Root user or non-root user inside container


I think some good advice is:

The best practice is to combine:

  • running your process as non-privileged user within the containers (docker lets you do that easily)
  • stripping the container from all the potentially dangerous system capabilities (docker does that automatically)
  • running a hardened Linux, with e.g. a grsec-enabled kernel, or with your distro’s security module (SELinux, AppArmor…)

A root user within an LXC container cannot (in theory) escalate to be root on the host machine; but many people believe that it is possible to do so. It is certainly harder to do with Docker containers (thanks to the capability restrictions) but if security is a big concern, you should stack up multiple safety mechanisms.

From: Google Groups
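One way to apply the first two points of the quoted advice and then verify from inside the container that they took effect, as an added shell example that is not part of the original post or of Docker's own tooling (the image name myapp:latest and the /proc/self/status snippets are constructed placeholders):

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Docker CLI and an
# image "myapp:latest" (placeholder). The check reads /proc/<pid>/status text.

# Start the container with layered defences: a non-root UID, every Linux
# capability dropped, no privilege re-acquisition via setuid binaries, and a
# read-only root filesystem. Extra arguments are the image and its command.
run_hardened() {
  docker run --rm \
    --user 10001:10001 \
    --cap-drop=ALL \
    --security-opt no-new-privileges \
    --read-only \
    "$@"
}

# Given the text of /proc/self/status captured inside a container, return 0
# only if the effective UID is non-zero AND both the effective and the
# bounding capability sets are empty. An empty bounding set matters because
# a non-zero UID alone still leaves capabilities a setuid binary could regain.
check_status() {
  status="$1"
  euid=$(printf '%s\n' "$status" | awk '/^Uid:/ {print $3}')
  cap_eff=$(printf '%s\n' "$status" | awk '/^CapEff:/ {print $2}')
  cap_bnd=$(printf '%s\n' "$status" | awk '/^CapBnd:/ {print $2}')
  if [ -z "$euid" ] || [ "$euid" = 0 ]; then return 1; fi
  if [ "$cap_eff" != 0000000000000000 ]; then return 1; fi
  if [ "$cap_bnd" != 0000000000000000 ]; then return 1; fi
  return 0
}

# Constructed sample status files (field layout follows /proc/<pid>/status).
SAMPLE_ROOT_DEFAULT='Name:	sh
Uid:	0	0	0	0
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb'
SAMPLE_NONROOT_CAPS_KEPT='Name:	sh
Uid:	10001	10001	10001	10001
CapEff:	0000000000000000
CapBnd:	00000000a80425fb'
SAMPLE_HARDENED='Name:	sh
Uid:	10001	10001	10001	10001
CapEff:	0000000000000000
CapBnd:	0000000000000000'

# Live use: run_hardened myapp:latest cat /proc/self/status > status.txt
#           check_status "$(cat status.txt)" && echo hardened
check_status "$SAMPLE_HARDENED" && echo "hardened sample: ok"
check_status "$SAMPLE_ROOT_DEFAULT" || echo "root-default sample: rejected"
check_status "$SAMPLE_NONROOT_CAPS_KEPT" || echo "non-root, caps kept: rejected"
```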