Running a Docker Container as a Non-Root User

When you run an application inside a Docker container, its processes run as root (UID 0) inside the container by default. You might have noticed that when you open a bash shell in an Ubuntu Docker container, you are logged in as the root user. This can be a major security concern for your application. Any unauthorized access can compromise the entire container along with all the files and applications running inside it. Hence, it is important to perform operations as a non-root user wherever possible.

In this article, we will discuss two methods to run Docker containers as a non-root user to enhance security and follow the principle of least privilege.

Method 1: Adding a User to the Docker Group

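You can run Docker containers as a non-root host user by adding that user to the docker group. This allows the user to execute Docker commands without sudo. This changes who may talk to the Docker daemon on the host, not the user that processes run as inside the container. Membership in the docker group grants privileges equivalent to root on the host, so add only trusted users.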

Creating the Docker Group

First, create a Docker group using the following command −

sudo groupadd docker

If the Docker group already exists, you will see −

groupadd: group 'docker' already exists

Adding User to Docker Group

Add a non-root user to the Docker group −

sudo usermod -aG docker [non-root-user]

After adding the user, log out and log back in for the group membership to take effect. You can verify the group membership using −

groups $USER

Method 2: Using Dockerfile

A more robust solution is to specify user instructions directly in the Dockerfile. Docker allows you to create a user using the useradd command and then switch to that user using the USER instruction.

Example Dockerfile

# Pull the base image as Ubuntu
FROM ubuntu:latest

# Add a user with userid 8877 and name nonroot
RUN useradd -u 8877 nonroot

# Run Container as nonroot
USER nonroot

In the above Dockerfile −

  • useradd -u 8877 nonroot creates a user named "nonroot" with user ID 8877

  • USER nonroot switches the default user for subsequent instructions and container runtime

Building and Running the Container

Build the Docker image using the Dockerfile −

sudo docker build -t my-image .

Run the container with the non-root user −

sudo docker run -it my-image bash

Verify that you are logged in as a non-root user −

id

The output will show the user and group information for the "nonroot" user instead of root.
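
The Dockerfile method only helps if the final stage of the image actually ends on a non-root USER. The shell check below is an added example, not part of the original article; its function names and sample files are constructed for illustration, and it assumes that a user inherited from the base image counts as unset.

```shell
#!/bin/sh
# Added example: static check that a Dockerfile's final stage ends as non-root.

# Print the argument of the last USER instruction in the final build stage.
# Assumption: a USER inherited from the base image is unknown here, so each
# FROM resets the result to empty (Docker's default user is root).
effective_user() {
    awk 'toupper($1) == "FROM" { user = "" }
         toupper($1) == "USER" { user = $2 }
         END { print user }' "$1"
}

# Return 0 only when the USER value clearly names a non-root account.
# Handles name, uid, name:group and uid:gid forms.
is_nonroot() {
    u=${1%%:*}                      # drop the optional :group part
    case "$u" in
        ""|root|\$*) return 1 ;;    # unset, root, or an unresolved ${VAR}
        *[!0]*)      return 0 ;;    # anything that is not all zeros
        *)           return 1 ;;    # 0, 00, ... are treated as uid 0
    esac
}

# Report on one Dockerfile; the non-zero status makes it usable as a CI gate.
check_dockerfile() {
    user=$(effective_user "$1")
    if is_nonroot "$user"; then
        echo "OK: $1 runs as $user"
    else
        echo "FAIL: $1 runs as ${user:-root (no USER in final stage)}"
        return 1
    fi
}

# Constructed samples: the article's Dockerfile, then a variant whose second
# stage never switches away from root.
demo_dir=$(mktemp -d)
printf 'FROM ubuntu:latest\nRUN useradd -u 8877 nonroot\nUSER nonroot\n' \
    > "$demo_dir/Dockerfile.good"
printf 'FROM ubuntu:latest\nUSER nonroot\nFROM ubuntu:latest\nRUN id\n' \
    > "$demo_dir/Dockerfile.bad"
check_dockerfile "$demo_dir/Dockerfile.good"
check_dockerfile "$demo_dir/Dockerfile.bad" || true
```

The second sample fails because every FROM starts a new stage, so a USER set in an earlier stage does not carry into the final image.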

Security Best Practices

Running containers as non-root users provides several security benefits −

  • Reduced attack surface − Limits potential damage from container escapes

  • Principle of least privilege − Containers only get necessary permissions

  • Compliance − Meets security standards for production deployments

Comparison of Methods

Aspect      | Docker Group Method             | Dockerfile Method
Scope       | System-wide Docker access       | Container-specific user
Security    | Moderate (Docker daemon access) | High (isolated user)
Portability | Host-dependent                  | Image-embedded
Best For    | Development environments        | Production deployments

Conclusion

Running Docker containers as non-root users is a critical security practice that significantly reduces potential attack vectors. The Dockerfile method is generally preferred for production environments as it embeds security directly into the container image, ensuring consistent behavior across deployments.

Updated on: 2026-03-17T09:01:38+05:30
