View profile

Prevent Your Container Apps From Running As Root

Revue
 
 

Vital DevOps: Improving Your Container DevOps Skills

November 18 · Issue #20 · View online
Commentary on tools and techniques I find interesting around Docker, Kubernetes, Cloud Native DevOps, and DevSecOps.
In case you missed it, we had a special YouTube Live Thursday to talk about Docker selling their Enterprise business to Mirantis.
Today we’re back on schedule with my next security recommendation for using Docker. The past few newsletters have covered Docker Security. Today’s topic is about the USER command in a Dockerfile, and how it can be used to ensure your containerized app isn’t running as root in the container.
Why Do We Need To Add This?
When a container runs an instance of an image, unless otherwise specified, the application is running as root inside the container. I’m sure you’ve been told that your apps shouldn’t run as root, and that’s still true in containers.
We should be changing this in all our apps, whenever possible.
Following the principle of least privilege, we should strive to grant only the minimum requirements to run the application. This principle is not related to Docker, but general to IT security as a whole.
What is the Principle of Least Privilege (PoLP)?
www.beyondtrust.comShare
Least privilege, often referred to as the principle of least privilege (PoLP), refers to the concept and practice of restricting access rights for users.
Docker Tips: Running a Container With a Non Root User
medium.comShare
One best practice when running a container is to launch the process with a non root user.
What Does it Look Like?
I covered an example of this in my YouTube Live stream with the node image. Many language images have a “useradd” command included in a RUN command, but never actually specify the USER stanza to switch from the root user to this new custom user.
Official Node Image With Non-Root User
Official Node Image With Non-Root User
Note this is all already done for us in Official repos that run an app, like Nginx, MySQL, etc.
It’s NOT enabled with the USER command in programming language Official images, like Node.js, Python, etc. You’ll need to add USER <username> yourself for those, depending on if you app works as a non-root user.
NOTE: In order to make sure the new user can run the app, you might need to include some additional chown commands to give permissions to the new user.
Don't Run Your App as Root (starts at 28:06)
www.youtube.comShare
It’s Halloween! This week I step through the best things you can do to improve your Docker security
Thanks for reading,
–Bret
Weekly YouTube Live: bretfisher.com/youtube
Course Coupons: bretfisher.com/courses
Podcast: bretfisher.com/podcast
Twitter: twitter.com/bretfisher
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Bret Fisher, Virginia Beach, Virginia, USA