9

After reading some articles I'm still not sure about what user I should use to run a docker container. Are there any security concerns when running a docker container as root user? Is it ok to run docker containers as root user OR should I use my normal user, add him to the "docker" group and then run my containers OR should I create an additional user only for managing/creating docker containers?

root@myDockerHost:/opt/myDockerContainer# docker-compose up -d

VS

chris@myDockerHost:/opt/myDockerContainer# docker-compose up -d

VS

dockerusr@myDockerHost:/opt/myDockerContainer# docker-compose up -d

(I'm talking about the users on my docker host - not the user inside a container!)

r00tusr

3 Answers

4

r00tusr!

I vote for always running containers as regular users.

In a production system your containers won't be run as root. Even in non-production systems, the users who run your container might not be allowed to run programs as root.

So I like to make them work properly as an unprivileged user, even when it's difficult.

Also, there's the security consideration. The general rule professional sysadmins follow is never to run something as root unless it really, really must. Once a program is running as root, it has full control of the computer and can do anything to that computer that it is told to do. Whether that be the good works the author intended or nefarious works by a ne'er-do-well who cracks into the author's program through a vulnerability that author didn't think to close.

Since we've finally learned that we really, truly cannot predict which programs have flaws, we just don't take chances anymore.

Thanks! Mike

Mike Diehn
2

It makes little difference. The docker-compose command connects to the docker.sock, aka docker's API, to run all container commands. By default, this API is only accessible to the root user on Linux, so you often see people running commands with sudo.

You can configure docker to allow non-root users to access this API; just be sure you trust these users with root access on your host, since the API gives that level of access. See this answer for details on how to give users this access. The dockerd daemon is typically configured to run as root; the user accessing this API makes little difference (there is a rootless mode, currently experimental).

The important detail is to run applications inside of your container as a non-root user. It's the equivalent of systemd running as root and launching a program as a non-root user. You configure this user in the Dockerfile, docker-compose.yml, or your docker run -u CLI.

The reason I say "little difference" is that a compose file can configure host mounts that have a relative path. If you run the docker-compose command as root or a different user, those host mounts may be a different path, and the files may be owned by a different UID that may or may not map to the UID of your application inside the container. Beyond that, I can't think of any difference between running docker-compose as a user or root.

BMitch
0

In addition to @BMitch's answer.

The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

The docker group grants privileges equivalent to the root user...

sudo groupadd docker;
sudo usermod -aG docker "$USER";

Source: https://docs.docker.com/engine/install/linux-postinstall [modified]


Related:
https://docs.docker.com/engine/security/#docker-daemon-attack-surface (Docker Daemon Attack Surface...)
https://docs.docker.com/engine/security/rootless (Run the Docker daemon as a non-root user (Rootless mode)...)

Faither
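
The answers above point out that access to docker.sock, whether direct or through the docker group, is equivalent to root on the host. As an added example (not part of the original answers or of Docker's documentation), this script lists which accounts hold that access; the function names and the sample group and passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: who can reach the Docker API socket, and so holds
# root-equivalent access on the host?

# Print accounts in group $1, reading group file $2 and passwd file $3.
# Includes supplementary members (field 4 of the group entry) and accounts
# whose primary GID is the group's GID, which the group file does not list.
group_accounts() {
    ga_gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$ga_gid" ] || return 0          # no such group: nothing to report
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v gid="$ga_gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# Classify a socket by owner group $1 and octal mode $2 (the two values
# printed by `stat -c '%G %a' /var/run/docker.sock`). Connecting to a Unix
# socket needs write permission on it, so only the write bits matter.
socket_exposure() {
    se_mode=$(( 0$2 ))                    # leading 0 makes the value octal
    if [ $(( se_mode & 2 )) -ne 0 ]; then
        echo "world"
    elif [ $(( se_mode & 16 )) -ne 0 ] && [ "$1" != "root" ]; then
        echo "group:$1"
    else
        echo "root-only"
    fi
}

# Constructed sample data (not from a real host): chris is a supplementary
# member of docker, dockerusr has docker as its primary group.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'docker:x:998:chris' 'chris:x:1000:' > "$d/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'chris:x:1000:1000::/home/chris:/bin/sh' \
        'dockerusr:x:1001:998::/home/dockerusr:/bin/sh' > "$d/passwd"
    echo "socket: $(socket_exposure docker 660)"
    group_accounts docker "$d/group" "$d/passwd"
    rm -rf "$d"
}

demo
```

On a real host, pass the group and mode reported by `stat` for the socket to `socket_exposure`, and `/etc/group` and `/etc/passwd` to `group_accounts`.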