✦ For everyone, free.

Practical knowledge for real and everyday life

Home

14.1.1.2 Production Non Root Runtime

A focused guide to Production Non Root Runtime, connecting core concepts with practical Docker and container operations.

Production non-root runtime ensures a container's application process runs as an unprivileged user rather than the default root, an essential production hardening step that significantly limits what an attacker could accomplish even if they managed to compromise the running application.

Configuring a Non-Root User for Production

A Dockerfile creates a dedicated, unprivileged user and switches to it before the application actually starts.

RUN addgroup -g 1001 appgroup && adduser -u 1001 -G appgroup -D appuser
USER appuser
CMD ["node", "server.js"]

This ensures the application process runs as appuser, with none of root's elevated privileges, rather than defaulting to the considerably riskier root user.

Why This Matters Even Within an Already-Isolated Container

While a container does provide isolation from the host, running as root within that container still means a successful compromise has root-level access within the container's own namespace, including the ability to modify files owned by root and access certain capabilities a non-root user wouldn't have.

docker run --rm myapp:1.0 whoami

appuser

Confirming the actual running user reflects this intended, more restricted configuration.

Verifying File Permissions Work Correctly for the Non-Root User

Switching to a non-root user can sometimes surface permission issues if files the application needs to read or write weren't given appropriate ownership.

RUN chown -R appuser:appgroup /app
USER appuser
Enforcing Non-Root Execution at the Orchestration Layer as Well

Beyond the image itself, an orchestrator can enforce this as a policy, rejecting any container attempting to run as root regardless of its image configuration.

securityContext:
  runAsNonRoot: true
Why Production Non-Root Runtime Matters

Running as a non-root user is one of the most fundamental, broadly applicable container hardening practices, and ensuring it's actually configured (and enforced) for a production deployment significantly reduces the potential impact of any application-level compromise.

Related content