Docker image runs as root

[franklindyer]

This is a bad practice! Need to figure out how to allow non-root user inside of the Docker image to still be able to access the contents of volumes.

[altheaden]

Since the volumes are user-generated (and thus not on the repo) why is it that we need the user to run docker not as root?

[franklindyer]

So when I say "not as root", I mean that the user in the docker image should not be the root user. Regardless, we will have to run docker using sudo - but inside of the docker image, there can also be multiple users, and it would be best to use a non-root user inside of the image when possible.

The reason for this is that a docker image is not quite so isolated from the OS's kernel as a virtual machine. In particular, it basically shares the kernel with the OS. This means that having "root privileges" inside of the docker image also allows you to exercise "root privileges" outside of the docker image. This means that if (somehow) our app were so insecure that it were possible for someone to execute arbitrary commands, they would not only be able to do whatever they wanted inside of the docker image, but also on the server as a whole. (Which would obviously be bad...)

Mostly I just want to adhere to the "principle of least privilege".

[altheaden]

That makes sense. Thank you!