Rootless Container
This demo builds an improved Docker image for the demo application using only a standard Dockerfile. For details on the demo application, see the hello spring boot application.
This time we configure a non-root user in the Dockerfile, so that the resulting container image runs without the root user.
For the group id (gid) and user id (uid), choose values above '1000' to avoid colliding with any system user. If you want to be really on the safe side, also leave out all local users (reserved numbers up to 10000) by choosing a number above '10000' (the range reserved for remote users).
You can verify that the container no longer runs as root by using these commands:
This should return the following user information (it should not be root anymore):
To prevent any privilege escalation, it is also best practice to restrict this further with the additional option --security-opt=no-new-privileges for docker run:
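The following Dockerfile is an added example (my own, not the demo project's Dockerfile) that puts the uid/gid advice above and the no-new-privileges run option together; the base image, the jar path and the image/container names are assumptions standing in for whatever the demo application actually uses.

```dockerfile
# Added example, not the demo project's own Dockerfile. Assumptions: the Spring Boot
# jar has already been built as target/app.jar (placeholder name) and listens on 8080;
# eclipse-temurin:17-jre stands in for the JRE base image you actually use.
FROM eclipse-temurin:17-jre

# Create a dedicated group and user with fixed ids above 10000, i.e. outside the
# ranges reserved for system users (below 1000) and local users (below 10000).
# A nologin shell and no home directory keep the account unusable for interactive login.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid 10001 --no-create-home --shell /usr/sbin/nologin app

WORKDIR /app
# The jar stays owned by root (the default for COPY) and is only readable by the app
# user, so the running process cannot modify its own binary.
COPY target/app.jar /app/app.jar

# Switch to the unprivileged user for all following instructions and for the
# container's runtime process. The numeric form avoids depending on /etc/passwd
# inside the image at runtime.
USER 10001:10001

EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/app.jar"]

# Build, run with privilege escalation disabled, verify the effective user, and
# stop again (image and container names are placeholders):
#   docker build -t demo-rootless .
#   docker run -d --name demo --security-opt=no-new-privileges -p 8080:8080 demo-rootless
#   docker exec demo id    # expected: uid=10001(app) gid=10001(app) groups=10001(app)
#   docker stop demo
```

With --security-opt=no-new-privileges set, setuid binaries inside the container cannot raise the effective uid above 10001 even if one were present in the image.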
You should still be able to reach the dockerized application via localhost:8080.
Finally, stop the running container by using the following command:
Check Image for Vulnerabilities
Now we can check our image for vulnerabilities of high and critical severity using this command: