Launching Docker Container with Non-Root User

Launching a docker container with a non-root user rather than the default root user.

Famidha Thurab
Make Android
Jan 8, 2024


Docker has emerged as a pivotal tool thanks to its flexibility and efficiency. One useful practice is running docker containers with non-root users, which adds an extra protective layer against security threats.

This article explores spinning up a docker container with a non-root user!!

The Docker daemon runs with root privileges, so when a container is launched it inherits root permission from docker. To run a container as a non-root user, adopt either of the methods below.

With USER option of docker CLI.

Via docker file.

By adding the user to the docker group, you will be able to launch the container without the default root user, because the docker daemon is then running with the non-root user, and so is the container connected to the docker Unix socket.

Install docker referring to the below link

Run docker without sudo using the below link

With USER option of docker CLI

When a container is launched as shown below, it runs as the root user.

$ docker run -it ubuntu bash

root@0cf47dbacbf0:/# ls -lrt
total 48
drwxr-xr-x 2 root root 4096 Apr 18 2022 home
drwxr-xr-x 2 root root 4096 Apr 18 2022 boot
drwxr-xr-x 14 root root 4096 Dec 11 14:04 usr
drwxr-xr-x 2 root root 4096 Dec 11 14:04 srv
drwxr-xr-x 2 root root 4096 Dec 11 14:04 opt
drwxr-xr-x 2 root root 4096 Dec 11 14:04 mnt
drwxr-xr-x 2 root root 4096 Dec 11 14:04 media
drwxr-xr-x 11 root root 4096 Dec 11 14:08 var
drwxrwxrwt 2 root root 4096 Dec 11 14:08 tmp
drwx------ 2 root root 4096 Dec 11 14:08 root
drwxr-xr-x 5 root root 4096 Dec 11 14:08 run
drwxr-xr-x 1 root root 4096 Jan 5 12:06 etc
dr-xr-xr-x 13 root root 0 Jan 5 12:06 sys
dr-xr-xr-x 1226 root root 0 Jan 5 12:06 proc
drwxr-xr-x 5 root root 360 Jan 5 12:06 dev

We will use the -u option of the docker CLI to launch the container with the non-root user.

1. Populate the passwd and group files in the docker container

Now that docker is running with the non-root user, the container will also run with the same non-root user once the passwd and group files are populated in the docker container.

To match the current non-root user, we will mount the passwd and group files created below into the container.

$ echo $USER:x:$(id -u):$(id -g):$USER:$HOME:/bin/bash >> $(pwd)/passwd
$ echo $USER:x:$(id -g):$USER >> $(pwd)/group

2. Using -u option in the command line

$ docker run -it -v $(pwd)/passwd:/etc/passwd \
-v $(pwd)/group:/etc/group -u $(id -u):$(id -g) ubuntu bash

fthurab@59d7f41c17d5:/$ pwd
/

As seen above, the container is now launched with the user “fthurab” rather than the default root user, by passing the -u or --user option on the command line.

Via dockerfile

By passing the USER instruction in the dockerfile.

In the dockerfile below, we pass the USER instruction and launch a container with a non-root user.

# from base image Ubuntu
FROM ubuntu
# Adding a new user "fthurab" with user id 0011
RUN useradd -u 0011 fthurab
# Changing container user to non-root user "fthurab"
USER fthurab

We will build the dockerfile and launch a container.

$ docker build -t ubuntu -f dockerfile .
$ docker run -it ubuntu bash

fthurab@7cf4b430fc48:/$ exit
exit

As seen above, now the container is launched with the user “fthurab” rather than the default root user using dockerfile.
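
A check that covers both methods above, added here as an example and not part of the original article: docker inspect reports the user a container was configured with in .Config.User, whether it came from -u or from the image's USER instruction, and an empty value means the default root. The function names classify_user and audit_users are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag containers whose configured user is root.
# Each input line is "name user", as printed by:
#   docker ps -q | xargs -r docker inspect --format '{{.Name}} {{.Config.User}}'
# Limitation: a user *name* that maps to uid 0 in the container's own
# /etc/passwd (for example in a mounted passwd file) is not detected here.

# classify_user USER_FIELD -> prints "root" or "non-root".
# USER_FIELD is the .Config.User value: "", "name", "uid", "uid:gid" or "name:group".
classify_user() {
    user=${1%%:*}                      # drop the optional ":group" part
    case "$user" in
        ""|root)  echo root ;;         # empty means the image default, which is root
        *[!0-9]*) echo non-root ;;     # any other user name
        *)        if [ "$user" -eq 0 ]; then echo root; else echo non-root; fi ;;
    esac
}

# audit_users: reads "name user" lines on stdin, prints the names of
# containers configured to run as root, and returns 1 if any were found.
audit_users() {
    rc=0
    while read -r name user; do
        [ -n "$name" ] || continue     # skip blank lines
        if [ "$(classify_user "$user")" = root ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not real docker output):
# /web has no user set, /app was started with -u 1000:1000, /db with uid 0.
printf '/web \n/app 1000:1000\n/db 0\n' | audit_users \
    || echo "the containers listed above are configured to run as root"
```
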

Take away!

Spin up a docker container with a non-root user rather than the default user; this enhances the security of the container without compromising the dependability of docker.

Thanks for Reading!!
