Running a Docker container as a non-root account.
Docker is a revolutionary technology in the world of DevOps. Today Docker makes application deployments easy and fast. But did you know that when you start a Docker container and log into it, you are logged in as root by default? So today we are going to see how we end up logged in as root and how we can control this.
Sometimes your container needs extra permissions, so you do not restrict it from running as root. But that is not always the use case. Sometimes you just want to run your container and bring up some services, that's it.
Let's do it step by step. I am assuming that you already have Docker installed. Just start by downloading the Alpine Linux image. I use it mostly in tutorials because it is small in size.
Run the below command:
The above command will download the Alpine image to our system. One thing I want to mention here is that Docker pulls images from Docker Hub by default. Docker Hub is a repository of images.
Now, let's run the image using the below command:
docker run -it --name mycontainer alpine
This will log you into the Alpine shell.
docker run -it --name mycontainer alpine
/ #
Now check that you are root. Although the '#' prompt character itself already says that you are root.
docker run -it --name mycontainer alpine
/ # whoami
root
/ # ls
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
/ #
See, you are root. But you may wonder what is bad about that. I'll explain as we go on. Let's run another container from the same image and give it the name mycontainer2.
docker run -it --name mycontainer2 alpine
/ # whoami
root
/ # ls
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
/ #
Let's check how many containers are running:
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ab9d6a6f8dd1 alpine "/bin/sh" 31 seconds ago Up 30 seconds mycontainer2
78ccfe7b5275 alpine "/bin/sh" 4 minutes ago Up 4 minutes mycontainer
So we have mycontainer and mycontainer2 both running. Now I'll check the networks with the below command.
docker network ls
NETWORK ID NAME DRIVER SCOPE
e152bd78da bridge bridge local
7e9c316ea4 host host local
9eb8c364ec none null local
By default Docker uses a bridge network. When you create a container, Docker assigns an IP address to it.
Now I am going to check the IP addresses of the containers with the inspect command.
docker inspect mycontainer | egrep "IPAddress"
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.3",
"IPAddress": "172.17.0.3",
Similarly for mycontainer2:
docker inspect mycontainer2 | egrep "IPAddress"
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.4",
"IPAddress": "172.17.0.4",
So I have the IP addresses of both containers. Now let's check whether I am able to ping from one container to the other.
I tried to ping from mycontainer2 to mycontainer and the result is below.
/ # ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.306 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.323 ms
64 bytes from 172.17.0.3: seq=2 ttl=64 time=0.349 ms
64 bytes from 172.17.0.3: seq=3 ttl=64 time=0.321 ms
64 bytes from 172.17.0.3: seq=4 ttl=64 time=0.388 ms
OK, Docker creates a network and both containers are on the same network, so they are able to ping each other.
Let's ping my host machine's IP address from mycontainer2.
# ping 192.168.X.X
PING 192.168.X.X (192.168.X.X): 56 data bytes
64 bytes from 192.168.X.X: seq=0 ttl=37 time=1.762 ms
64 bytes from 192.168.X.X: seq=1 ttl=37 time=1.640 ms
64 bytes from 192.168.X.X: seq=2 ttl=37 time=1.541 ms
Oh, the container was able to ping the host as well. Suppose an attacker gets access to your container, which is running with root privileges. He can find a way to get inside the host system.
So we'll just limit the container to run as non-root.
Let's create a user in mycontainer2 using the adduser username command.
/ # adduser pd
Changing password for pd
New password:
Bad password: too short
Retype password:
passwd: password for pd changed by root
/ # su pd
$ whoami
pd
/ $
The user has been added. Now type exit and mycontainer2 will stop automatically. Just run the below command to restart mycontainer2.
docker start mycontainer2
mycontainer2
Now open a shell in mycontainer2 as the non-root user:
docker exec -it --user pd mycontainer2 /bin/sh
/ $
/ $ whoami
pd
/ $
Wow! We have just got a shell in the container as a non-root user. Let's perform our final step and check whether we are still able to perform the same tasks, like pinging the other container or the host machine.
/ $ ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3): 56 data bytes
ping: permission denied (are you root?)
/ $
Oh, I got a permission error: the non-root user is not allowed to open the raw socket that ping needs, so the command is refused.
Success!
That's how we learned to manage Docker security.
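The steps above (adduser, then docker exec --user pd) only apply to one running container. As an added example that is not part of the original post, here is a Dockerfile that bakes the non-root user into the image so every container started from it runs as pd by default; the user name, UID/GID of 1000 and the /app directory are my assumptions.

```dockerfile
# Added example (not from the original post): make the non-root user part of the
# image instead of creating it by hand inside a running container.
FROM alpine

# -D creates the user without asking for a password (the post used interactive adduser).
# A fixed UID/GID (assumed 1000) keeps file ownership predictable on bind mounts.
RUN addgroup -g 1000 pd && adduser -D -u 1000 -G pd pd

# Give the user one writable directory; the rest of the filesystem stays root-owned.
WORKDIR /app
RUN chown pd:pd /app

# Every later instruction and the container's main process now run as pd.
USER pd

CMD ["/bin/sh"]
```

Build it with docker build -t alpine-nonroot . and then docker run -it --rm alpine-nonroot whoami prints pd, with no --user flag needed. Note that docker run --user root still overrides the Dockerfile USER, so this is a default, not an enforced limit.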
Note: If you think this helped you and you want to learn more about DevOps, then I would recommend joining the Kodecloud DevOps course and going for the complete certification path by clicking this link