When you run an application inside a Docker Container, by default it runs with full root privileges. You might have noticed that when you open a Bash shell in an Ubuntu Docker Container, you are logged in as the root user by default. This is a major security concern for the application: anyone who compromises the application can misuse these privileges to take over the entire Container, along with all the other files and applications running inside it. Hence, it is important to perform operations as a non root user wherever possible.
In this article, we will be discussing two methods to access the Docker Container as a Non Root User.
Method 1: Adding a User to the Docker Group
The first method is to add users to the docker group, so that they can run Docker Containers from their own (non root) account without invoking sudo. If there is no docker group on your machine, you can create one.
You can create a Docker Group using the following command.
sudo groupadd docker
If a docker group already exists on your machine, the output of the above command will be:
groupadd: group 'docker' already exists
After you have created the Docker Group, you can now add Non Root Users using the following command.
sudo usermod -aG docker [non-root user]
The new group membership only takes effect after the user logs out and logs back in; you can then verify it with the id command. Bear in mind that membership in the docker group is effectively root-equivalent on the host, because a member can start a Container that mounts any host directory. It controls who may run the docker command, not which user the process inside the Container runs as.
Method 2: Specifying the User in the Dockerfile
Another, simpler way to run a Docker Container as a Non Root User is to specify the instructions in the Dockerfile. You can add a user with the useradd command (using its -u flag to set the user ID) inside a RUN instruction, and then use the USER instruction to decide which user you want to be logged in as when the Docker Container starts.
Look at the Dockerfile below.
# Pull the base image as Ubuntu
FROM ubuntu:latest
# Add a user with user ID 8877 and name nonroot
RUN useradd -u 8877 nonroot
# Run the Container as nonroot
USER nonroot
In the above Dockerfile, Ubuntu is the base Docker Image pulled from the Docker registry. The useradd command with the -u flag, executed through the Docker RUN instruction, adds a user with the specified name and user ID. The USER instruction specifies which user is logged in when a Docker Container is started from the image.
To build the Docker Image using the above Dockerfile, you can use the following Docker Build command.
sudo docker build -t my-image .
Run the Docker Container associated with the Docker Image.
sudo docker run -it my-image bash
This opens a bash shell inside the Ubuntu Container. To verify that you are logged in as a non-root user, run the id command.
You will find that the Docker Container's user and group are now the Non-Root user that you specified in the Dockerfile.
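The weak point of Method 2 is that it silently fails if the USER instruction is forgotten, overridden later in the file, or set back to root. The following script is an added example (not part of the original article) that statically checks a Dockerfile for this: it reports the user named by the last USER instruction and flags files that would still run as root (no USER at all, USER root, or USER 0). The function names and the two sample Dockerfiles are constructed for the demonstration.

```shell
#!/bin/sh
# Static check for the USER instruction in a Dockerfile.
# Added example, not code from the original article.

# Print the user named by the last USER instruction in the given Dockerfile
# (empty output if there is none). Handles "USER name", "USER uid" and
# "USER name:group", ignores comments, blank lines and keyword case.
effective_user() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        toupper($1) == "USER" { u = $2 }
        END { print u }
    ' "$1"
}

# Return 0 (true) if a Container built from the Dockerfile would run as root,
# i.e. there is no USER instruction, or the last one is root / uid 0.
runs_as_root() {
    u=$(effective_user "$1")
    name=${u%%:*}            # drop an optional ":group" suffix
    case "$name" in
        ""|root|0) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample Dockerfiles: one that forgets USER, one that sets it.
tmp=$(mktemp -d)
cat > "$tmp/Dockerfile.root" <<'EOF'
FROM ubuntu:latest
RUN apt-get update
EOF
cat > "$tmp/Dockerfile.nonroot" <<'EOF'
FROM ubuntu:latest
RUN useradd -u 8877 nonroot
USER nonroot
EOF

for f in "$tmp"/Dockerfile.*; do
    if runs_as_root "$f"; then
        echo "WARNING: $f runs as root (last USER: '$(effective_user "$f")')"
    else
        echo "OK: $f runs as '$(effective_user "$f")'"
    fi
done
rm -r "$tmp"
```

Run it as a pre-build step, or point runs_as_root at any Dockerfile you are about to build. Because the check takes the last USER instruction, a Dockerfile that switches to a non root user and then back to root for a later step is correctly reported as running as root.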
The majority of Docker users either forget, or do not find it necessary, to change their user privileges and switch to a Non Root user. This is bad practice and always poses a threat once the application is deployed and made public. Not only does it endanger that particular application, but through the application an attacker can manipulate the entire filesystem of the Docker Container in which it runs, along with any other important applications deployed inside the same Docker Container.
In this article, we saw two different methods through which you can switch the current user to a non root user. The process discussed in Method 2 is better and more widely used, since almost all Docker applications already require a Dockerfile to build the Container image, and two simple additional statements are enough to make the switch.