Understanding nginx image and the created nginx user?

We are running Docker Swarm and reverse proxy Traefik which needs access to /var/run/docker.sock for Configuration Discovery. Currently looking into securing containers more according to OWASP Docker Security Cheat Sheet, see post.

So we want to place a proxy between the Docker socket and Traefik. The usual docker socket proxy seems maintained (link), but the latest Docker image is 3 years old. Personally I'd rather roll my own than trust an unknown organization.

I started to experiment with nginx, which seems to create an additional nginx user in the Dockerfile. It seems to be great to use a different user than root, even though uid/gid 101 seem to collide with Debian defaults.

What I don’t understand is that the image tells me that it is still running as root inside.

# docker run --name nginx -d nginx:alpine-slim
# docker exec -it nginx sh

/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

/ # ps
PID   USER     TIME  COMMAND
    1 root      0:00 nginx: master process nginx -g daemon off;
   30 nginx     0:00 nginx: worker process
   31 nginx     0:00 nginx: worker process

Is this how it is supposed to be? Shouldn’t there be no root at all in the image for better security?

It seems to be the same for haproxy (Dockerfile):

# docker run --name ha -d haproxytech/haproxy-alpine:latest
# docker exec -it ha sh

/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

/ # ps
PID   USER     TIME  COMMAND
    1 root      0:00 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg
    8 haproxy   0:00 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg

Why create a new dedicated haproxy user when the initial process is still running as root?
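The `ps` listings above show the pattern in both images: PID 1 stays root and only the workers drop to the dedicated user. To make that observation checkable rather than eyeballed, here is a small POSIX shell helper (an added example, not code from the thread or from the nginx/haproxy projects) that parses BusyBox-style `ps` output (`PID USER TIME COMMAND`) and reports every process still owned by root. The sample input is constructed from the nginx output quoted above; the `--demo` flag and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a container's `ps` listing for processes still running as root.
# Expects BusyBox `ps` format with a header line: PID   USER     TIME  COMMAND
# Typical use after sourcing this file:  docker exec nginx ps | root_processes

# Print "pid<TAB>command" for every process whose USER column is root.
# The header line is skipped. Exit status 0 if no root process, 1 otherwise.
root_processes() {
    awk 'NR > 1 && $2 == "root" {
             cmd = $4
             for (i = 5; i <= NF; i++) cmd = cmd " " $i
             print $1 "\t" cmd
             found = 1
         }
         END { exit (found ? 1 : 0) }'
}

# Echo the number of root-owned processes in the listing read from stdin.
count_root() {
    root_processes | wc -l | tr -d ' '
}

# Echo the USER of PID 1 (the container's init process), or "unknown" if absent.
pid1_user() {
    awk 'NR > 1 && $1 == "1" { print $2; seen = 1 } END { if (!seen) print "unknown" }'
}

# Constructed sample, taken from the nginx:alpine-slim listing quoted in the thread.
SAMPLE_PS='PID   USER     TIME  COMMAND
    1 root      0:00 nginx: master process nginx -g daemon off;
   30 nginx     0:00 nginx: worker process
   31 nginx     0:00 nginx: worker process'

if [ "${1:-}" = "--demo" ]; then
    echo "PID 1 runs as: $(printf '%s\n' "$SAMPLE_PS" | pid1_user)"
    echo "root-owned processes:"
    printf '%s\n' "$SAMPLE_PS" | root_processes
fi
```

Run with `sh root_processes.sh --demo` to see the sample evaluated; against a live container, `docker exec <name> ps | root_processes` returns non-zero whenever PID 1 (or anything else) is still root, which makes it usable as a quick post-deployment check in a script.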

The worker processes will handle the requests and responses.

Creating your own nginx image starting as a restricted user works, but has some drawbacks, especially when you rely on the envsubst-based templating the image provides. Last time I created such an image I just had to follow the instructions from the nginx Docker Hub description.

Thanks for the hint, I overlooked some of the documentation.

The Docker Hub page has a section about “Running nginx as a non-root user” (link) and there is a link to nginx-unprivileged (link).