The latest articles on DEV Community by Phui-Hock (@phuihock). https://dev.to/phuihock https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F376875%2F08fd6d96-c85a-4b66-8b89-7371541b7736.jpeg https://dev.to/phuihock en Phui-Hock Thu, 30 Apr 2020 16:30:56 +0000 https://dev.to/phuihock/building-a-non-root-docker-container-29ah https://dev.to/phuihock/building-a-non-root-docker-container-29ah <p>Up until recently, I have been building container images with root and I run them as such, which is (of course) a very poor practice. </p> <p>I started learning how to build non-root container a few days ago. In many examples, an arbitrary user is created. Files and directories are created and permissions are set with <code>chmod</code>. This makes <code>Dockerfile</code> slightly bloated with commands which make the image building process look like system administration.</p> <p>The first question that comes to mind is, "Can't I use any one of the existing user in the container?" I opened up <code>/etc/passwd</code> in both <code>ubuntu:18.04</code> and <code>alpine:3.11</code>, 2 base images that I commonly use. I found <code>nobody</code>, with id 65534 defined in both images. </p> <p>Least privileged user? This is it.</p> <p>I use Docker, VS Code with Remote Development extension for development. It allows me to attach to a running container and develop inside it. The source code is mounted into the container using bind mount. </p> <p>Now, how do I save my files if the container runs as <code>nobody</code> while the source files on my host owned by me (another user)? It turns out that there is an (sort of) easy solution.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Dockerfile --- from ubuntu:18.04 ENV HOME /app USER nobody WORKDIR ${HOME} COPY src ./src/ ENTRYPOINT ["./src/helloworld.sh"] </code></pre></div> <div class="highlight"><pre class="highlight plaintext"><code>docker-compose.yml --- version: "3.7" services: app: build: context: . </code></pre></div> <div class="highlight"><pre class="highlight plaintext"><code>docker-compose.override.yml --- version: "3.7" services: app: user: "nobody:${GROUP}" volumes: - .:/app </code></pre></div> <p>With the files above in the project directory, the first step is to update the source folder with the group writable permission recursively, like so:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ chmod -R g+wX &lt;project dir&gt; </code></pre></div> <p>Then, I run the container as the same group as the host user's group, like so:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ GROUP=$(id -g) docker-compose up </code></pre></div> <p>Now, I can attach to the docker container from VS Code using Remote Development extension and develop inside it. When the image is deployed, it runs as <code>nobody</code>, which should be safer than running as <code>root</code>.</p> <p>That said, I am still not sure if this is the best approach to non-root container. But this seems to work for my development workflow as well as deployment (with/without swarm mode)</p> <p>Comments are welcomed.</p> docker