USER
Now that you've gotten a sense of software provenance in Dockerfiles, let's take a look at the USER instruction in Dockerfiles.
By default, containers run as root. Unless user namespaces remap it, UID 0 inside the container is UID 0 on the host kernel, so a root process that escapes the container, or that can reach a bind-mounted host path, has full control of the host. As container technology matures, more secure defaults may become available. For now, requiring root is dangerous for everyone who runs your image, and it may not even be permitted in all environments (rootless and restricted runtimes can refuse images that need root). Your image should use the USER instruction to specify a non-root user for containers to run as. If your software does not create its own user, you can create a user and group in the Dockerfile.
The default user in a Dockerfile is the user of the parent image. For example, if your image is derived from an image that sets a non-root user such as swuser, then the RUN commands in your Dockerfile will run as swuser.
If you need root for some steps, switch to root with USER root near the beginning of your Dockerfile, do the privileged work, then switch back to the correct user with another USER instruction. The USER in effect at the end of the Dockerfile is the one the container starts as. In the example below the USER root line is redundant, because fedora:29 already defaults to root; it matters when the parent image has set a non-root user.
FROM fedora:29
RUN groupadd -r swuser -g 433 && \
useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser
USER root
RUN dnf install -y vim
USER swuser
USER root: switch to the root user to perform actions that need elevated permissions, such as installing software via yum/dnf.
USER swuser: then switch back to the lower-privileged user that the container will run as.
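Because the last USER of the last stage decides what the container runs as, it is worth checking that from the Dockerfile before building. The script below is an added example and is not part of the workshop or of buildah/podman: it parses a Dockerfile with awk, tracks the effective user across stages (every FROM resets it to the parent image's default, which the script assumes is root unless told otherwise), and fails when the final stage would run as root. The sample Dockerfiles it writes to a temporary directory are constructed for the demo; the file names and the helper functions are ours.

```shell
#!/bin/sh
# Added example, not part of the workshop: a pre-build check that answers
# "which user will the final image run as?" from the Dockerfile alone.
# Assumption: a stage with no USER instruction runs as the parent image's
# default user, which this script takes to be root unless told otherwise.

# Print the effective USER of the last build stage in FILE ($1).
# Optional second argument: the parent image's default user (default: root).
dockerfile_final_user() {
    awk -v base="${2:-root}" '
        BEGIN { user = base; buf = "" }
        { sub(/\r$/, "") }                      # tolerate CRLF files
        /^[[:space:]]*#/ { next }               # comments and parser directives
        { buf = buf $0 }
        /\\[[:space:]]*$/ {                     # line continuation: keep reading
            sub(/\\[[:space:]]*$/, "", buf); next
        }
        {
            gsub(/^[[:space:]]+/, "", buf)
            n = split(buf, f, /[[:space:]]+/)
            instr = toupper(f[1])
            if (instr == "FROM") user = base    # every stage starts over
            else if (instr == "USER" && n >= 2) user = f[2]
            buf = ""
        }
        END { print user }
    ' "$1"
}

# Succeed (exit 0) when a USER value means root. Only the user part before
# any ":group" is examined. UID 0 and the name "root" are root; an unresolved
# build argument such as $APP_USER is treated as root so the check fails
# closed. Any other name is assumed non-root, which holds only if the image's
# /etc/passwd does not map a second name to UID 0.
is_root_user() {
    case "${1%%:*}" in
        root|0|'') return 0 ;;
        \$*)       return 0 ;;
        *)         return 1 ;;
    esac
}

# Report on one Dockerfile; return 1 if the final stage would run as root.
check_dockerfile() {
    u=$(dockerfile_final_user "$1")
    if is_root_user "$u"; then
        echo "FAIL $1: final stage runs as '$u'"
        return 1
    fi
    echo "ok   $1: final stage runs as '$u'"
}

# Check every Dockerfile.* in a directory; return 1 if any one runs as root.
check_all() {
    rc=0
    for f in "$1"/Dockerfile.*; do
        check_dockerfile "$f" || rc=1
    done
    return $rc
}

# Constructed sample Dockerfiles (not real project files) to exercise the check.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Dockerfile.workshop" <<'EOF'
FROM fedora:29
RUN groupadd -r swuser -g 433 && \
    useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser
USER root
RUN dnf install -y vim
USER swuser
EOF
cat > "$demo_dir/Dockerfile.multistage" <<'EOF'
# USER in the builder stage does not carry over to the final stage
FROM fedora:29 AS builder
USER swuser
RUN echo building
FROM fedora:29
COPY --from=builder /src /app
EOF
cat > "$demo_dir/Dockerfile.uid" <<'EOF'
FROM fedora:29
USER 431:433
EOF

check_all "$demo_dir" || echo "at least one Dockerfile still runs as root"
```

Running it reports the workshop Dockerfile as swuser, the numeric form as 431:433, and flags the multi-stage file, whose USER swuser lives only in the builder stage, as root. Pass the parent image's known default user as the second argument of dockerfile_final_user when the base image is not fedora:29.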
Now we can test this out by building the Dockerfile above:
mkdir ~/user-test
cd ~/user-test
vim Dockerfile
Copy the Dockerfile above. Press i for Insert, paste it with control + v, then press esc and write the file with :wq.
When building the image, the build time is similar to before (approximately 3 minutes):
sudo buildah bud -t user-test:1
Run the image and check which user the container is running as. What do you see? The final USER instruction was swuser, so that is the name whoami should print; id -u would show the numeric UID 431 set by useradd.
sudo podman run --rm -it user-test:1 whoami
For more information on containers and which user to run as, here are a few good articles:
Why we don’t let non-root users run Docker in CentOS, Fedora, or RHEL
Guidance for Docker Image Authors