3

Running a Docker container process as root inside the container is considered insecure. But I have some doubts that I need to clear:

  1. Is it still the same kind of insecure even if the container cannot mount the docker socket or any part of the root file system from the host?

  2. Is it still insecure in the same way if there is a one-to-one mapping of container to virtual machine? For example, if you are running just one container per VM?

  3. Is it still insecure if the container is not running as privileged?

  4. What's the difference between running as root and as privileged?

Apart from the above, is there some simple way to fake root? How can we map the user id 0 to be something like a bigger number 1001 on the host?

schroeder
Ijaz Ahmad
  • Yes, it's called user namespacing. See the answer to this question https://security.stackexchange.com/questions/176206/docker-runs-container-processes-as-root-should-i-be-worried – Daisetsu Oct 08 '18 at 21:51

1 Answer

4

Answering your questions:

  1. No, it is not the same. If you don't give a container access to the Docker socket, that means the container will not be able to create, check, delete or perform other actions on the host's Docker containers, that's all. But in the container the root user can still "break" its software.

  2. Running only one container per virtual machine means that if somebody hacks your container and escapes from it in some way, they will have access only to your VM. It could be a good practice, but excessive in my opinion. You can create containers on different networks to isolate them, although in this way, if they escape, they will have access to all containers.

  3. Running containers "not privileged" is more secure than running them as "privileged". That's obvious.

  4. Running a container as root means the processes in the container will have all the privileges in the container. Running a container as privileged means that the container will have all the privileges even on the host. This is usually done in some special cases... let's suppose you have a container that needs access to a physical wireless network interface on the host. It will certainly need to be launched as privileged, or the container will have no access to the device.

Hope it helps.

OscarAkaElvis
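The following is an added example, not code from the question, the comment or the answer. It reads the two `/proc` files that show, from inside a container, the distinctions discussed above: whether UID 0 is remapped by a user namespace and whether the process holds capabilities beyond Docker's default set. The `100000`/`65536` subordinate ID range and the `CapEff` sample values are constructed assumptions.

```python
"""Added example: tell root, remapped root and privileged apart from /proc data."""
import sys

DOCKER_DEFAULT_CAPS = 0xA80425FB  # CapEff of root under Docker's default capability set
CAP_SYS_ADMIN = 21                # bit number from <linux/capability.h>

# Constructed samples (not captured from a real host).
UID_MAP_NO_USERNS = "         0          0 4294967295\n"
UID_MAP_REMAPPED = "         0     100000      65536\n"   # assumed subuid range
STATUS_DEFAULT_ROOT = "Name:\tsh\nCapEff:\t00000000a80425fb\n"
STATUS_PRIVILEGED = "Name:\tsh\nCapEff:\t0000003fffffffff\n"

def parse_id_map(text):
    """Parse uid_map lines: <id inside ns> <id outside ns> <range length>."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]

def host_uid(id_map, container_uid):
    """Translate a UID inside the namespace to the UID in the parent namespace."""
    for inside, outside, length in id_map:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None  # UID has no mapping in this namespace

def effective_caps(status_text):
    """Return the CapEff bitmask from /proc/<pid>/status content."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def classify(uid_map_text, status_text):
    root_on_host = host_uid(parse_id_map(uid_map_text), 0)
    caps = effective_caps(status_text)
    return {
        "container_root_host_uid": root_on_host,
        "userns_remapped": root_on_host != 0,
        "has_cap_sys_admin": bool((caps >> CAP_SYS_ADMIN) & 1),
        "caps_beyond_docker_default": bool(caps & ~DOCKER_DEFAULT_CAPS),
    }

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":   # run inside a container
        print(classify(open("/proc/self/uid_map").read(),
                       open("/proc/self/status").read()))
    else:
        print(classify(UID_MAP_NO_USERNS, STATUS_DEFAULT_ROOT))
        print(classify(UID_MAP_REMAPPED, STATUS_DEFAULT_ROOT))
        print(classify(UID_MAP_NO_USERNS, STATUS_PRIVILEGED))
```

The capability check is only one indicator: it does not inspect device access, seccomp or AppArmor/SELinux confinement.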