Looking at this Dockerfile, it starts with:

    FROM sequenceiq/pam:centos-6.5
    MAINTAINER SequenceIQ
    USER root

Now that seems redundant, since by default you'd already be root. But for argument's sake - let's look at the parent Dockerfile... that doesn't change the user.
Now let's look at the grandparent Dockerfile. (It doesn't seem to be available).
My question is: Is it redundant in a Dockerfile to run USER root since you're already root?
The Docker daemon always runs as the root user. If you don't want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.
Running the container as root brings a lot of risks. Although being root inside the container is not the same as root on the host machine (some more details here) and you're able to deny a lot of capabilities during container startup, it is still the recommended approach to avoid being root.
Docker containers typically run with root as the default user. To share resources with different privileges, we may need to create additional users inside a Docker container. Here, we'll create a Dockerfile and add a new user.
Running containers as root is a bad idea for security. This has been shown time and time again. Hackers find new ways of escaping out of the container, and that grants unfettered access to the host or Kubernetes node.
Yes, it's redundant, but there's almost no downside to leaving this redundancy in. This may have been done to develop against other images, or to support uses that may swap out the base image. It could be done to prevent future issues if the upstream image changes its behavior. Or they may just want to be explicit so it's clear this container needs to run commands as root.
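The point about the upstream image can be checked mechanically. The following is an added example, not code from the original post or from the image's maintainers: it tracks `USER` through a Dockerfile, reports which `USER root` lines are no-ops, and reports whether the image ends up running as root. The function name `audit` and the `base_user` parameter are hypothetical; `base_user` is the caller's assumption about which user the parent image ends on, since the Dockerfile alone cannot tell you, and stages that build `FROM` an earlier named stage are not modelled.

```python
import re

ROOT = {"root", "0"}  # USER accepts a name or a numeric UID

# First three instructions are the ones quoted in the question; the rest is constructed.
SAMPLE = """\
FROM sequenceiq/pam:centos-6.5
MAINTAINER SequenceIQ
USER root
RUN useradd --uid 1000 app
USER app:app
"""

def audit(dockerfile, base_user="root"):
    """Track USER through the final build stage of a Dockerfile.

    base_user is an assumption supplied by the caller: the Dockerfile alone
    does not reveal which user the parent image ends on.
    """
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join line continuations
    user, redundant, image = base_user, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if instr == "FROM":
            # New stage: reset state; skip flags such as --platform=...
            image = next(t for t in arg.split() if not t.startswith("--"))
            user, redundant = base_user, []
        elif instr == "USER":
            new_user = arg.split(":")[0]  # USER name[:group]
            if new_user in ROOT and user in ROOT:
                redundant.append(line)  # root -> root changes nothing
            user = new_user
    return {"image": image, "final_user": user,
            "runs_as_root": user in ROOT, "redundant": redundant}
```

With `base_user="root"` the question's `USER root` is reported as redundant; with any other `base_user` it is not, which is the case the explicit line protects against.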