Running the containers as non-root #198
Comments
@lucian29012018, what do you mean "run them as non-root"? You can designate a non-root user to be the one that executes commands in your container when you build it (using the "USER" directive), but until the 19.03 template comes out, the dockerd daemon must run as root since it interfaces directly with the kernel to ask for new namespaces. If you're talking about the CLI, you can always run that as a non-root user, as long as the user you're using has the permissions to talk to the Docker socket (/var/run/docker.sock by default). Typically people accomplish this by adding your user to the "docker" group.
Hi @paullj1, thanks for your suggestions. Just to clarify, these containers are set up to run as root. So once they are deployed and one has access to the respective machine, he/she can execute this command inside one of the containers to mount the entire file system and has access to it as root, as follows.
In my understanding this is a security issue and I want to prevent it if possible. My idea was to use a non-privileged user inside the container and not allowing switching to root. For this I would need to create new Docker images based on these ones. Has anyone tried to secure these containers? Any suggestion how to do so?
So you’re talking about two different things. Creating containers should only be allowed by an admin for the reason you just pointed out. Protecting that socket file is important. Once a user is inside the container, running as root isn’t as much of a problem (unless you mount the socket inside the container). Generally, a defense-in-depth strategy is adopted, and containers are built in such a way that the main process does not run as root, but that’s more of a precaution. All of that said, if you want to allow an untrusted user to create containers that do not allow them to take over the host, then there are ways you can do that. Sudo can allow users to run docker as root, but without the ability to map volumes or set the “privileged” flag. Another option you have is to (starting with 19.03) run the engine as a non-root user.
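As an added example (not part of the thread and not the project's own code), here is a small audit over `docker inspect` output that flags the conditions discussed in the comment above: a main process running as root, the privileged flag, and a bind mount of the Docker socket or of the host root. The sample JSON and container names are constructed; the field names follow `docker inspect` output.

```python
import json

# Constructed sample shaped like `docker inspect` output (not taken from the issue).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/d/_data", "Destination": "/data"}]},
 {"Name": "/agent", "Config": {"User": ""},
  "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]},
 {"Name": "/debug", "Config": {"User": "root"},
  "HostConfig": {"Privileged": true},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]}
]
""")

DOCKER_SOCKET = "/var/run/docker.sock"  # default socket path named in the thread


def runs_as_root(user):
    """Empty Config.User means neither the image (USER) nor the run command
    set a user, so the main process runs as UID 0."""
    uid = (user or "").split(":", 1)[0]
    return uid in ("", "0", "root")


def audit(containers):
    """Return {container name: [findings]} for containers with risky settings."""
    findings = {}
    for c in containers:
        issues = []
        if runs_as_root(c.get("Config", {}).get("User")):
            issues.append("main process runs as root")
        if c.get("HostConfig", {}).get("Privileged"):
            issues.append("privileged flag set")
        for m in c.get("Mounts") or []:
            if m.get("Type") != "bind":
                continue  # named volumes do not expose host paths directly
            if m.get("Source") == DOCKER_SOCKET:
                issues.append("docker socket mounted inside container")
            elif m.get("Source") == "/":
                issues.append("host root filesystem bind-mounted")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(issues))
```

On a real host the input would come from `docker inspect $(docker ps -q)`, run by an account allowed to talk to the socket.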
Thank you @paullj1, I'll take this into consideration.
I’m trying to secure these containers and I want to run them as non-root. Is that possible? Has anyone tried that? Is there any known issue?