#################
Dockerfiles notes
#################

****************************
Do not run processes as root
****************************

(Ref [dockerfiles-01]_)

- Processes in a container should not run as root, or assume that they are root. **The root user in the container could have access to everything on the host server!!**
- Create a user in the Dockerfile with a known UID and GID, and run your process as this user. For example:

  .. code-block:: docker

     FROM <base-image>
     RUN groupadd -g 999 appuser && \
         useradd -r -u 999 -g appuser appuser
     USER appuser
     ...

- When running containers that do not specify a user and run as root by default, you can create a user on the host and pass its UID to Docker when starting the container:

  .. code-block:: fish

     > docker run --user 1001 ...

**********
References
**********

.. [dockerfiles-01] Processes In Containers Should Not Run As Root (Medium) (Retrieved 2021-08-04)
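
A check for the non-root rule described under "Do not run processes as root", as an added example that is not part of the original notes: it reports which user a Dockerfile's final stage ends up running as. The function names, the sample Dockerfiles and the image name ``example/base:1.0`` are constructed for illustration, and a stage with no ``USER`` instruction is assumed to run as root.

```python
ROOT_NAMES = {"root", "0"}

def logical_lines(text):
    """Yield instructions with backslash continuations joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def final_user(text):
    """USER in effect at the end of the last build stage, or None if never set."""
    user = None
    for instr in logical_lines(text):
        parts = instr.split(None, 1)
        keyword = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if keyword == "FROM":
            user = None  # assumption: a new stage starts with the base image default
        elif keyword == "USER" and arg.strip():
            user = arg.split(":", 1)[0].strip()  # drop the optional ":group" part
    return user

def runs_as_root(text):
    """True when no USER is set (assumed root) or it names root / UID 0."""
    user = final_user(text)
    return user is None or user.lower() in ROOT_NAMES

# Constructed samples; example/base:1.0 is a placeholder image name.
HARDENED = """FROM example/base:1.0
RUN groupadd -g 999 appuser && \\
    useradd -r -u 999 -g appuser appuser
USER appuser
"""
NO_USER = 'FROM example/base:1.0\nCMD ["sleep", "60"]\n'
# USER is set only in the build stage, so the final stage falls back to the default.
MULTISTAGE = """FROM example/base:1.0 AS build
USER 999:999
FROM example/base:1.0
COPY --from=build /app /app
"""

if __name__ == "__main__":
    for name, df in [("HARDENED", HARDENED), ("NO_USER", NO_USER), ("MULTISTAGE", MULTISTAGE)]:
        print(name, "root" if runs_as_root(df) else f"non-root ({final_user(df)})")
```

The multi-stage sample shows the case that is easy to miss: a ``USER`` set in an earlier stage does not carry over to a later ``FROM``, so the final image still needs its own ``USER`` line.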