SoFunction
Updated on 2025-03-10

Starting a service in a Docker image as an ordinary (non-root) user

Starting services in Docker containers as an ordinary (non-root) user effectively reduces potential security risks. When a container runs as root, the applications inside it may be able to gain control over the host operating system, so if one of those applications is attacked, the attacker may gain full control over the host. Running containers as an ordinary user limits the application's access to the host operating system, thereby reducing security risks.

In addition, running containers as normal users can also improve the portability and reusability of containers. If the container is running as root, you may encounter permission issues in different environments. Running containers as ordinary users can avoid these problems, making containers easier to deploy and run in different environments.

Steps to Start a Service with a Normal User

Here are the steps to start a service in a Docker image using a normal user:

(1) Create a normal user in the Dockerfile and switch to that user:

FROM ubuntu:latest
RUN groupadd -r myuser && useradd -r -g myuser myuser
USER myuser

In this Dockerfile, we first create a user group called myuser, and then create a normal user named myuser, and add it to the myuser user group. Finally, we use the USER command to switch the default user of the container to myuser.

(2) Start the service in the container:

CMD ["python", ""]

In this example, we use the CMD command to define the command to run when the container starts. Here, we assume that the service in the container is written in Python and will be used as a startup command.

(3) Build and run containers:

$ docker build -t myimage .
$ docker run -d myimage

In this example, we first build the Docker image using the docker build command, and then run the container in the background using the docker run command. In this way, the container will run the service as a normal user.
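A static check for the three steps above, as an added example that is not part of the original article: it reads a Dockerfile and reports which USER is in force at the end of the final build stage, since a later `USER root` or a new `FROM` silently undoes the switch. The function names and the multi-stage sample are assumptions made for illustration; build arguments and variables in `USER` are not resolved.

```python
# Added example: which USER does a Dockerfile's final stage end on?
ROOT_NAMES = {"root", "0"}

def logical_lines(text):
    """Yield instructions with comment lines dropped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def effective_user(text):
    """Return the last USER value set in the final stage, or None if it sets none."""
    user = None
    for instr in logical_lines(text):
        parts = instr.split(None, 1)
        keyword = parts[0].upper()
        if keyword == "FROM":
            user = None  # every stage starts over with its base image's user
        elif keyword == "USER" and len(parts) > 1:
            user = parts[1].strip()
    return user

def check(text):
    """Classify a Dockerfile as 'non-root', 'root' or 'inherited'."""
    user = effective_user(text)
    if user is None:
        return "inherited"  # the base image decides; root unless the base sets USER
    name = user.split(":", 1)[0]  # USER accepts user[:group] or uid[:gid]
    return "root" if name in ROOT_NAMES else "non-root"

# The article's Dockerfile from step (1), without the CMD line.
PAGE_DOCKERFILE = """FROM ubuntu:latest
RUN groupadd -r myuser && useradd -r -g myuser myuser
USER myuser
"""
# Constructed sample: USER is set in the build stage only, so the final stage loses it.
MULTI_STAGE = """FROM ubuntu:latest AS build
USER myuser
FROM ubuntu:latest
RUN apt-get update && \\
    apt-get install -y python3
"""
if __name__ == "__main__":
    for label, text in [("page", PAGE_DOCKERFILE), ("multi-stage", MULTI_STAGE)]:
        print(label, "->", check(text))
```

An "inherited" result is not a pass: it means the image runs as whatever user its base image ends on, which is root for most base images.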

Create a Dockerfile for your Java application

Now that you have Docker installed, let's use Gradle to build a simple Java application and create a Dockerfile. We will build and run the jar file in the container itself, which provides us with a more consistent environment. You can check out my sample project on GitHub and start working from that project if you prefer.

# NOTE: This is not a production ready Dockerfile. 
# Utilize this only for development purposes

# Use a container image that has both Gradle and the JDK
FROM gradle:5.0.0-jdk8-alpine

# Switch to the `gradle` user defined by our container image
USER gradle

# Copy over the project directory into the container
COPY --chown=gradle:gradle . /java-and-docker

# Set our working directory to our project directory that we set above
WORKDIR /java-and-docker

# Run the build
RUN gradle build

# Run the jar file
# Since we are using JDK8 we set some additional flags to be more container aware
CMD ["java", "-XX:+UnlockExperimentalVMOptions", "-XX:+UseCGroupMemoryLimitForHeap", "-jar", "build/libs/java-and-docker-1."]

Summary

By starting services in Docker images as ordinary users, we can effectively reduce potential security risks and improve container portability and reusability. Create a normal user in the Dockerfile and switch to that user using the USER command, and then use the CMD command to define the command to run when the container starts. Finally, start the service by building and running the container. These steps can help us run services in Docker in a safer and more reliable way.
