docker-archive / for-aws


Running the containers as non-root #198

Open lucian29012018 opened 5 years ago

lucian29012018 commented 5 years ago

I’m trying to secure these containers and I want to run them as non-root. Is that possible? Has anyone tried that? Is there any known issue?

paullj1 commented 5 years ago

@lucian29012018, what do you mean "run them as non-root"? You can designate a non-root user to be the one that executes commands in your container when you build it (using the "USER" directive), but until the 19.03 template comes out, the dockerd daemon must run as root since it interfaces directly with the kernel to ask for new namespaces. If you're talking about the CLI, you can always run that as a non-root user, as long as the user you're using has the permissions to talk to the Docker socket (/var/run/docker.sock by default). Typically people accomplish this by adding your user to the "docker" group.

lucian29012018 commented 5 years ago

Hi @paullj1, thanks for your suggestions. Just to clarify, these containers are set up to run as root. So once they are deployed and one has access to the respective machine, he/she can execute this command inside one of the containers to mount the entire file system and has access to it as root, as follows.

docker run -it -v /:/host bash chroot /host

In my understanding this is a security issue and I want to prevent it if possible. My idea was to use a non-privileged user inside the container and not allow switching to root. For this I would need to create new Docker images based on these ones. Has anyone tried to secure these containers? Any suggestion how to do so?

paullj1 commented 5 years ago

So you’re talking about two different things. Creating containers should only be allowed by an admin for the reason you just pointed out. Protecting that socket file is important.

Once a user is inside the container, running as root isn’t as much of a problem (unless you mount the socket inside the container). Generally, a defense-in-depth strategy is adopted, and containers are built in such a way that the main process does not run as root, but that’s more of a precaution.

All of that said, if you want to allow an untrusted user to create containers that do not allow them to take over the host, then there are ways you can do that. Sudo can allow users to run docker as root, but without the ability to map volumes or set the "privileged" flag. Another option you have is to (starting with 19.03) run the engine as a non-root user.
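The sudo approach above needs something in between, because sudoers argument patterns cannot reliably exclude "-v" or "--privileged" wherever they appear on the command line. The wrapper below is an added example, not code from the for-aws project: an admin installs it as a root-run command, grants it through sudo, and it forwards only invocations whose options are on a short allow-list, so the "docker run -v /:/host" escape from the thread is refused before the daemon ever sees it. The install path /usr/local/sbin/docker-restricted, the sudoers line, the DOCKER_BIN variable and the allowed option set are assumptions for this example.

```shell
#!/usr/bin/env bash
# docker-restricted: added example, not part of the for-aws project.
# Hypothetical install:
#   cp docker-restricted /usr/local/sbin/docker-restricted
#   # sudoers:  %devs ALL=(root) NOPASSWD: /usr/local/sbin/docker-restricted
# Users then run "sudo docker-restricted run --rm -it alpine sh".
#
# Design: an allow-list of subcommands and options, not a deny-list.  Anything
# not listed (-v, --mount, --privileged, --pid=host, --device, --cidfile,
# --env-file, global -H/--context, the cp subcommand, ...) is refused, so a
# forgotten dangerous flag fails closed instead of open.

# check_docker_args SUBCOMMAND ARGS... -> 0 if the invocation may be forwarded,
# 1 otherwise, with the reason on stderr.
check_docker_args() {
    [ $# -ge 1 ] || { echo "usage: docker-restricted SUBCOMMAND [ARGS...]" >&2; return 1; }
    local sub=$1 arg
    shift
    case "$sub" in
        run|create|exec)
            # For these subcommands docker stops parsing options at the first
            # positional argument (the image or container name); everything
            # after it is the command handed to the container, so we stop there too.
            while [ $# -gt 0 ]; do
                arg=$1
                case "$arg" in
                    # boolean options that expose nothing on the host
                    -i|-t|-d|--interactive|--tty|--detach|--rm|--init|--read-only)
                        shift ;;
                    # bundled short booleans such as -it or -dit
                    -[itd][itd]|-[itd][itd][itd])
                        shift ;;
                    # options that take a value, in --opt=value form
                    --name=*|--user=*|--env=*|--publish=*|--workdir=*|--entrypoint=*|--memory=*|--cpus=*)
                        shift ;;
                    # the same options in "--opt value" form (docker takes the
                    # next argument as the value, whatever it looks like)
                    --name|-u|--user|-e|--env|-p|--publish|-w|--workdir|--entrypoint|--memory|--cpus)
                        [ $# -ge 2 ] || { echo "denied: '$arg' needs a value" >&2; return 1; }
                        shift 2 ;;
                    # any other option, including -v, -itv, --mount=..., --privileged
                    -*)
                        echo "denied: option '$arg' is not on the allow-list" >&2
                        return 1 ;;
                    # image or container name: the rest is the container's command
                    *)
                        break ;;
                esac
            done
            [ $# -gt 0 ] || { echo "denied: missing image or container name" >&2; return 1; }
            ;;
        ps|images|logs|start|stop|rm|inspect)
            # Read-only or lifecycle subcommands are forwarded with positional
            # arguments only; their options are not needed for this example.
            for arg in "$@"; do
                case "$arg" in
                    -*) echo "denied: '$sub' takes no options here" >&2; return 1 ;;
                esac
            done
            ;;
        *)
            # Covers cp (reads and writes host paths as root), plugin, and any
            # global option placed before the subcommand, e.g. -H or --context.
            echo "denied: subcommand '$sub' is not allowed" >&2
            return 1 ;;
    esac
    return 0
}

# When invoked with arguments, validate them and hand off to the real binary
# (assumed at /usr/bin/docker unless DOCKER_BIN overrides it).  With no
# arguments the file only defines the function, which keeps it sourceable.
if [ $# -gt 0 ]; then
    check_docker_args "$@" || exit 1
    exec "${DOCKER_BIN:-/usr/bin/docker}" "$@"
fi
```

The wrapper only controls what reaches the daemon; it does nothing about who may call it, which is the sudoers rule's job, and it does not stop a user from running an arbitrary image as container root, which the comment above treats as acceptable once host mounts and the privileged flag are off the table. If a missing option turns out to be needed, add it to the allow-list rather than switching the check around.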

lucian29012018 commented 5 years ago

Thank you @paullj1, I'll take this into consideration.