Non-root containers

As mentioned previously, Docker containers run with root privilege by default, and so does the application that runs inside the container. This is another major concern from the security perspective because hackers can gain root access to the Docker host by hacking the application running inside the container. Docker provides a simple yet powerful solution: change the container's privilege to a non-root user and thus thwart malicious root access to the Docker host. This change to the non-root user can be accomplished using the -u or --user option of the docker run subcommand or the USER instruction in the Dockerfile.

In this section, we will first show the default root privilege of the Docker container and then change it to a non-root user using the USER instruction in the Dockerfile.

First, demonstrate the default root privilege of the Docker container by running a simple id command in a docker run subcommand, as shown here:

$ sudo docker run --rm ubuntu:16.04 id
uid=0(root) gid=0(root) groups=0(root)

Now, let us perform the following steps:

  1. Craft a Dockerfile that creates a non-root user and changes the default root user to the newly created non-root user, as shown here:

      ###########################################
      # Dockerfile to change from root to
      # non-root privilege
      ###########################################
      # Base image is Ubuntu
      FROM ubuntu:16.04
      # Add a new user "peter" with user id 7373
      RUN useradd -u 7373 peter
      # Change to non-root privilege
      USER peter

  2. Proceed to build the Docker image using the docker build subcommand, as depicted here:

      $ sudo docker build -t nonrootimage .

  3. Finally, let's verify the current user of our container using the id command in a docker run subcommand:

      $ sudo docker run --rm nonrootimage id
      uid=7373(peter) gid=7373(peter) groups=7373(peter)

Evidently, the container's user, group, and groups are now those of a non-root user.

Modifying the default root privilege to a non-root privilege is a very effective way of containing malevolent penetration into the Docker host kernel.
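The same verification can be done before an image is built by reading the Dockerfile itself. The following script is an added example, not part of the original text: it reports the user that the final stage of a Dockerfile will run as. The function names and the sample files are hypothetical, and it assumes that a stage without a USER instruction runs as root.

```shell
#!/bin/sh
# Added example, not from the original text.
# Assumptions: a stage with no USER runs as root, and every FROM resets the
# user to root. Both err toward reporting "root"; a USER baked into the base
# image cannot be seen from the Dockerfile.

# effective_user FILE: print the last USER of the final stage, else "root".
effective_user() {
    awk '
        cont { if ($0 !~ /^[ \t]*#/) cont = ($0 ~ /\\[ \t]*$/); next }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            instr = toupper($1)                  # instructions are case-insensitive
            if (instr == "FROM") user = "root"
            else if (instr == "USER" && NF >= 2) user = $2
            cont = ($0 ~ /\\[ \t]*$/)            # line continues with a backslash
        }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# classify_user VALUE: print root, non-root or unresolved for a USER value.
classify_user() {
    u=${1%%:*}                                   # drop an optional :group part
    case "$u" in
        ''|*'$'*)    echo unresolved ;;          # ARG/ENV substitution, unknown here
        root)        echo root ;;
        *[!0-9]*)    echo non-root ;;            # any other user name
        *)           if [ "$u" -eq 0 ]; then echo root; else echo non-root; fi ;;
    esac
}

# check_dockerfile FILE: print a verdict; succeed only for a non-root user.
check_dockerfile() {
    user=$(effective_user "$1")
    verdict=$(classify_user "$user")
    echo "$1: USER=$user ($verdict)"
    [ "$verdict" = non-root ]
}

# Constructed samples: the Dockerfile from the steps above, and a two-stage
# file that sets USER only in the build stage.
SAMPLES=$(mktemp -d)
printf 'FROM ubuntu:16.04\nRUN useradd -u 7373 peter\nUSER peter\n' > "$SAMPLES/nonroot"
printf 'FROM ubuntu:16.04 AS build\nUSER peter\nFROM ubuntu:16.04\n' > "$SAMPLES/staged"
for f in "$SAMPLES/nonroot" "$SAMPLES/staged"; do
    check_dockerfile "$f" || echo "  -> add a non-root USER to the final stage"
done
```

The second sample is reported as root because only the last stage of a multi-stage build ends up in the image, so a USER set in an earlier stage does not protect it.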

So far, we have discussed the unique security-related kernel characteristics and capabilities. Most of the security holes can be closed by understanding and applying those kernel capabilities. Security experts, having considered the fast and widespread adoption of containerization in production environments, have brought forth a few additional security solutions, which are described in detail in the following sections. Developers as well as system administrators need to give these security methods the utmost importance while developing, deploying, and delivering enterprise-class containers in order to nullify any kind of inside or outside security attack.
