jshimko / meteor-launchpad

A base Docker image for Meteor applications.
https://hub.docker.com/r/jshimko/meteor-launchpad/
MIT License

Use lower privileged user to limit risk in the case of a container breakout #4

Status: Closed (rhyslbw closed 7 years ago)

rhyslbw commented 7 years ago

This is the first of some improvement PRs based on the following post:

https://nodesource.com/blog/8-protips-to-start-killing-it-when-dockerizing-node-js/

By default, the application’s process inside a Docker container runs as a “root” user. This can pose a potentially serious security risk when running in production. There have been several documented cases of container “breakouts,” where an application inside a container is able to escape and make changes in the host’s environment because it has root access.

Seems to be good practice across all environments, not just production, so have included this in the base Dockerfile.

jshimko commented 7 years ago

Thanks for the contribution! I ended up implementing these updates with gosu, so I don't need these changes anymore. But thanks for nudging me to finally get this taken care of!

Also, now that the app is being run by a non-root user, it can no longer run on port 80. So it now listens on port 3000 by default. The simple fix for that is you can map the ports when you docker run the image with -p 80:3000 (which is -p HOST:CONTAINER). Or better yet, you can (and probably should) put a reverse proxy like Nginx in front of the app.

Thanks again!
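
One way an image entrypoint can drop to a non-root user with gosu and reject a privileged listening port at startup, as discussed in the thread above. This is an added example, not code from this PR or from meteor-launchpad; `APP_USER`, `PORT`, `RUNNER` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's entrypoint. APP_USER, PORT, RUNNER and the
# function names are assumptions made for this illustration.
APP_USER="${APP_USER:-node}"   # assumed unprivileged account created in the image
PORT="${PORT:-3000}"

# Lowest port an unprivileged process may bind in this network namespace.
# 1024 is the classic value; some runtimes lower it through this sysctl.
port_floor() {
  f=/proc/sys/net/ipv4/ip_unprivileged_port_start
  if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# usage: port_allowed FLOOR PORT
# 0 = bindable without root, 1 = privileged port, 2 = not a valid port
port_allowed() {
  case "$2" in ''|*[!0-9]*|??????*) return 2 ;; esac
  if [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then return 2; fi
  if [ "$2" -lt "$1" ]; then return 1; fi
  return 0
}

# usage: start_app UID CMD...
# Started as root: re-exec the command as APP_USER through gosu.
# Started as another user (docker run --user): exec the command directly.
start_app() {
  uid="$1"; shift
  if [ "$uid" -eq 0 ]; then set -- gosu "$APP_USER" "$@"; fi
  ${RUNNER:-exec} "$@"    # RUNNER=echo prints the command instead (dry run)
}

main() {
  port_allowed "$(port_floor)" "$PORT"
  case $? in
    1) echo "PORT=$PORT is privileged; listen on 3000 and publish with -p 80:3000" >&2; exit 64 ;;
    2) echo "PORT=$PORT is not a valid TCP port" >&2; exit 64 ;;
  esac
  start_app "$(id -u)" "$@"
}

# Only act when given a command, e.g. ENTRYPOINT ["/entrypoint.sh"] CMD ["node", "main.js"]
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Failing at startup with a clear message is easier to diagnose than a bind error from the app after privileges have already been dropped.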