Was not even sure of the exact place to post this, as it crosses a couple of areas. But here seems like the best choice, dockerengine.
If Docker is truly self contained, why when I run containers (example: docker run -it --rm -p 8888:8080 macedemo/tomcat) does it start a java process for each one on the host OS? I used the official tomcat Dockerfile from the Hub (where java is the base image) to run these:
UID PID PPID C STIME TTY TIME CMD
root 3451 1690 0 09:13 pts/28 00:01:17 /usr/bin/java -Dnop -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dstringchararrayaccessor.disabled=true -server -Djavax.net.ssl.trustStore=/usr/local/owf/apache-tomcat/certs/keystore.jks -Djavax.net.ssl.keyStore=/usr/local/owf/apache-tomcat/certs/keystore.jks -Djavax.net.ssl.keyStorePassword=XXXXX -Djavax.net.ssl.trustStorePassword=XXXX -Xmx1024m -Xms512m -XX:PermSize=128m -XX:MaxPermSize=256m -XX:+UseConcMarkSweepGC -XX:+ExplicitGCInvokesConcurrent -Djava.endorsed.dirs=/usr/local/owf/apache-tomcat/endorsed -classpath /usr/local/owf/apache-tomcat/bin/bootstrap.jar:/usr/local/owf/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/owf/apache-tomcat -Dcatalina.home=/usr/local/owf/apache-tomcat -Djava.io.tmpdir=/usr/local/owf/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start
root 3539 1690 0 09:14 pts/29 00:00:56 /usr/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
docker 3730 2394 0 12:32 pts/11 00:00:00 grep --color=auto java
spawned from:
root 1690 1 0 Nov24 ? 00:00:40 /usr/bin/docker daemon
So now these processes are dependent upon the java version running on the host system. Thus I could run into issues running on different hosts, based on the JVM installed on that server.
And to top it off, it starts those processes as root when I ran the docker run command as a non-privileged user, I guess because the docker daemon is running as root and spawned the processes. So now if the version of java I have on a host OS has a security vulnerability, it's now running as root. Sounds like a real bad idea and seems to be against guidance on the docker website to not run anything as root, which I certainly concur with.
Can anyone explain if I’m totally missing something?
v/r,
Frank
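As an added example (not code from the original post, and not Docker's own tooling), the following script checks on the host the two things the post is asking about: which java binary a containerised process is actually executing, and which uid the host kernel runs it as. Container processes share the host kernel, so they show up in a host ps listing, but /proc/<pid>/exe resolves inside the container's own root filesystem (reachable from the host as /proc/<pid>/root), i.e. the java shipped in the image rather than the host's; and without user-namespace remapping, uid 0 inside the container is uid 0 on the host, which is what a USER line in the Dockerfile or --user at run time changes. It assumes a Linux host with /proc, the docker CLI on PATH, and, for the live part, an image that runs java such as the macedemo/tomcat image named in the post. The function names (proc_exe, proc_exe_on_host, proc_uid, java_pid_of, demo) and the DEMO_IMAGE variable are chosen here, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original post or from Docker. Assumes a Linux
# host (needs /proc), the docker CLI on PATH, and, for the live demo, an image
# that runs java such as the macedemo/tomcat image named in the post.
set -eu

# Path of the executable a host PID is running, as seen in that process's own
# mount namespace (e.g. /usr/bin/java for a container, not the host's java).
proc_exe() {
    readlink "/proc/$1/exe"
}

# Where that file lives on the host: /proc/<pid>/root is the container's root
# filesystem, so this resolves to the java shipped inside the image.
proc_exe_on_host() {
    printf '/proc/%s/root%s\n' "$1" "$(proc_exe "$1")"
}

# Effective uid of a host PID as the host kernel sees it. Without user-namespace
# remapping (userns-remap), uid 0 inside the container is uid 0 on the host.
proc_uid() {
    awk '/^Uid:/ { print $3 }' "/proc/$1/status"
}

# Version string of whatever java is on the host PATH, if any.
host_java_version() {
    if command -v java >/dev/null 2>&1; then
        java -version 2>&1 | head -n 1
    else
        echo 'no java installed on host'
    fi
}

# Host PID of the java process inside a container: the container's init PID from
# docker inspect, or its java child if init is a wrapper such as catalina.sh.
java_pid_of() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$1")
    case "$(proc_exe "$pid")" in
        */java) echo "$pid" ;;
        *)      pgrep -P "$pid" -x java | head -n 1 ;;
    esac
}

# Run the image, report what the host sees, then show the non-root alternative.
demo() {
    image="$1"
    cid=$(docker run -d -p 8888:8080 "$image")
    sleep 3                     # give the entrypoint time to exec java
    pid=$(java_pid_of "$cid")
    echo "host pid:            $pid"
    echo "exe in container ns: $(proc_exe "$pid")"
    echo "same file on host:   $(proc_exe_on_host "$pid")"
    echo "image java version:  $(docker exec "$cid" java -version 2>&1 | head -n 1)"
    echo "host java version:   $(host_java_version)"
    echo "uid as host sees it: $(proc_uid "$pid")"
    docker rm -f "$cid" >/dev/null

    # What the Docker guidance asks for: a USER line in the Dockerfile, or
    # --user at run time. Same image, but the process is no longer uid 0.
    echo "uid with --user:     $(docker run --rm --user 65534:65534 "$image" id -u)"
}

# Only touches docker when asked, so the helpers above can be sourced or tested
# without a daemon:  DEMO_IMAGE=macedemo/tomcat sh inspect.sh
if [ -n "${DEMO_IMAGE:-}" ]; then
    demo "$DEMO_IMAGE"
fi
```

The "same file on host" path is the one to hand to ls -l or java -version if you want to prove to yourself that it is the image's copy and not /usr/bin/java on the host; the "uid as host sees it" line is the number the host's ps prints as root in the listing above.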