Exercise 1.2 - Docker `USER`


Now that you've gotten a sense of software provenance in Dockerfiles, let's take a look at the USER instruction in Dockerfiles.

By default, Docker containers run as root. A container running as root has full control of the host system. As Docker matures, more secure default options may become available; for now, requiring root is dangerous for others and may not be allowed in all environments. Your image should use the USER instruction to specify a non-root user for containers to run as. If your software does not create its own user, you can create a user and group in the Dockerfile.

User in Dockerfiles

Step 1:

Reusing an Image with a Non-root User

The default user in a Dockerfile is the user of the parent image. For example, if your image is derived from an image that uses a non-root user (say, swuser), then RUN commands in your Dockerfile will run as swuser.

If you need to run as root, switch to root at the beginning of your Dockerfile, then change back to the correct user with another USER instruction:

Example Dockerfile
FROM fedora:27

RUN groupadd -r swuser -g 433 && \
    useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser

USER root

RUN dnf install -y vim

USER swuser

USER root: Switch to the root user to perform actions that need elevated permissions, such as installing software via yum/dnf.

USER swuser: Then switch back to a lower permissions user to run the image.

Now we can test this out by building the following Dockerfile.

Step 2:

Build the Dockerfile

Make new directory & Build Dockerfile
mkdir ~/user-test
cd ~/user-test
vim Dockerfile
Copy the Dockerfile above. Press i for Insert, paste with control + v, then press esc and write the file with :wq.
Dockerfile
FROM fedora:27

RUN groupadd -r swuser -g 433 && \
    useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser

USER root

RUN dnf install -y vim

USER swuser

Now build the image. The build time is similar to before (approximately 3 minutes).

Build the image
sudo docker build -t user-test:1 .

Now run and test the image to see who the container is running as. What do you see?

Run the image
sudo docker run --rm -it user-test:1 whoami
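The whoami run above checks the user at runtime. As an added example that is not part of the workshop, the following Python script performs the same check statically on the Dockerfile text: it joins continuation lines, tracks USER instructions (resetting to the parent's user at each FROM, which is assumed to be root as it is for fedora), and reports the user a container would start as.

```python
"""Static check: which user will a container built from this Dockerfile run as?"""

# Copy of the workshop Dockerfile, embedded as constructed sample input.
SAMPLE_DOCKERFILE = """\
FROM fedora:27

RUN groupadd -r swuser -g 433 && \\
    useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser

USER root

RUN dnf install -y vim

USER swuser
"""


def _logical_lines(text):
    """Yield instructions with backslash continuations joined; skip comments and blanks."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            buf += " " + line.lstrip()
        elif not line.strip() or line.lstrip().startswith("#"):
            continue
        else:
            buf = line
        if buf.endswith("\\"):
            buf = buf[:-1]  # continued on the next line
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def final_user(text, parent_user="root"):
    """Return the user the last build stage ends on.

    parent_user is an assumption about the base image's USER; most official
    images (fedora included) default to root. Each FROM starts a new stage,
    so the effective user resets to the parent's.
    """
    user = parent_user
    for line in _logical_lines(text):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr == "FROM":
            user = parent_user
        elif instr == "USER" and len(parts) > 1:
            user = parts[1].strip().split(":")[0]  # drop an optional :group
    return user


def runs_as_root(text, parent_user="root"):
    """True when containers from this image would start as root (uid 0)."""
    return final_user(text, parent_user) in ("root", "0")
```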

For more information on containers and which user to run as, here are a few good articles.
