Secure Docker using USER and Volume


Docker user has root privilege on host. The default user in container is root. In order to secure docker, we can create a user in docker container and run as non privilege user. The problem is that some services in docker need to write data to disk. E.g. druple has a files folder to store user uploaded files.


  1. Create a volume and assign uid and mode
    docker volume create --driver local --opt type=tmpfs --opt device=tmpfs --opt o=uid=2000,gid=2000,size=2g,mode=0750 dataVolume
  2. Create user in container has same uid
    FROM python:3.5
    RUN useradd -u 2000 energyUser
    USER energyUser
  3. Add docker volume into container by -v argument
    docker run -it -p 8080:8000 --name containerName --restart always -v dataVolume:/writeableFolder -d  imageName

Backup data volume

Using –volumes-from flog to create a new container that mounts the value

docker run --rm --volumes-from containerName -v $(pwd):/backup ubuntu tar cvf /backup/backup.tar /writeableFolder

Restart data to data volue

Un-tar backup file in the new container’s data volue

docker run --rm --volumes-from containerName -v $(pwd):/backup ubuntu bash -c "cd /writeableFolder && tar xvf /backup/backup.tar --strip 1"
Written on April 11, 2017