Nobody as default user in Docker

[Pavel Mička]

Hi,

I have noticed that in Docker file the user for Prometheus is nobody (https://github.com/prometheus/prometheus/blob/master/Dockerfile). I understand running stateless components with limited/no access to sensitive data running under this user, but Prometheus is stateful and possibly contains sensitive data (system topology, exact configuration, PII - if carelessly configured).

Are there any plans to run Prometheus by default under dedicated user? Or is the nobody user there by design?

Thanks!

Pavel

[pg...@redhat.com]

I believe the nobody user is there by design since it's known account which normally has only minimal permissions.  During development, you can't be sure what users will be available on the runtime host system and what those users will have access to.  So you should override the default user of most/all containers at runtime (docker run --user someuser) and give each user host permissions based on the specific needs of the related container.  That way it doesn't really matter what user what set inside the Dockerfile.