We are running Docker Swarm and the reverse proxy Traefik, which needs access to /var/run/docker.sock for Configuration Discovery. We are currently looking into securing containers more according to the OWASP Docker Security Cheat Sheet, see post.

So we want to place a proxy between the Docker socket and Traefik. The usual docker socket proxy seems maintained (link), but the latest Docker image is 3 years old. Personally, I would rather roll my own than trust an unknown organization.
I started to experiment with nginx, which seems to create an additional nginx user in the Dockerfile. It seems great to use a different user than root, even though uid/gid 101 seem to collide with Debian defaults.

What I don't understand is that the image tells me that it is still running as root inside:
```
# docker run --name nginx -d nginx:alpine-slim
# docker exec -it nginx sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # ps
PID   USER     TIME  COMMAND
    1 root      0:00 nginx: master process nginx -g daemon off;
   30 nginx     0:00 nginx: worker process
   31 nginx     0:00 nginx: worker process
```
Is this how it is supposed to be? Shouldn’t there be no root at all in the image for better security?
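As an added example (not from the original post or any project), a minimal nginx.conf for the "roll my own" socket proxy described above: it forwards only the read-only Docker API calls Traefik's Docker/Swarm provider uses and returns 403 for everything else. The service name `dockerproxy`, the listen port 2375 and the `nginx` user being a member of the host docker group are assumptions.

```nginx
# Constructed example: nginx as a filtering proxy in front of /var/run/docker.sock.
# Traefik is pointed at tcp://dockerproxy:2375 instead of mounting the raw socket.
# Assumptions: the socket is bind-mounted into this container and the nginx worker
# user belongs to the host docker group (the GID is host-specific).

user nginx;                     # master process stays root, workers drop to "nginx"
worker_processes 1;
events { worker_connections 256; }

http {
    access_log /dev/stdout;     # every request that reaches the socket is logged
    error_log  /dev/stderr warn;

    upstream docker {
        server unix:/var/run/docker.sock;
    }

    server {
        listen 2375;            # expose only on the internal overlay network

        # Default deny: paths not matched below never reach the socket.
        location / {
            return 403;
        }

        # Read-only endpoints Traefik's provider needs. The optional "v1.xx/" prefix
        # is the API version the Docker client negotiates.
        location ~ ^/(v[0-9.]+/)?(_ping|version|events|containers/json|containers/[^/]+/json|services(/[^/]+)?|tasks(/[^/]+)?|networks(/[^/]+)?)$ {
            limit_except GET { deny all; }   # GET (and HEAD) only; POST/PUT/DELETE get 403
            proxy_pass http://docker;
            proxy_http_version 1.1;          # /events is a long-lived chunked stream
            proxy_buffering off;
            proxy_read_timeout 3600s;
        }
    }
}
```

With the `user` directive set, the master process still starts as root (which is what the `ps` output in the post shows) and only the workers that actually talk to the socket run as `nginx`; nginxinc/nginx-unprivileged is the official image variant that starts without root at all and listens on 8080.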