Home
This release is designed to support Non-Root child image implementations and deployments to platforms such as OpenShift or Red Hat host operating systems, which require special policies to deploy. As a better security practice, we decided to migrate (eventually) our Docker containers to a Non-Root implementation.
Here are some of the things you can do if your images require "root" access and you really want to do it:
- For Docker build: use the "sudo" or "sudo -H" prefix on the Dockerfile commands that require root access to install packages.
- For a Docker container (accessed via shell): use the "sudo" command when you need root privileges to install packages or change configurations.
- Or, you can use an older version of this kind of base image, which uses "root" in the Dockerfile.
- You can also modify the Dockerfile at the very bottom to remove/comment out the "USER ${USER}" line so that your child images have root as USER.
- Finally, you can also add a line at the very top of your child image's Dockerfile that reads "USER root" so that the Docker images built from it run as "root".
We like to promote the use of "Non-Root" images as a better Docker security practice. Whenever possible, you also want to further confine the use of "root" privileges in your Docker implementation so that a compromised container cannot be used to gain root on your host system. To lock down your Docker images and/or this base image, add the following line at the very end of the Dockerfile to remove sudo (notice that this might break some of your run-time code if you use sudo at run time):
```dockerfile
RUN sudo apt-get remove -y sudo
```
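As an added illustration (not a Dockerfile from the OpenKbs project), here is a complete child Dockerfile that follows the steps above: it inherits the non-root user from the base image, uses the "sudo" prefix for the package-installation steps, and then removes sudo at the end as the lock-down step. The base image name and tag, and the package being installed (curl), are placeholders chosen for the example; the `${USER}` variable is assumed to be the one the base image's own "USER ${USER}" line refers to.

```dockerfile
# Added example of a child Dockerfile following the non-root guidance above.
# Not part of the OpenKbs project; base image name/tag and the package are placeholders.
FROM openkbs/BASE_IMAGE_PLACEHOLDER:TAG_PLACEHOLDER

# The base image ends with "USER ${USER}" (a non-root user), so every step that
# needs root during the build gets the "sudo" prefix described above.
RUN sudo apt-get update && \
    sudo apt-get install -y --no-install-recommends curl && \
    sudo rm -rf /var/lib/apt/lists/*

# Lock-down step: drop sudo once all privileged build steps are done.
# After this line neither later build steps nor the container's run-time code
# can escalate to root inside the container via sudo.
RUN sudo apt-get remove -y sudo

# Still running as the non-root user inherited from the base image.
# Do not add "USER root" below this point; that would undo the lock-down.
# (The "USER root" option from the list above belongs at the very top of the
# file and only for images that genuinely need it.)
CMD ["/bin/bash"]
```

To confirm the result after `docker build`, run `docker run --rm <image> id -u`: it should print a non-zero UID, and a subsequent `docker run --rm <image> sudo true` should fail because sudo is no longer installed. If some run-time code still calls sudo, move the privileged work into a build step above the removal line instead of restoring sudo.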
After that, combined with the other Docker security practices (see the references below), re-build your local images and re-deploy them as production-quality containers. There are many other practices for securing your Docker containers; see:
- Docker security | Docker Documentation
- 5 tips for securing your Docker containers - TechRepublic
- Docker Security - 6 Ways to Secure Your Docker Containers
- Five Docker Security Best Practices - The New Stack
- This is the main release to support "Non-Root" Docker container implementations.
- Any child Dockerfile based on this one might have to add "sudo " or "sudo -H " as a prefix in its RUN commands (sorry for the inconvenience, but it is for the greater good: better Docker security for serious deployments, and easier deployment to OpenShift, Kubernetes, or SELinux-based host operating systems, e.g., Red Hat).
- Please let us know if you encounter any new bug caused by this "Non-root" implementation. If that happens, please use v1.0.6 or an earlier version of the Docker images if you can't wait for a fix.
Thanks.
- OpenKbs team.