2. Dockerfiles notes
2.1. Do not run processes as root
(Ref [dockerfiles-01])
Processes in a container should not run as root, or assume that they are root. The root user in the container could have access to everything on the host server!
Create a user in the Dockerfile with a known UID and GID, and run your process as this user. For example:
FROM <baseimage>
RUN groupadd -g 999 appuser && \
    useradd -r -u 999 -g appuser appuser
USER appuser
...
When running containers that do not specify a user and run as root by default, you can create a user on the host, and pass its UID to Docker when starting the container:
> docker run --user 1001 ...
2.2. References
[dockerfiles-01]
Processes In Containers Should Not Run As Root (Medium) (Retrieved 2021-08-04)