).
I had this issue because I had two or more containers with the same container_name in the docker-compose.yml file.
Simple Solution: Goto your docker folder in the system and delete .raw file or docker archive with large size.
For me, the issue was that I used an image name more than once in the dockerfile.
This happened to me on the docker tutorial! The port I tried to use was taken, but docker still created.. an image? A process to run docker? I'll find out soon. Anyways, to choose a different port, I had to remove the older image, and then docker run again.
Sometimes a tutorial can be too terse. What you want is concise, not terse, or even succinct.