
I want to run the postgres container as a non-root user. By default, the image has the user postgres (uid 999).

When the container is accessed by the command docker exec -it mycontainer /bin/bash, the user is root.

To try to make the container more secure, I created a new image using the Dockerfile. In it I defined USER postgres.

Is that enough? Is it interesting to change the permissions of /usr/local/bin/docker-entrypoint.sh for user postgres?

Simple docker-compose.yml:

version: "2.4"
services:
  db:
    container_name: mycontainer
    hostname: mycontainer
    restart: always
    volumes:
      - postgres_data:/var/lib/postgresql/data/
    networks:
      - default
    environment:
      - POSTGRES_PASSWORD=postgres
      - POSTGRES_DB=postgres
      - POSTGRES_USER=postgres
    build: .
    image: mycontainer:1.0

volumes:
  postgres_data:

networks:
  default:

Simple Dockerfile:

FROM postgres:14.1-bullseye

# Assessing whether this step is needed.
#RUN chown postgres:postgres /usr/local/bin/docker-entrypoint.sh

# Start the entrypoint (and therefore postgres itself) as the image's postgres user (uid 999)
USER postgres

Link used:

https://github.com/docker-library/repo-info/blob/master/repos/postgres/remote/12-bullseye.md

campos
    The [Docker Hub `postgres` image page](https://hub.docker.com/_/postgres) has a section entitled "Arbitrary `--user` notes"; does the setup there work for you? I would not worry about what user `docker exec` gives you since anyone who can run that command can `docker exec -u root`, and for that matter can `docker run` a container to root the entire host. – David Maze Dec 24 '21 at 17:21
  • Since version 0.9.0 you can allow any user to manage docker without sudo access, by adding it to the `docker` group. For example: `sudo usermod -a -G docker my_user`. Now, this is OK for non-prod, but it is not recommended for production installations. – The Impaler Dec 25 '21 at 04:00
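A runtime check for the setup in the question, added here as an example (it is not code from the question, the comments, or the official postgres image). It builds a throwaway image that adds nothing but USER postgres on top of postgres:14.1-bullseye and then asks docker directly which uid the main process, a plain `docker exec`, and `docker exec -u root` get, and who owns the entrypoint script the commented-out chown targets. It assumes a working docker CLI and daemon, network access to pull the base image, and the throwaway tag pg-nonroot-check:local.

```shell
#!/bin/sh
# Verification script for "USER postgres" on top of the official postgres image.
# Added example: not from the question or from docker-library/postgres.
# Assumes a working docker CLI/daemon; the tag in TEST_IMAGE is a made-up throwaway name.
set -eu

BASE_IMAGE="postgres:14.1-bullseye"    # base image used in the question's Dockerfile
TEST_IMAGE="pg-nonroot-check:local"    # assumed throwaway tag for the hardened image

# Build the hardened image: the only difference from the base image is USER postgres.
build_test_image() {
    ctx="$(mktemp -d)"
    cat >"$ctx/Dockerfile" <<EOF
FROM ${BASE_IMAGE}
USER postgres
EOF
    docker build -q -t "$TEST_IMAGE" "$ctx" >/dev/null
    rm -rf "$ctx"
}

# uid the container's main process starts with for the given image
# (the entrypoint is swapped for `id` so nothing else runs).
main_process_uid() {
    docker run --rm --entrypoint id "$1" -u
}

# Owner and octal mode of the official entrypoint inside the image.
entrypoint_owner_mode() {
    docker run --rm --entrypoint stat "$1" -c '%U %a' /usr/local/bin/docker-entrypoint.sh
}

# uid seen by `docker exec` into a running container built from $1.
# $2 (optional) is passed to `docker exec -u` to override the image's USER.
exec_uid() {
    cid="$(docker run -d --rm --entrypoint sleep "$1" 120)"
    if [ -n "${2:-}" ]; then
        uid="$(docker exec -u "$2" "$cid" id -u)"
    else
        uid="$(docker exec "$cid" id -u)"
    fi
    docker rm -f "$cid" >/dev/null
    printf '%s\n' "$uid"
}

run_checks() {
    build_test_image
    # Stock image: starts as root (its entrypoint later drops to postgres via gosu).
    echo "base image, main process uid   : $(main_process_uid "$BASE_IMAGE")"      # 0
    # With USER postgres the very first process is already uid 999.
    echo "USER postgres, main process uid: $(main_process_uid "$TEST_IMAGE")"      # 999
    # docker exec inherits the image's USER unless -u is given.
    echo "USER postgres, docker exec uid : $(exec_uid "$TEST_IMAGE")"              # 999
    # Anyone who can run docker exec can still ask for root explicitly.
    echo "docker exec -u root uid        : $(exec_uid "$TEST_IMAGE" root)"         # 0
    # The entrypoint is root-owned and world-executable, so postgres can run it as-is.
    echo "entrypoint owner and mode      : $(entrypoint_owner_mode "$TEST_IMAGE")" # root 755
}

# Usage: ./check.sh run
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

The first line reports 0 only because the stock image has no USER instruction; its entrypoint does the root-only work (fixing ownership of the data directory) and then drops to postgres with gosu. Once USER postgres is set, the entrypoint never runs as root, so both the main process and a plain `docker exec` report 999, while `docker exec -u root` still hands out uid 0, which is the point made in the first comment above. The last line shows the entrypoint is already executable by everyone, so the chown in the Dockerfile is not needed for it to run.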

0 Answers