"docker-compose up" as root user or non-root user?

security docker linux docker-compose

r00tusr!

I vote for always running containers as regular users.

In a production system your containers won't be run as root. Even in non-production systems, the users who run your container might not be allowed to run programs as root.

So I like to make them work properly as an unprivileged user, even when it's difficult.

Also, there's the security consideration. The general rule professional sysadmins follow is never to run something as root unless it really, really must. Once a program is running as root, it has full control of the computer and can do anything to that computer that it is told to do. Whether that be the good works the author intended or nefarious works by a neer-do-well who cracks into the author's program through a vulnerability that author didn't think to close.

Since we've finally learned that we really, truly cannot predict which programs have flaws, we just don't take chances anymore.

Thanks! Mike


It makes little difference. The docker-compose command connects to the docker.sock, aka docker's API, to run all container commands. By default, this API is only accessible to the root user on linux, so you often see people running commands with sudo.

You can configure docker to allow non-root users to access this API, just be sure you trust these users with root access on your host, since the API gives that level of access. See this answer for details on how to give users this access. The dockerd daemon is typically configured to run as root, the user accessing this API makes little difference (there is rootless mode currently in experimental).

The important detail is to run applications inside of your container as a non-root user. It's the equivalent of systemd running as root and launching a program as a non-root user. You configure this user in the Dockerfile, docker-compose.yml, or your docker run -u CLI.

The reason I say "little difference" is that a compose file can configure host mounts that have a relative path. If you run docker-compose command as root or a different user, those host mounts may be a different path, and the files may be owned by a different UID, that may or may not map to the UID of your application inside the container. Beyond that, I can't think of any difference between running docker-compose as a user or root.

Related

What is the current status of pNFS on Ubuntu?
How can I connect to Postgres running on the Windows host from inside WSL2?
Skype-SIP gateway
Open Source Alternative to Microsoft's File Replication Services [closed]
What are the security risks of making Nagios publicly viewable?
Can't send a MSMQ message to the second DNS name of a server
RDP - Remote Desktop disconnected, Error 2308 socket closed
Getting more helpful tab completion prompts in bash?
Routing table hits?
Apache2 PHP Site - Hitting MaxClients limit - diagnosing?
When specifying an NFS mountpoint in /etc/fstab, What is the "addr" option for?
How popular is WebDAV in reality? [closed]