med ∩ ml

Run your containers as non-root

Docker runs as root, and so do the programs executing inside your containers unless you tell it otherwise. A few Dockerfile lines make this a bit better.

# do everything that needs root first (for example installing dependencies)

# create a non-root user and group with a fixed UID/GID (1001 here)
RUN addgroup --gid 1001 appgroup
RUN useradd --create-home --gid 1001 --uid 1001 appuser

# set the new workdir to that user's home
WORKDIR /home/appuser

# activate the non-root user; everything after this line (RUN, CMD, ENTRYPOINT) runs as appuser
USER appuser

# copy new files with correct ownership, otherwise they would belong to root
COPY --chown=appuser:appgroup app.py .

If you need to mount or use files from your host file system inside the container, give the UID/GID defined above access to them:

# set ownership, recursive, userid:groupid (numeric, so it works even if the host has no user 1001)
chown -R 1001:1001 /data/myvolume

# owner and group get full access (read+write+execute), everyone else read+execute
chmod 775 /data/myvolume

# setgid on the directory: new files inherit its group ownership
chmod g+s /data/myvolume

# Add your host user to the group with GID 1001 so you can conveniently work with the directory from your host machine.
# adduser expects a group name, not a GID, so look up (or create) the group that owns GID 1001 first
getent group 1001 >/dev/null || groupadd --gid 1001 appgroup
adduser <your-username> "$(getent group 1001 | cut -d: -f1)"
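A check to go with the above, added here and not part of the original post: a small POSIX shell script that reads a Dockerfile and reports whether its final stage still runs as root (no USER line, or USER root/0). The three sample Dockerfiles it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the page): report which user the final stage of a
# Dockerfile runs as. Each FROM starts a stage as root, the last USER in the
# last stage wins, and "root"/"0" (optionally with a group) count as root.
# Caveat: USER ${VAR} set via ARG/ENV is not resolved and is reported verbatim.
dockerfile_final_user() {   # $1 = path to a Dockerfile; prints effective user
    # join backslash continuations, drop comment lines, then track FROM/USER
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" | grep -v '^[[:space:]]*#' |
    awk 'toupper($1) == "FROM" { user = "root" }
         toupper($1) == "USER" { user = $2 }
         END { print (user == "" ? "root" : user) }'
}

is_root_user() {            # $1 = USER value such as "appuser" or "1001:1001"
    case "${1%%:*}" in
        root|0|'') return 0 ;;
        *)         return 1 ;;
    esac
}

check_dockerfile() {        # prints a verdict; returns 1 when the image is root
    u=$(dockerfile_final_user "$1")
    if is_root_user "$u"; then
        echo "$1: final stage runs as root (USER=$u)"; return 1
    fi
    echo "$1: final stage runs as $u"
}

write_samples() {           # constructed sample Dockerfiles, written into $1
    cat > "$1/good.Dockerfile" <<'EOF'
FROM debian:bookworm-slim
RUN addgroup --gid 1001 appgroup && \
    useradd --create-home --gid 1001 --uid 1001 appuser
USER appuser
EOF
    cat > "$1/bad.Dockerfile" <<'EOF'
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y python3
EOF
    cat > "$1/multistage.Dockerfile" <<'EOF'
FROM debian:bookworm-slim AS build
USER nobody
FROM debian:bookworm-slim
EOF
}

# stand-alone run over the samples (bad/multistage are expected to fail)
d=$(mktemp -d); write_samples "$d"
for f in "$d"/*.Dockerfile; do check_dockerfile "$f" || :; done
```

Run it against your own Dockerfiles in CI to catch an image that silently drops back to root, for example when a later stage forgets to repeat the USER line.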