{"id":478,"date":"2024-10-07T14:47:41","date_gmt":"2024-10-07T14:47:41","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=478"},"modified":"2024-10-07T14:47:41","modified_gmt":"2024-10-07T14:47:41","slug":"run-docker-containers-as-non-root-user","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=478","title":{"rendered":"How to Run Docker Containers as Non-Root User?"},"content":{"rendered":"

In this blog, I have explained detailed steps to run Docker<\/a> containers as non-root user by creating a custom user in the Dockerfile.<\/p>

What is a Non-Root User?<\/h2>

A non-root user is a standard user with limited permissions on system resources. They have no privileges other than the permissions given to them.<\/p>

For example, unlike a root user, a non-root user cannot create, modify, or delete files and folders in another user’s home directory once they have permission on their home directory.<\/p>

By default, the non-root users cannot use sudo<\/code> , but can be configured to use sudo<\/code> for specific commands.<\/p>

Running Applications with Non-Root User<\/h2>

Before we look at the hands-on example, let’s understand the requirements and configurations for running applications inside the container using a non-root user.<\/p>

When we say applications, it could be Java, Node.js, Ruby, Python, etc<\/p>

One key thing to remember is the non-root user should have access to the application code <\/strong>and related files. It is similar to running an application as a non-root user in a Linux system.<\/p>

For example, let’s say you want to run a Java application in a Docker container and the Java application code and related configurations will be placed in the \/app<\/code> directory.<\/p>

In this case, the non-root user you create should have the necessary read\/write permissions to the app<\/strong> directly.<\/p>

The non-root user will not have any other privileged access to system-related files unless you specifically add permissions.<\/p>

Now that we understand the basics, let’s look at a practical hands-on example of creating a Docker image with a non-root user.<\/p>

Create a Docker Image with a Non-Root User<\/h2>

To demonstrate non-root users, we will create a Nginx Docker image<\/a> from scratch.<\/p>

We will create a Dockerfile <\/a>with a custom non-root user and add the necessary permissions for that user to run the Nginx service in the container.<\/p>

Create a Dockerfile<\/code> and copy the below Dockerfile content<\/p>

FROM nginx:alpine\n\nRUN addgroup -g 1001 -S nginxgroup && adduser -u 1001 -S -G nginxgroup nginxuser\n\nRUN mkdir -p \/var\/run\/nginx \/var\/cache\/nginx\/client_temp \/var\/cache\/nginx\/proxy_temp \/var\/cache\/nginx\/fastcgi_temp \/var\/cache\/nginx\/scgi_temp \/var\/cache\/nginx\/uwsgi_temp \\\n    && chown -R nginxuser:nginxgroup \/run \/var\/cache\/nginx \/var\/run\/nginx \/var\/log\/nginx \/etc\/nginx \/usr\/share\/nginx\/html\n\nRUN sed -i 's\/listen       80;\/listen       8080;\/g' \/etc\/nginx\/conf.d\/default.conf\nRUN sed -i 's\/\\\/var\\\/run\\\/nginx.pid\/\\\/var\\\/run\\\/nginx\\\/nginx.pid\/g' \/etc\/nginx\/nginx.conf\n\nUSER nginxuser\n\nEXPOSE 8080\n\nCMD [\"nginx\", \"-g\", \"daemon off;\"]<\/code><\/pre>
Let’s understand this Dockerfile and the key configurations involved in creating a non-root user.<\/p>\n\n
    \n
  1. This Dockerfile uses nginx<\/strong> as the base image.<\/li>\n\n\n
  2. It creates a group nginxgroup<\/code> with GID 1001<\/code><\/strong> and a user nginxuser<\/code> with UID 1001<\/code><\/strong> and give the non-root user ownership of Nginx directories. Creating user and group with IDs is particularly useful when you run this image on Kubernetes<\/a>. By explicitly setting the UID and GID in the Docker image, you can align these IDs with the securityContext<\/strong><\/code> settings in Kubernetes.<\/li>\n\n\n
  3. Then, it creates the required temporary directories for Nginx and assigns them to the non-root user so that Nginx can write its data on the required directories.<\/li>\n\n\n
  4. For example, the \/var\/cache\/nginx\/client_temp<\/code><\/strong> directory stores<\/span> temporary HTTP request data sent and received by Nginx. \/var\/run\/nginx<\/code> <\/strong>will hold the PID created by Nignx during its startup (explained in step 6) .<\/li>\n\n\n
  5. The SED command changes Nginx to listen on port 8080<\/code><\/strong> because the ports below 1024<\/code><\/strong> are privileged ports<\/strong>, which means only users with root permission can use them by default. <\/li>\n\n\n
  6. During startup, Nginx writes its PID to \/var\/run<\/strong> <\/code>directory by default. The second SED command chan<\/span>ges the PID file location to \/var\/run\/nginx<\/code><\/strong> because the non-root user has no permission on the\/var\/run<\/code><\/strong> directory. By creating and changing \/var\/run\/nginx<\/code><\/strong> directory permission to a non-root user, Nginx can save the PID file in it.<\/li>\n\n\n
  7. Then, it switches the user to a non-root user nginxuser<\/strong><\/code> because if we don’t switch to the non-user, it will run as a root user by default.<\/li>\n\n\n
  8. And it exposes port 8080<\/strong><\/code> for external access.<\/li>\n\n\n
  9. Finally, the CMD<\/code> command tells Docker to start Nginx in the foreground. It daemon off<\/code> keeps Nginx running and makes sure it doesn\u2019t go into the background, which would cause the container to stop.<\/li>\n<\/ol>\n\n
    Now, use the following command to build the Docker image.<\/p>
    docker build -t nginx-non-root:1.0.0 .<\/code><\/pre>
    Note:<\/strong> Assigning a specific ID to user and group is typically helpful if you want to run this container in Kubernetes as non root user using securityContext<\/code><\/strong>.

    Also, there are ways like setcap to make use of privileged<\/strong> ports by non-root users by assigning the CAP_NET_BIND_SERVICE<\/code> capability to an executable, but it is not recomended due to security concerns.<\/blockquote>
    Run Docker Container as non-root User<\/h2>
    Now that the image is built, we will run the container and test it to see if it is running as a non-user user.<\/p>
    Use the below command to run the Docker image in a container.<\/p>
    docker run -d -p 8080:8080 nginx-non-root:1.0.0<\/code><\/pre>
    Run the following command to check if the container is running<\/p>
    docker ps<\/code><\/pre>
    If your container is running, check the current user using the docker inspect<\/code><\/strong> command<\/p>
    docker inspect -f '{{.Config.User}}' f5510bccfd39<\/code><\/pre>
    Replace f5510bccfd39<\/code> with your Docker container ID.<\/p>
    This command will show you the current user of the container<\/p>
    \"checking<\/figure>
    Or you can also use the exec<\/code><\/strong> command to access the shell of the container<\/p>
    docker exec -it f5510bccfd39<\/code><\/pre>
    Then use the whoami<\/code><\/strong> command to check the current user as shown below<\/p>
    \"checking<\/figure>
    You can see the container is running as a non-root user nginxuser<\/code><\/strong><\/p>
    Now, If you want to run the non-root container as a root user<\/strong>, run the following command<\/p>
    For this, we will run the Docker image in a container in interactive mode<\/p>
    docker run -u 0 -it nginx-non-root:1.0.0 \/bin\/sh<\/code><\/pre>
    The -u 0<\/code><\/strong> option tells the container to run as the root user, 0<\/code> is the UID of the root user<\/strong>.<\/p>
    \"checking<\/figure>
    UID 0<\/strong> (User ID 0) is reserved for the root user<\/strong>, who is the superuser or administrator with full access to all commands and files on the system<\/blockquote>
    Conclusion<\/h2>
    In this blog, you have learned about non-root user and how to create a non-root user for an application.<\/p>
    This is particularly useful when using these image to run a Kubernetes pod<\/a>.<\/p>
    If you are using Kunernetes and you wan to run Pods as non root users, you can specify the user used in the Dockerfile under securityContext<\/code><\/strong> runAsUser<\/code><\/strong> parameter.<\/p>
    We have published a detailed guide on running Kubernetes Pods as Non-Root User.<\/a><\/p>\n
    Ngu\u1ed3n:<\/strong> How to Run Docker Containers as Non-Root User? \u2014 DevOpsCube<\/a><\/p>","protected":false},"excerpt":{"rendered":"
    Source: https:\/\/devopscube.com\/run-docker-containers-as-non-root-user\/<\/p>\n","protected":false},"author":1,"featured_media":479,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-478","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=478"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/478\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/479"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}