Why non-root containers


Andrew Latham

Oct 27, 2019, 12:01:39 PM
to Distroless Users
I really need to understand the use case for non-root containers.

I am assuming that either
1. The software is checking for user
2. The software needs to be a specific user
3. Mapping volume to a user inside the container instead of with the container tooling.

Please school me on what the use-case is because I am interested.

Brian de Alwis

Oct 29, 2019, 7:14:14 AM
to Andrew Latham, Distroless Users
This article summarizes some of the reasons:


Seems to be a logical extension of the trends in *nix systems of containing apps and daemons as separate users rather than running as root.

Brian.

--
You received this message because you are subscribed to the Google Groups "Distroless Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to distroless-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/distroless-users/3498dd66-24d2-4b1d-8528-e91501e80bc6%40googlegroups.com.

Evan Jones

Oct 31, 2019, 1:56:26 PM
to Distroless Users
I am not a security expert. I've seen this advice in a couple of different places, and it does make some sense: you might as well have multiple layers of security in place. If your program doesn't need root privileges even inside the container, don't give them to it. Given that part of the reason to use Distroless is to have less "attack surface", if this recommendation is valid, it seems to me that "secure by default" would be a good policy? In my limited experience: most containerized applications do not need root credentials.


I did a quick survey of Kubernetes Dockerfile images using github search: https://github.com/search?q=org%3Akubernetes+distroless+language%3ADockerfile&type=Code


Here are some that explicitly switch to USER nobody or nonroot:



Here are some that do not. Unclear to me if this is because they need to, or because someone didn't think of it:




Evan Jones

Nov 25, 2019, 6:03:56 PM
to Distroless Users
To revisit this thread, a recent example from this week shows the value of running as non-root by default [1]: "if your container is run with a non-root user, you are protected. Even if an attacker compromised your container, he cannot overwrite the container's libnss libraries as they are owned by root, and therefore cannot exploit the vulnerability".
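
An added example, not posted by anyone in this thread: a small POSIX shell check of the kind Evan's Dockerfile survey (looking for USER nobody or nonroot) implies, which reports whether the final stage of a Dockerfile ends up running as root, the condition the quoted libnss example depends on. The helper name final_user, the rule that a base image tagged ":nonroot" defaults to a non-root user, and the sample Dockerfiles are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the last stage of a
# Dockerfile runs as root. Assumptions: a new FROM resets USER to the base
# image's default; a base tagged ":nonroot" (distroless convention) is
# taken to default to a non-root user; any other base defaults to root.
final_user() {
  # Reads Dockerfile text on stdin, prints "root" or "nonroot".
  awk '
    # USER may be "name", "uid", "name:group" or "uid:gid"; only the
    # user part decides. Empty, "root" and "0" all mean root.
    function is_root(u) { sub(/:.*/, "", u); return (u == "" || u == "root" || u == "0") }
    toupper($1) == "FROM" {
      img = ($2 ~ /^--/) ? $3 : $2          # skip flags such as --platform=...
      user = (img ~ /:nonroot(-|$)/) ? "nonroot" : "root"
    }
    toupper($1) == "USER" { user = $2 }     # later USER lines override earlier ones
    END { print (is_root(user) ? "root" : "nonroot") }
  '
}

# Constructed sample Dockerfiles (not real project files).
DF_DEFAULT='FROM gcr.io/distroless/base
COPY app /app
ENTRYPOINT ["/app"]'

DF_NOBODY='FROM gcr.io/distroless/base
COPY app /app
USER nobody
ENTRYPOINT ["/app"]'

DF_MULTISTAGE='FROM golang:1.13 AS build
USER root
COPY . /src
RUN cd /src && go build -o /out/app .
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]'

DF_REVERTED='FROM gcr.io/distroless/base:nonroot
USER 0:0
ENTRYPOINT ["/app"]'

for name in DF_DEFAULT DF_NOBODY DF_MULTISTAGE DF_REVERTED; do
  eval "df=\$$name"
  printf '%-14s -> %s\n' "$name" "$(printf '%s\n' "$df" | final_user)"
done
```

Only the last stage matters: a build stage that runs as root is harmless to the shipped image, while a USER 0:0 after a nonroot base silently reverts the protection.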
