Skip to main content

Docker: Run as non root user

It's good practice to run processes within a container as a non-root user with restricted permissions.  Even though containers are isolated from the host operating system, they do share the same kernel as the host. Also, processes within a container should be prevented from writing to where they shouldn't be allowed to as extra protection against exploitation.

Running a Docker process as a non-root user has been a Docker feature as of version 1.10. To run a Docker process as a non-root user, permissions need to be accounted for meticulously.  This permission adjustment needs to be done when building a Dockerfile. You need to be aware of where in the filesystem your app might write to, and adjust the permissions accordingly.  Since everything in a container is considered disposable, the container process really shouldn't be writing to too many locations once build.

Here is an annotated example of how you might create a Dockerfile where the process that runs within runs as a user with restricted permissions.  This is just one example of how you can configure this.

Set your image an install a minimal set of OS dependencies as normal.

FROM ubuntu:16.04

RUN apt-get update && apt-get install -y build-essential git \
    python3-dev python3-venv \
    libpq-dev postgresql-client && rm -rf /var/lib/apt/lists/*

Create a user and a group that the application will run as. In this example, we create an "app" user and group.

RUN groupadd -r app && \
    useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app

Next, create a base directory (SITE_DIR in this case) owned by that app user and group, and set the WORKDIR to that base directory.  This is where everything in the app will live, so everything will be owned by the app user. 

ENV SITE_DIR=/site/

RUN install -g app -o app -d ${SITE_DIR}

WORKDIR $SITE_DIR

Create sub directories needed for the application, also owned by the app user and group.

RUN install -g app -o app -d proj/ var/log/ htdocs/

The group sticky bit needs to be added to every directory in the base directory, so new files and directories will inherit the user and group of their parent directory.

RUN find ${SITE_DIR} -type d -exec chmod g+s {} \;

The group write permission should be set on every file and directory in the base directory.

RUN chmod -R g+w ${SITE_DIR}

Next, switch to the app user created, and subsequent commands will run as that user. We can create a virtualenv and install a packages into that virtualenv.  These installed packages will be owned by that app user.

USER app

RUN python3 -m venv env/
COPY requirements/base.txt requirements.txt


RUN env/bin/pip install -r requirements.txt


Then proceed with the rest of the Dockerfile install instructions as needed.

...
CMD ["./docker-utils/run.sh"]
ENTRYPOINT ["./docker-utils/entrypoint.sh"]

When running the container with Docker or docker-compose, the process executed as ENTRYPOINT and CMD will run as the user that you specified.


However, if you'd like to override the "USER" Dockerfile directive when running the container, you can pass in the --user parameter and provide a different username.

Examples:

    To override the default user when using docker-compose:
   
    docker-compose run --user root app  /bin/bash

    To override the default user when using Docker:

    docker run --user root -it 47b03692214d /bin/bash


Comments

Post a Comment

Popular posts from this blog

Django: Using Caching to Track Online Users

Recently I wanted a simple solution to track whether a user is online on a given Django site.  The definition of "online" on a site is kind of ambiguous, so I'll define that a user is considered to be online if they have made any request to the site in the last five minutes. I found that one approach is to use Django's caching framework to track when a user last accessed the site.  For example, upon each request, I can have a middleware set the current time as a cache value associated with a given user.  This allows us to store some basic information about logged-in user's online state without having to hit the database on each request and easily retrieve it by accessing the cache. My approach below.  Comments welcome. In settings.py: # add the middleware that you are about to create to settings MIDDLEWARE_CLASSES = ( .... 'middleware.activeuser_middleware.ActiveUserMiddleware' , .... ) # Setup caching per Django docs. In actuality, you

Automatic Maintenance Page for Nginx+Django app

If you've used Django with Nginx, you are probably familiar with how to configure the Nginx process group to reverse proxy to a second Gunicorn or uWSGI Django process group.  (The proxy_pass Nginx parameter passes traffic through Nginx to Django.) One benefit of this approach is that if your Django process crashes or if you are preforming an upgrade and take Django offline, Nginx can still be available to serve static content and offer some sort of "the system is down" message to users.  With just a few lines of configuration, Nginx can be set to automatically display a splash page in the above scenarios. If the Django process running behind the reverse proxy becomes unavailable, a 502 error will be emitted by Nginx.  By default, that 502 will be returned to the browser as an ugly error message.  However, Nginx can be configured to catch that 502 error and respond with custom behavior.  Specifically, if a 502 is raised by Nginx, Nginx can check for a custom html erro