When creating a Docker image, it’s advisable not to use the root user. Instead, what type of user should be created? Is a randomly generated user appropriate, and should this user have specific privileges? What are the best practices in this scenario? Additionally, how can I ensure at an organizational level that everyone uses a non-root user for Docker images?
You can create a user inside the dockerfile using the distro’s appropriate useradd
(or adduser
) command and then switch to that user with the USER
command.
As to how you would enforce that, this is probably something you would have to put into your CI system to check the dockerfile for the presence of the appropriate commands before it does docker build
. Do not allow developers to publish images built on their own workstations.
Make sure that whatever is running the image (docker or kubernetes) has the appropriate settings to not allow root user execution.
There may be tools that can do the dockerfile check for you but I don’t know any off the top of my head.