Back to Home
Docker
Container security with non-root user usage and best practices
usersecuritynon-rootpermissionsdockerfile
Docker USER Directive
Running containers as non-root user for better security.
Why Avoid Root?
- Risk of host root access on container escape
- Principle of Least Privilege
- Compliance with production security standards
- Kubernetes PodSecurityPolicy/Standards compliance
Alpine Based Image
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
COPY --chown=appuser:appgroup . .
RUN npm ci --only=production
USER appuser
EXPOSE 3000
CMD ["node", "server.js"]
Debian/Ubuntu Based Image
FROM ubuntu:22.04
RUN groupadd -r appgroup && useradd -r -g appgroup -m appuser
WORKDIR /app
COPY --chown=appuser:appgroup . .
USER appuser
CMD ["./app"]
Specifying User at Runtime
docker run --user 1000:1000 nginx
docker run --user $(id -u):$(id -g) nginx
docker exec container_name whoami
docker exec container_name id
File Permissions Best Practice
FROM python:3.12-slim
RUN groupadd -r app && useradd -r -g app app
WORKDIR /app
COPY . .
RUN chown -R app:app /app && chmod -R 550 /app
USER app
CMD ["python", "main.py"]
Temporary Root Access
FROM node:18-alpine
RUN addgroup -S app && adduser -S app -G app
RUN apk add --no-cache curl
WORKDIR /app
COPY --chown=app:app . .
USER app
RUN npm ci --only=production
CMD ["node", "server.js"]