BlogLinux & scripting
Rootless Docker and why containers shouldn't run as root
Run the Docker daemon and your containers as a non-root user so a container escape lands unprivileged, plus the subuid, cgroups, and storage gotchas.
By default the Docker daemon runs as root, and so does PID 1 in most containers. An escape from a root container often means root on the host. Rootless mode runs the daemon and your containers as an unprivileged user, so the worst case is a normal user — not the box.
docker info -f "{{.SecurityOptions}}"[name=rootless name=seccomp,profile=builtin]daemon and containers run as your UID, not rootWhy it matters
Rootful
PID 1 is root
maps to host root
escape = host root
device access
Rootless
PID 1 is your UID
user namespaces
escape = normal user
no device access
Do not run as root inside either way
Rootless daemon or not, set a non-root user in the image. Defense in depth is cheap here.
Dockerfile
RUN adduser -D -u 10001 appUSER 10001# and in Kubernetes:# securityContext: { runAsNonRoot: true, runAsUser: 10001 }
Ports below 1024 need a nudge
A rootless daemon cannot bind privileged ports by default. Publish to a high port and front it with a reverse proxy, or set net.ipv4.ip_unprivileged_port_start.