Tuesday, January 16, 2018

How to enable docker image to run as non-root user

The principle of least authority is an important concept in computer security, promoting minimal user profile privileges on computers, based on users' job necessities. It can also be applied to processes on the computer; each system component or process should have the least authority necessary to perform its duties. This helps reduce the "attack surface" of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises.

Containers of most of the images available in the docker hub, by default, run as the root user. This is bad because:
1) You're more likely to modify up settings that you shouldn't be
2) If an attacker gets access to your container, that's bad if they're root.

Most containerized processes are application services and therefore don’t require root access. The docker daemon currently requires root privileges but containers themselves do not. Well written, secure and reusable Docker images should not expect to be run as root and should provide a predictable and easy method to limit access. To ensure this, some of the container orchestration frameworks force the docker container to run as non-root like OpenShift.



Here's how you can change a Docker container to run as a non-root user

FROM <base image> RUN groupadd -g 1009 appg && \ useradd -r -u 1009 -g appg appuser USER appuser ... <rest of Dockerfile> ...

No comments:

Post a Comment