Docker Community Forums

Share and learn in the Docker community.

Docker as non-root by default


#1

Hi All,

The advantage of docker is it allows containerzied development and allows to promote environment post testing. In that case why can’t it be made to execute as non-root like any other linux command. Although underlying it uses unix-socket instead of tcp/ip. can this fundamental architecture be re-thought to run docker as independent container similar to JVM jar files. I just wanted the community to think through a solution then only it becomes easier for development teams to easily promote to production otherwise administrators are required to do the harderning stuff on production for every implementaion.


(Metin Y.) #2

Won’t happen! the docker deamon orchestrats severall linux/unix tools that require root permissions (like iptables for instance).

I guess what you want is to grant access to the docker daemon? This one is easy. create a docker group, modify the ownership of docker.sock to root:{your group} and the users will be able to use the docker cli. BUT: containers will still be started as root:root, and as such the user could mount funny stuff inside the container and manipulate host files. Be sure to add only trusted users to the group! Be warned: you open them the door to apply whatever obscure magic commes into their mind!

Clean solution: create a job in your CI/CD enivronment and let the job execute the tasks.

You are aware that the JVM has very restricted access to devices, aren’t you? Usualy freakish JNI binidings are required for heavy stuff. Do you realy put the same burden on Docker. I can’t even express how wrong this feels.


#3

I am fine with this approach but the intent of my question is make containers independent of environment restrictions like in-built security similar to how JVM provides. May be something similar might evolve. Probably somebody like linus trivold would make a decision till then. Thank you for your response