We are running Docker Swarm and reverse proxy Traefik which needs access to /var/run/docker.sock
for Configuration Discovery. Currently looking into securing containers more according to OWASP Docker Security Cheat Sheet, see post.
So we want to place a proxy between the Docker socket and Traefik. The usual docker socket proxy seems maintained (link), but the latest
Docker image is 3 years old. Personally I would rather roll my own than trust an unknown organization.
I started to experiment with nginx, which seems to create an additional nginx user in the Dockerfile. It seems to be great to use a different user than root, even though uid/gid 101 seem to collide with Debian defaults.
What I don’t understand is that the image tells me that it is still running as root inside.
# docker run --name nginx -d nginx:alpine-slim
# docker exec -it nginx sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # ps
PID   USER     TIME  COMMAND
    1 root      0:00 nginx: master process nginx -g daemon off;
   30 nginx     0:00 nginx: worker process
   31 nginx     0:00 nginx: worker process
Is this how it is supposed to be? Shouldn’t there be no root at all in the image for better security?
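An added example (not from the post, nor from the nginx, Traefik or docker-socket-proxy projects) of the kind of socket proxy described above: an nginx configuration that exposes only read-only GET endpoints of the Docker API on an unprivileged port, written so that nginx can be started directly as the nginx user with no `user` directive and only writable paths under /tmp. The endpoint list, and the assumption that the socket is mounted at /var/run/docker.sock inside the proxy container, should be verified against the Traefik version in use.

```nginx
# Added example: read-only Docker socket proxy for Traefik (not from the post).
# Assumptions: the socket is mounted into the proxy container at /var/run/docker.sock,
# the container runs `nginx -g 'daemon off;'` as an unprivileged user whose group may
# read and write that socket, and Traefik only needs GET on the paths below
# (check against the Traefik docs for the version in use).
# No `user` directive: when nginx is started unprivileged, master and workers
# all run under that same uid, so no root process is left in the container.
pid /tmp/nginx.pid;
error_log /dev/stderr warn;
events { worker_connections 64; }

http {
    access_log /dev/stdout;
    # An unprivileged nginx needs writable locations for its temp files.
    client_body_temp_path /tmp/client_body;
    proxy_temp_path       /tmp/proxy;
    fastcgi_temp_path     /tmp/fastcgi;
    uwsgi_temp_path       /tmp/uwsgi;
    scgi_temp_path        /tmp/scgi;

    upstream docker { server unix:/var/run/docker.sock; }

    server {
        # Port above 1024, so binding needs no root.
        listen 2375;

        # Default: deny everything not explicitly allowed below.
        location / { return 403; }

        # Read-only endpoints the Traefik Docker/Swarm provider polls. The optional
        # /v1.xx/ API version prefix is accepted; container inspection
        # (/containers/{id}/json) is included for non-swarm setups.
        location ~ ^(/v[0-9.]+)?/(version|info|events|containers/json|containers/[^/]+/json|services|tasks|networks)(/|$) {
            # Anything other than GET/HEAD (create, exec, delete, ...) is refused.
            limit_except GET { deny all; }
            proxy_pass http://docker;
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            # /events is a long-lived stream: do not buffer it or time it out early.
            proxy_buffering off;
            proxy_read_timeout 3600s;
        }
    }
}
```

Started this way, `ps` inside the container shows master and workers under the same unprivileged uid; a quick check is that `GET /version` through the proxy succeeds while any POST or DELETE request returns 403.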