Docker Community Forums

Secure way of using volume in container with non-root user

I'm trying to make my docker host and its machines a bit more secure. One of the remarks was "Ensure a user for the container has been created". So I have added

USER 9000

inside my container. That worked fine, and the security warning was gone. But now I get this from my application:

System.UnauthorizedAccessException: Access to the path '/app/data/log' is denied.

So I can't create a folder or change files in my volume anymore, which I have connected like this during run:

--volume app_data:/app/data

So I also tried doing something like this, replacing the group_id and user_id with the numbers from the dockremap user on the host itself:

ARG USER_ID
ARG GROUP_ID
RUN groupadd -g ${GROUP_ID} dockremap && \
    useradd -l -u ${USER_ID} -g dockremap dockremap && \
    chown -R ${USER_ID}:${GROUP_ID} /app
USER dockremap

But actually I don't want to manage users on my docker host; my container should run securely and should be able to store persistent data when I upgrade my application (with CI/CD).

What is the best solution for this?

I found out I hadn't granted the dockremap user access to the source of the volume yet. After executing this, it worked:

chown -R dockremap:dockremap /var/lib/docker/volumes/

But is this the best way to go? Because why should I manage users on my docker host? This isn't something you do when you have a swarm, right? So what's the best way of just mounting a volume in a container which makes the data persistent inside the container?
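Added example, not from the original post or from Docker's own documentation: one way to avoid touching users or /var/lib/docker on the host is to give the container user a fixed numeric UID/GID and chown the mount point inside the image. When an empty named volume is mounted over a directory that exists in the image, Docker copies that directory, including its ownership, into the volume on first use, so the application can write to it without any chown on the host. The base image, the user name appsvc, UID/GID 9000, the /app/data path and the entrypoint are assumptions.

```dockerfile
# Added example (assumptions: base image, user appsvc, UID/GID 9000, /app/data, entrypoint).
FROM mcr.microsoft.com/dotnet/aspnet:8.0

# Fixed, unprivileged UID/GID: ownership stays stable across image rebuilds in CI/CD
# and does not depend on any user existing on the Docker host.
ARG APP_UID=9000
ARG APP_GID=9000

# Create the user with no home directory and no login shell, create the mount point
# in the image, and hand it to that user. An empty named volume mounted on /app/data
# inherits this ownership the first time the container starts.
RUN groupadd --gid "${APP_GID}" appsvc \
 && useradd --uid "${APP_UID}" --gid "${APP_GID}" --no-create-home \
            --shell /usr/sbin/nologin appsvc \
 && mkdir -p /app/data \
 && chown "${APP_UID}:${APP_GID}" /app/data

WORKDIR /app
# Application files are owned by the app user so log/config writes under /app work too.
COPY --chown=${APP_UID}:${APP_GID} ./publish/ /app/

# Numeric USER: the setting can be verified without resolving /etc/passwd,
# and it satisfies the "user for the container has been created" check.
USER ${APP_UID}:${APP_GID}

VOLUME ["/app/data"]
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

This only helps a volume that is still empty: a volume that was already populated while the container ran as root keeps root ownership, and the one-off fix belongs inside a throwaway container (for example `docker run --rm -v app_data:/app/data alpine chown -R 9000:9000 /app/data`) rather than in /var/lib/docker on the host, which also keeps working when userns-remap (the dockremap user) is enabled, because Docker applies the remapping to that chown for you.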