Skip to main content

Docker: Run as non root user

It's good practice to run processes within a container as a non-root user with restricted permissions.  Even though containers are isolated from the host operating system, they do share the same kernel as the host. Also, processes within a container should be prevented from writing to where they shouldn't be allowed to as extra protection against exploitation.

Running a Docker process as a non-root user has been a Docker feature as of version 1.10. To run a Docker process as a non-root user, permissions need to be accounted for meticulously.  This permission adjustment needs to be done when building a Dockerfile. You need to be aware of where in the filesystem your app might write to, and adjust the permissions accordingly.  Since everything in a container is considered disposable, the container process really shouldn't be writing to too many locations once build.

Here is an annotated example of how you might create a Dockerfile where the process that runs within runs as a user with restricted permissions.  This is just one example of how you can configure this.

Set your image an install a minimal set of OS dependencies as normal.

FROM ubuntu:16.04

RUN apt-get update && apt-get install -y build-essential git \
    python3-dev python3-venv \
    libpq-dev postgresql-client && rm -rf /var/lib/apt/lists/*

Create a user and a group that the application will run as. In this example, we create an "app" user and group.

RUN groupadd -r app && \
    useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app

Next, create a base directory (SITE_DIR in this case) owned by that app user and group, and set the WORKDIR to that base directory.  This is where everything in the app will live, so everything will be owned by the app user. 


RUN install -g app -o app -d ${SITE_DIR}


Create sub directories needed for the application, also owned by the app user and group.

RUN install -g app -o app -d proj/ var/log/ htdocs/

The group sticky bit needs to be added to every directory in the base directory, so new files and directories will inherit the user and group of their parent directory.

RUN find ${SITE_DIR} -type d -exec chmod g+s {} \;

The group write permission should be set on every file and directory in the base directory.

RUN chmod -R g+w ${SITE_DIR}

Next, switch to the app user created, and subsequent commands will run as that user. We can create a virtualenv and install a packages into that virtualenv.  These installed packages will be owned by that app user.

USER app

RUN python3 -m venv env/
COPY requirements/base.txt requirements.txt

RUN env/bin/pip install -r requirements.txt

Then proceed with the rest of the Dockerfile install instructions as needed.

CMD ["./docker-utils/"]
ENTRYPOINT ["./docker-utils/"]

When running the container with Docker or docker-compose, the process executed as ENTRYPOINT and CMD will run as the user that you specified.

However, if you'd like to override the "USER" Dockerfile directive when running the container, you can pass in the --user parameter and provide a different username.


    To override the default user when using docker-compose:
    docker-compose run --user root app  /bin/bash

    To override the default user when using Docker:

    docker run --user root -it 47b03692214d /bin/bash


Popular posts from this blog

Django Docker and Celery

I've finally had the time to create a Django+Celery project that can be completely run using Docker and Docker Compose. I'd like to share some of the steps that helped me achieve this. I've created an example project that I've used to demo this process. The example project can be viewed here on Github.

To run this example, you will need to have a recent version of Docker and Docker Compose installed. I'm using Docker 17.03.1 and Docker Compose 1.11.2.

Let's take a look at one of the core files, the docker-compose.yml.   You'll notice that I have defined the following services:
db - the service running the Postgres database container, needed for the Django apprabbitmq - service running the RabbitMQ container, needed for queuing jobs submitted by Celeryapp - the service containing Django app containerworker - the service that runs the Celery worker containerweb - the service that runs the Nginx con…

Django Admin Override Save for Model

Sometimes it's nice to be able to add custom code to the save method of objects in the Django Admin.  So, when editing an object on the Admin object detail page (change form), adding the following method override to your ModelAdmin in will allow you to add custom code to the save function.

class MyModelAdmin(admin.ModelAdmin): def save_model(self, request, obj, form, change): # custom stuff here
This is documented in the Django Docs, but I found it particularly useful.

Django: Using Caching to Track Online Users

Recently I wanted a simple solution to track whether a user is online on a given Django site.  The definition of "online" on a site is kind of ambiguous, so I'll define that a user is considered to be online if they have made any request to the site in the last five minutes.

I found that one approach is to use Django's caching framework to track when a user last accessed the site.  For example, upon each request, I can have a middleware set the current time as a cache value associated with a given user.  This allows us to store some basic information about logged-in user's online state without having to hit the database on each request and easily retrieve it by accessing the cache.

My approach below.  Comments welcome.

# add the middleware that you are about to create to settings MIDDLEWARE_CLASSES = ( .... 'middleware.activeuser_middleware.ActiveUserMiddleware', .... ) # Setup caching per Django docs. In actuality, you'd p…