(Optional) Running Docker images as a non-root user
Docker images run with root privileges by default. We can change this default setting to ensure that root access is denied to the image and its contents.
Before beginning
Ensure that none of our customizations assume root access. For example, non-root users do not have permission to create directories under the system's root directory. By default, the sample docker-compose.xml file uses /search as the index root directory. In this case, use a directory such as /opt/search.
Task info
There are two ways to change the privilege level of Docker processes. The Docker daemon itself always runs as root, but we can run the Docker client as a user in the docker user group. For WebSphere Commerce images, the preferred approach is to set the user level in your existing Dockerfiles. We can do this with the -u or -user option of the docker run subcommand, or using the USER command.
Procedure
- Create a custom Dockerfile for the image we want to run in non-privileged mode.
- Provide access to the necessary system directories and files for the user that will be running the image. For example,
RUN useradd -u 1000 -r -g root -m -d /wcsuser -s /sbin/nologin -c "App user" wcsuser && \ chmod 755 /wcsuser && \ chown -R wcsuser:root /SETUP && \ chown -R wcsuser:root /opt && \ chown -R wcsuser:root /etc && \ chown -R wcsuser:root /profile && \ chmod -R 755 /SETUP && \ chown -R wcsuser:root /var/lib
- Run the USER command, to tell the Docker process which user will be running the image. For example,
USER wcsuser
- Build the new Docker container.
Previous topic: Prepare a Docker host server to launch Utility server Docker container
Next topic: Set the spiuser password in our Docker images