Which system user account(s) should Discourse spawned processes run as?

Hi there, I’m trying to figure out why and how some of the processes that Discourse spawns are running under my non-root normal Linux user account:

I’m currently running Discourse on top of Clear Linux, so it’s not quite a standard base system, but I’ve seen the same behavior with a Discourse installation on Debian too. In the current system I SSH’ed in with my rahim12 user account and did a sudo su before installing and configuring everything relating to the Discourse container. And in my previous tests on Debian I SSH’ed into the system directly as root. So is it normal for some processes like the Unicorn workers to be running under my normal user account, and how did they know to use it? Do they automatically get launched under the Linux UID of 1000?

It’s a quirk of how Docker works.

The discourse user inside the container has UID 1000, so if you look at the process list outside the container it will show whatever user is UID 1000.

In my case, it would show them as claudia as that’s the username all my servers use for UID 1000.

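The lookup described in the answer above can be reproduced without Docker: ps prints the numeric UID of a process and then asks the passwd database it can see for a name, so the same UID gets a different name depending on whose passwd file is consulted. The script below is an added example, not part of the thread or of Discourse; the two passwd files are constructed for the demo (the names claudia, olduser and discourse are taken from the discussion, not from any real system).

```shell
#!/bin/sh
# Added example: resolve one numeric UID against two different passwd
# databases, the way `ps` on the host and `ps` inside a container would.
# Both passwd files below are constructed for this demo.
set -eu

DEMO_DIR="${TMPDIR:-/tmp}/uid-demo.$$"
mkdir -p "$DEMO_DIR"
trap 'rm -rf "$DEMO_DIR"' EXIT

# Constructed host passwd: UID 1000 is the admin login, UID 1001 a
# disabled legacy account that still exists for historical reasons.
HOST_PASSWD="$DEMO_DIR/host-passwd"
cat > "$HOST_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
claudia:x:1000:1000:Claudia:/home/claudia:/bin/bash
olduser:x:1001:1001:Disabled 2019:/home/olduser:/usr/sbin/nologin
EOF

# Constructed container passwd: UID 1000 is "discourse", nothing at 1001.
CONTAINER_PASSWD="$DEMO_DIR/container-passwd"
cat > "$CONTAINER_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
discourse:x:1000:1000::/home/discourse:/bin/bash
EOF

# resolve_uid PASSWD_FILE UID
# Prints the first name with that UID, or the bare number when there is
# no entry (which is exactly what `ps` shows for an unknown UID).
resolve_uid() {
    name=$(awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1")
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf '%s\n' "$2"
    fi
}

# ps_line PASSWD_FILE UID COMM
# One row in the shape of `ps -o uid,user,comm`, seen from a vantage
# point that uses PASSWD_FILE for name lookups.
ps_line() {
    printf '%5s %-10s %s\n' "$2" "$(resolve_uid "$1" "$2")" "$3"
}

# Same kernel UIDs, two different name tables.
for pw in "$HOST_PASSWD" "$CONTAINER_PASSWD"; do
    echo "== $(basename "$pw") =="
    printf '%5s %-10s %s\n' UID USER COMMAND
    ps_line "$pw" 1000 unicorn_worker
    ps_line "$pw" 1001 WebDev
done
```

On a live system the two vantage points are `docker top <container>` (or plain `ps -o pid,uid,user,comm` on the host, which reads /etc/passwd on the host) versus `docker exec <container> id` or `docker exec <container> ps -o uid,user,comm`, which read the image's /etc/passwd; `getent passwd 1000` on the host shows which name the host will attach to that number. The security-relevant point is that, without user namespaces, the number is what the kernel enforces: a container process running as UID 1000 has the same rights over a bind-mounted directory as the host's UID 1000, whatever either side calls it.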

Ahh, interesting, so the host OS is doing a lookup of the username for UID 1000 on the host but it actually belongs to a different UID 1000 inside the container?


That’s correct.

And it actually has caught me out a few times because on one of my local dev servers I have a Docker container that has processes that run as UID 1001 (internal container username is WebDev) and on the host OS it shows an account that has been disabled since 2019 but needs to still exist for historical reasons.


Thanks a lot for explaining that, so that’s quite a strange quirk of Docker. As a conventional Linux admin accustomed to manually installing and configuring each and every component in the stack, I’m not entirely comfortable with the opaque containerization paradigm and its automagic setup scripts that pull in dependencies and configurations from a million different sources. But it’s hard to argue with the speed and reproducibility of deploying Discourse and also the Dockerized mail server I’m running, so I’m not complaining.

I probably should have mentioned that it’s a quirk of Docker because it’s a quirk of Linux Containers in general.

Essentially they’re similar to the *BSD jails, but actually much stricter in how they isolate things.

Personally, I’m not a fan of them, but I actually fully understand why Discourse uses Docker. The isolation actually makes it much more difficult for host changes to affect Discourse. In fact, except for a kernel update that broke Docker briefly awhile back, I’ve never had an upgrade of the host break Discourse. :)
