It's good practice to run processes within a container as a non-root user with restricted permissions. Even though containers are isolated from the host operating system, they do share the same kernel as the host. Also, processes within a container should be prevented from writing to where they shouldn't be allowed to as extra protection against exploitation.
Running a Docker process as a non-root user has been a Docker feature as of version 1.10. To run a Docker process as a non-root user, permissions need to be accounted for meticulously. This permission adjustment needs to be done when building a Dockerfile. You need to be aware of where in the filesystem your app might write to, and adjust the permissions accordingly. Since everything in a container is considered disposable, the container process really shouldn't be writing to too many locations once build.
Here is an annotated example of how you might create a Dockerfile where the process that runs within runs as a user with restricted permissions. This is just one example of how you can configure this.
Set your image an install a minimal set of OS dependencies as normal.
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y build-essential git \
python3-dev python3-venv \
libpq-dev postgresql-client && rm -rf /var/lib/apt/lists/*
Create a user and a group that the application will run as. In this example, we create an "app" user and group.
RUN groupadd -r app && \
useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app
Next, create a base directory (SITE_DIR in this case) owned by that app user and group, and set the WORKDIR to that base directory. This is where everything in the app will live, so everything will be owned by the app user.
ENV SITE_DIR=/site/
RUN install -g app -o app -d ${SITE_DIR}
WORKDIR $SITE_DIR
Create sub directories needed for the application, also owned by the app user and group.
RUN install -g app -o app -d proj/ var/log/ htdocs/
The group sticky bit needs to be added to every directory in the base directory, so new files and directories will inherit the user and group of their parent directory.
RUN find ${SITE_DIR} -type d -exec chmod g+s {} \;
The group write permission should be set on every file and directory in the base directory.
RUN chmod -R g+w ${SITE_DIR}
Next, switch to the app user created, and subsequent commands will run as that user. We can create a virtualenv and install a packages into that virtualenv. These installed packages will be owned by that app user.
USER app
RUN python3 -m venv env/
COPY requirements/base.txt requirements.txt
RUN env/bin/pip install -r requirements.txt
Then proceed with the rest of the Dockerfile install instructions as needed.
...
CMD ["./docker-utils/run.sh"]
ENTRYPOINT ["./docker-utils/entrypoint.sh"]
When running the container with Docker or docker-compose, the process executed as ENTRYPOINT and CMD will run as the user that you specified.
However, if you'd like to override the "USER" Dockerfile directive when running the container, you can pass in the --user parameter and provide a different username.
Examples:
To override the default user when using docker-compose:
docker-compose run --user root app /bin/bash
To override the default user when using Docker:
docker run --user root -it 47b03692214d /bin/bash
Running a Docker process as a non-root user has been a Docker feature as of version 1.10. To run a Docker process as a non-root user, permissions need to be accounted for meticulously. This permission adjustment needs to be done when building a Dockerfile. You need to be aware of where in the filesystem your app might write to, and adjust the permissions accordingly. Since everything in a container is considered disposable, the container process really shouldn't be writing to too many locations once build.
Here is an annotated example of how you might create a Dockerfile where the process that runs within runs as a user with restricted permissions. This is just one example of how you can configure this.
Set your image an install a minimal set of OS dependencies as normal.
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y build-essential git \
python3-dev python3-venv \
libpq-dev postgresql-client && rm -rf /var/lib/apt/lists/*
Create a user and a group that the application will run as. In this example, we create an "app" user and group.
RUN groupadd -r app && \
useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app
Next, create a base directory (SITE_DIR in this case) owned by that app user and group, and set the WORKDIR to that base directory. This is where everything in the app will live, so everything will be owned by the app user.
RUN install -g app -o app -d ${SITE_DIR}
WORKDIR $SITE_DIR
Create sub directories needed for the application, also owned by the app user and group.
RUN install -g app -o app -d proj/ var/log/ htdocs/
The group sticky bit needs to be added to every directory in the base directory, so new files and directories will inherit the user and group of their parent directory.
RUN find ${SITE_DIR} -type d -exec chmod g+s {} \;
The group write permission should be set on every file and directory in the base directory.
RUN chmod -R g+w ${SITE_DIR}
Next, switch to the app user created, and subsequent commands will run as that user. We can create a virtualenv and install a packages into that virtualenv. These installed packages will be owned by that app user.
USER app
RUN python3 -m venv env/
COPY requirements/base.txt requirements.txt
RUN env/bin/pip install -r requirements.txt
Then proceed with the rest of the Dockerfile install instructions as needed.
...
CMD ["./docker-utils/run.sh"]
ENTRYPOINT ["./docker-utils/entrypoint.sh"]
When running the container with Docker or docker-compose, the process executed as ENTRYPOINT and CMD will run as the user that you specified.
Examples:
To override the default user when using docker-compose:
docker-compose run --user root app /bin/bash
To override the default user when using Docker:
docker run --user root -it 47b03692214d /bin/bash
Comments
Post a Comment