6.1. Docker as Root
This demo builds a standard Docker image from the demo application using nothing more than a plain Dockerfile. For details on the demo application see hello spring boot application.
Java Base Images
Standard Dockerfile
Runs with Root by default
When a container image is built with the defaults (no USER instruction in the Dockerfile and a base image that does not set one), every process in the container runs as root (uid 0).
You can prove this by using these commands:
This should return the following user information (it really is root):
You should also be able to reach the dockerized application via localhost:8080.
Finally stop the running container by using the following command:
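The build/run/prove/stop sequence above as one script, added here as an example; it is not the workshop's own Dockerfile or commands. The jar path target/hello-spring-boot.jar, the base image eclipse-temurin:17-jre, the tag hello-spring-boot:root and the container name hello-root are assumptions. Besides the runtime `id` check the script adds a static check (`dockerfile_user`) that tells you, before building, which user a Dockerfile will end up with.

```shell
#!/usr/bin/env bash
# Added example, not the workshop's own Dockerfile or commands.
# Assumptions: the Spring Boot jar is at target/hello-spring-boot.jar,
# the base image is eclipse-temurin:17-jre, docker and curl are installed.
set -eu

IMAGE="hello-spring-boot:root"
CONTAINER="hello-root"

# A plain Dockerfile with no USER instruction: the JVM inherits the image
# default user, which for this base image is uid 0.
write_dockerfile() {
  cat > "$1" <<'EOF'
FROM eclipse-temurin:17-jre
WORKDIR /app
COPY target/hello-spring-boot.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
EOF
}

# Static check: the user selected by the last USER instruction, or "root"
# when there is none (or it names root / uid 0). Handles "USER name:group".
dockerfile_user() {
  local user
  user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
  user=${user%%:*}
  if [ -z "$user" ] || [ "$user" = "0" ]; then
    user=root
  fi
  printf '%s\n' "$user"
}

# Runtime check: does a line of `id` output describe a root process?
id_is_root() {
  case "$1" in
    uid=0\(*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Build, run, prove the process is root, reach the app, stop the container.
demo() {
  local id_line
  write_dockerfile Dockerfile
  echo "Dockerfile would run as: $(dockerfile_user Dockerfile)"
  docker build -t "$IMAGE" .
  docker run -d --rm --name "$CONTAINER" -p 8080:8080 "$IMAGE"
  # Wait for Spring Boot to come up, then check the app on localhost:8080.
  for _ in $(seq 1 30); do
    curl -fsS http://localhost:8080/ >/dev/null 2>&1 && break
    sleep 1
  done
  id_line=$(docker exec "$CONTAINER" id)
  echo "$id_line"                      # e.g. uid=0(root) gid=0(root) groups=0(root)
  id_is_root "$id_line" && echo "container process runs as root"
  docker stop "$CONTAINER"             # --rm removes the container on stop
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `bash docker-root.sh run` from the project directory. The static check is the one to wire into CI: a Dockerfile whose last USER line is missing, `root` or `0` should fail review before anyone builds it.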
Linux capabilities
Docker runs containers with a default capability set chosen as a balance between security and usability. You can print the default capabilities with this command:
If you run the container in privileged mode instead (which you should almost never do), the process gets root with the full set of Linux capabilities and access to the host's devices:
In privileged mode you can, for example, list and change the host's partition tables:
Usually you do not even need Docker's default capabilities. A common case is a container that listens on a privileged TCP port (below 1024), e.g. an HTTP server on port 80. For that you only need CAP_NET_BIND_SERVICE, so drop everything else and add just that one back:
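The three capability sets described above (Docker default, --privileged, and CAP_NET_BIND_SERVICE only), added here as an example rather than the workshop's own commands. Inside a container the kernel reports effective capabilities as the hex `CapEff` mask in /proc/<pid>/status; `decode_caps` turns that mask into names the way `capsh --decode` does, with the bit order taken from linux/capability.h. The use of the alpine image for the probes is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not the workshop's own commands. Decodes the CapEff mask
# from /proc/<pid>/status (what `capsh --decode` does) and shows the default,
# privileged and minimal capability sets. Assumes docker and the alpine
# image are available; CAP_NAMES follows linux/capability.h bit order.
set -eu

# bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps <hex mask>: print the set bits as a comma-separated cap_* list.
decode_caps() {
  local mask i name out
  mask=$((0x$1)); i=0; out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      out="${out:+$out,}cap_$name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# count_caps <hex mask>: number of capabilities set in the mask.
count_caps() {
  local list
  list=$(decode_caps "$1")
  if [ -z "$list" ]; then
    echo 0
  else
    printf '%s\n' "$list" | tr ',' '\n' | wc -l | tr -d ' '
  fi
}

# container_capeff [docker run options...]: CapEff of PID 1 in a fresh
# alpine container started with the given options.
container_capeff() {
  docker run --rm "$@" alpine grep CapEff /proc/self/status | awk '{print $2}'
}

demo() {
  echo "default:    $(decode_caps "$(container_capeff)")"
  echo "privileged: $(decode_caps "$(container_capeff --privileged)")"
  # Drop everything, then add back only what binding a port < 1024 needs.
  echo "minimal:    $(decode_caps "$(container_capeff --cap-drop ALL --cap-add NET_BIND_SERVICE)")"
  # --privileged also exposes the host's block devices: fdisk can list (and
  # would let you rewrite) the host's partition tables from inside the container.
  docker run --rm --privileged alpine fdisk -l
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `bash caps.sh run`. On a stock Docker engine the default mask is 00000000a80425fb, which decodes to the 14 well-known default capabilities; the minimal run decodes to cap_net_bind_service alone. The decoder is also handy on a live incident: `grep CapEff /proc/<pid>/status` on the host and decode it to see what a suspicious process can actually do.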
Check image for Vulnerabilities
Now we can scan the image for vulnerabilities of critical severity with this command:
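A scan gate for the step above, added here as an example and not the workshop's own command. It uses trivy (an assumption; the page does not name the scanner) with `--severity`, `--exit-code 1` and `--ignore-unfixed`, so the command fails the build only for findings at or above the chosen level that the distribution already has a fix for. The image name hello-spring-boot:root is assumed too.

```shell
#!/usr/bin/env bash
# Added example, not the workshop's own command. Fails the build on scanner
# findings at or above a severity threshold. Assumes trivy is installed;
# the default image name hello-spring-boot:root is an assumption as well.
set -eu

# Trivy's severity levels, lowest first.
SEVERITY_ORDER="UNKNOWN LOW MEDIUM HIGH CRITICAL"

# severities_from <threshold>: the comma-separated list trivy's --severity
# expects for "this level and above", e.g. HIGH -> HIGH,CRITICAL.
severities_from() {
  local out="" seen=0 s
  for s in $SEVERITY_ORDER; do
    if [ "$s" = "$1" ]; then seen=1; fi
    if [ "$seen" -eq 1 ]; then out="${out:+$out,}$s"; fi
  done
  if [ -z "$out" ]; then
    echo "unknown severity: $1" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# scan_gate <image> <threshold>: exit 0 if clean, 1 if trivy finds something
# at or above the threshold (--exit-code 1). --ignore-unfixed skips findings
# the distro has no patch for yet, so the gate stays actionable.
scan_gate() {
  trivy image --severity "$(severities_from "$2")" --exit-code 1 --ignore-unfixed "$1"
}

if [ "${1:-}" = "run" ]; then
  scan_gate "${2:-hello-spring-boot:root}" "${3:-CRITICAL}"
fi
```

Run it as `bash scan-gate.sh run hello-spring-boot:root CRITICAL`; once the CRITICAL findings are gone, tighten the threshold to HIGH rather than leaving the gate where it passes.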