 

Run docker as root versus non-root

Getting confused about "run docker as non-root vs root user".

First question (run as non-root user): based on Post-installation steps for Linux, to run docker as non-root, we create the docker group and add the user to it. Yet the article claims "The docker group grants privileges equivalent to the root user". So if I understand this sentence correctly, we don't run docker as root, but we run it as a user (in the docker group) who is as powerful as root?

Second question (run as root user): assume I followed the steps above (create docker group and add user to it). Yet I specify "USER root" in a Dockerfile (example below). When I run this container, it will run as root regardless of the setting above, correct?

FROM debian:stretch
USER root
CMD ["echo", "hello"]
batilei asked Jan 27 '23 22:01


1 Answer

The docker group grants privileges equivalent to the root user

By default, yes. This is also true for any user that can run a docker container on the machine.

The reason is that by default when you are running as root inside the container, this will map to root on the host machine. Thus you can bind some sensitive folders from the host onto the container, and execute privileged actions on those mounts since the user inside the container is root (pid 0).

The solution for that is to enable the user namespace, which basically maps the root user inside the container to a non-root user on the machine.

Second question (run as root user): assume I followed the steps above (create docker group and add user to it). Yet I specify "USER root" in a Dockerfile (example below). When I run this container, it will run as root regardless of the setting above, correct?

There are several points here:

  • USER root is the default, so you don't have to specify it (unless the base image explicitly sets a user other than root).
  • From the perspective of the host machine, a docker container is just a normal process. Every process has an owner. This owner is the host machine user that executed the docker run command. The USER root instruction has nothing to do with this owner. The USER instruction only specifies the user inside the container that starts the process inside the container; this is different from the owner of the container.
yamenk answered Jan 30 '23 13:01
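Editor's note with an added example (not code from the question or the answer above). The answer's two points, that container root is host root unless user namespaces are in play and that USER only chooses the uid inside the container, can be made concrete by translating a container uid through a uid_map, the same "inside outside count" format the kernel exposes in /proc/<pid>/uid_map, and then asking what a given docker run line lets that uid touch on the host. One caveat to the second bullet: with the standard root-owned daemon, docker run only sends an API request over the daemon's socket; the container process is spawned by the daemon and runs under whatever uid the image's USER (or --user) resolves to after translation through the namespace's uid_map, not under the account of whoever typed the command. The remap range, the list of sensitive host paths, and the set of value-taking options are assumptions for the example; the real remap range comes from /etc/subuid.

```python
"""Where does a container's uid land on the host?  Added example; not from the post.

Models the two daemon configurations the answer contrasts: the default (no user
namespace, container root == host root) and userns-remap (container root maps
into an unprivileged subuid range).  uid_map lines use the kernel's
/proc/<pid>/uid_map format, "<inside> <outside> <count>" (user_namespaces(7)).
"""
import shlex

DEFAULT_MAP = "0 0 4294967295"   # no userns: identity mapping, root stays root
REMAP_MAP = "0 100000 65536"     # assumed dockremap subuid range 100000-165535

# Host paths where root-equivalent write access means host compromise (assumed list).
SENSITIVE = ("/", "/etc", "/root", "/home", "/var/lib/docker", "/var/run/docker.sock")
# docker run options that consume the next argv token (assumed subset); others are flags.
VALUE_OPTS = {"-e", "--env", "-p", "--publish", "--name", "-w", "--workdir",
              "--network", "--entrypoint", "--cap-add", "--cap-drop", "--pid",
              "-v", "--volume", "-u", "--user", "--userns"}


def host_uid(container_uid, uid_map):
    """Translate a uid seen inside the container to the host uid using uid_map.
    Returns None for an unmapped uid (the kernel presents it as the overflow uid)."""
    for line in uid_map.strip().splitlines():
        inside, outside, count = (int(x) for x in line.split())
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def parse_run(cmdline):
    """Pull the options this check cares about out of a `docker run ...` line."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run' command line")
    opts = {"volumes": [], "user": None, "userns": None, "privileged": False}
    i = 2
    while i < len(argv):
        tok = argv[i]
        key, _, inline = tok.partition("=")          # handles both "--opt=v" and "--opt v"
        takes_value = key in VALUE_OPTS
        val = inline if inline or not takes_value else argv[i + 1]
        if key in ("-v", "--volume"):
            opts["volumes"].append(val)
        elif key in ("-u", "--user"):
            opts["user"] = val
        elif key == "--userns":
            opts["userns"] = val
        elif key == "--privileged":
            opts["privileged"] = True
        elif not tok.startswith("-"):
            break                                    # image name: the rest is the command
        i += 2 if takes_value and not inline else 1
    return opts


def is_sensitive(host_path):
    if host_path == "/":
        return True
    return any(host_path == s or host_path.startswith(s + "/") for s in SENSITIVE if s != "/")


def assess(cmdline, daemon_remap=False, image_user="root"):
    """Who is this container on the host, and what does that let it touch?

    daemon_remap: dockerd started with userns-remap (REMAP_MAP applies unless the
    run line opts out with --userns=host).  image_user: the USER the image was
    built with; Docker's default, as the answer notes, is root.  A non-numeric,
    non-root user name cannot be resolved without the image's /etc/passwd, so
    its host uid is reported as None.
    Returns (effective user string, host uid, list of findings)."""
    o = parse_run(cmdline)
    user = o["user"] or image_user
    name = user.split(":")[0]
    in_uid = 0 if name == "root" else (int(name) if name.isdigit() else None)
    remapped = daemon_remap and o["userns"] != "host"
    uid_map = REMAP_MAP if remapped else DEFAULT_MAP
    h_uid = host_uid(in_uid, uid_map) if in_uid is not None else None
    findings = []
    if o["privileged"]:
        findings.append("--privileged: full capabilities and host device access")
    if daemon_remap and o["userns"] == "host":
        findings.append("--userns=host: this container opts out of userns-remap")
    for spec in o["volumes"]:
        src = spec.split(":")[0]
        if src.startswith("/") and is_sensitive(src) and h_uid == 0:
            findings.append(f"bind mount of {src} with host-root uid: read/write as root on the host")
    return user, h_uid, findings


if __name__ == "__main__":
    # Constructed run line mirroring the answer: a docker-group member bind-mounts the
    # host root filesystem into a container whose USER is root, with and without remap.
    for remap in (False, True):
        user, uid, findings = assess(
            "docker run --rm -it -v /:/host debian:stretch chroot /host", daemon_remap=remap)
        print(f"userns-remap={remap}: container user {user} is host uid {uid}; findings={findings}")
```

Running the script shows the two cases side by side: without remap the container's root is host uid 0 and the bind mount of / is flagged; with remap the same root is host uid 100000, which owns nothing on the host, so the mount is no longer root-equivalent. Passing --userns=host or --privileged on a remapped daemon re-opens the hole, which is why those flags deserve the same scrutiny as docker group membership itself.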