Moreover, applications, databases, load balancers, etc. Docker needs to have enough permissions to modify the host filesystem to run otherwise, your container won't be initialized.īut containers don't need to be run as root user. Differences between root and non-root containersĪs is explained in the Docker security documentation, running containers and applications with Docker involves running the Docker daemon, and this requires root privileges. I will also show you an example of how Bitnami creates non-root containers by editing its Dockerfile to change its user permissions and environment variables. In this blog post, I will discuss root and non-root containers in more detail, exploring the difference between the two and the benefits and disadvantages of each. In our quest to continually deliver the latest, most up-to-date and secure applications, Bitnami produces and maintains a selection of non-root image containers - you can find them in our GitHub repository, tagged as "non-root". Doing so limits the processes that can be executed and who can execute them. And running a process in your container as root makes it possible to change the user id (UID) or group id (GID) when starting the container, which makes your application vulnerable.Ĭhanging the configuration of your containers to make them run as non-root adds an extra layer of security. Why? Because anyone who accesses your container running as root can start undesirable processes in it, such as injecting malicious code. This is really useful for development purposes, but can expose you to high risk once you put your containers into a production environment.
This allows for unrestricted container management, which means you can do things like install system packages, edit config files, bind privileged ports, etc.
As you probably already know, Docker containers typically run with root privileges by default.
0 kommentar(er)
