Exercise 1.2 - Docker `USER`

Return to Workshop

term

Exercise 1.2 - Docker USER

Exercise Description

Now that you’ve gotten a sense of software provenance in Dockerfiles lets take a look at the USER in Dockerfiles.

By default docker containers run as root. A docker container running as root has full control of the host system. As docker matures, more secure default options may become available. For now, requiring root is dangerous for others and may not be available in all environments. Your image should use the USER instruction to specify a non-root user for containers to run as. If your software does not create its own user, you can create a user and group in the Dockerfile.

Step 1. Reusing an Image with a Non-root User

The default user in a Dockerfile is the user of the parent image. For example, if your image is derived from an image that uses a non-root user example: swuser, then RUN commands in your Dockerfile will run as swuser.

If you need to run as root, you should change the user to root at the beginning of your Dockerfile then change back to the correct user with another USER instruction:

Example Dockerfile
FROM fedora:29

RUN groupadd -r swuser -g 433 && \
    useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser

USER root

RUN dnf install -y vim

USER swuser

USER root: Switch to the root user to perform actions that need elevated permissions, such as installing software via yum/dnf.

USER swuser: Then, switch back to a lower permissions user to run the image.

Now we can test this out by building the following Dockerfile

Step 2. Build the Dockerfile

Make new directory & Build Dockerfile
mkdir ~/user-test
cd ~/user-test
vim Dockerfile
Copy the Dockerfile above. Press i for Insert, then cut and paste control + v, then escape and write the file esc, :wq.
Dockerfile
FROM fedora:29

RUN groupadd -r swuser -g 433 && \
    useradd -u 431 -r -g swuser -s /sbin/nologin -c "Docker image user" swuser

USER root

RUN dnf install -y vim

USER swuser

Step 3. Build the image

When building an image, the build time is similar as before (approximately 3 minutes)

Build the image
sudo docker build -t user-test:1 .

Step 4. Run and Test the image

Run and test the image to see who the container is running as. What do you see?

Run the image
sudo docker run --rm -it user-test:1 whoami

For more information on Containers and correct users to use here are a few good articles.

  • Why we don’t let non-root users run Docker in CentOS, Fedora, or RHEL

  • Guidance for Docker Image Authors


    Workshop Details

    Domain
    Workshop
    Student ID

Return to Workshop