Running a Docker process as a non-root user has been a Docker feature as of version 1.10. To run a Docker process as a non-root user, permissions need to be accounted for meticulously. This permission adjustment needs to be done when building a Dockerfile. You need to be aware of where in the filesystem your app might write to, and adjust the permissions accordingly. Since everything in a container is considered disposable, the container process really shouldn't be writing to too many locations once build.
Here is an annotated example of how you might create a Dockerfile where the process that runs within runs as a user with restricted permissions. This is just one example of how you can configure this.
Set your image an install a minimal set of OS dependencies as normal.
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y build-essential git \
python3-dev python3-venv \
libpq-dev postgresql-client && rm -rf /var/lib/apt/lists/*
Create a user and a group that the application will run as. In this example, we create an "app" user and group.
RUN groupadd -r app && \
useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app
Next, create a base directory (SITE_DIR in this case) owned by that app user and group, and set the WORKDIR to that base directory. This is where everything in the app will live, so everything will be owned by the app user.
RUN install -g app -o app -d ${SITE_DIR}
WORKDIR $SITE_DIR
Create sub directories needed for the application, also owned by the app user and group.
RUN install -g app -o app -d proj/ var/log/ htdocs/
The group sticky bit needs to be added to every directory in the base directory, so new files and directories will inherit the user and group of their parent directory.
RUN find ${SITE_DIR} -type d -exec chmod g+s {} \;
The group write permission should be set on every file and directory in the base directory.
RUN chmod -R g+w ${SITE_DIR}
Next, switch to the app user created, and subsequent commands will run as that user. We can create a virtualenv and install a packages into that virtualenv. These installed packages will be owned by that app user.
USER app
RUN python3 -m venv env/
COPY requirements/base.txt requirements.txt
RUN env/bin/pip install -r requirements.txt
Then proceed with the rest of the Dockerfile install instructions as needed.
...
CMD ["./docker-utils/run.sh"]
ENTRYPOINT ["./docker-utils/entrypoint.sh"]
When running the container with Docker or docker-compose, the process executed as ENTRYPOINT and CMD will run as the user that you specified.
Examples:
To override the default user when using docker-compose:
docker-compose run --user root app /bin/bash
To override the default user when using Docker:
docker run --user root -it 47b03692214d /bin/bash
No comments:
Post a Comment