(Optional) Running Docker images as a non-root user

By default, containers started from Docker images run with root privileges. You can change this default setting to ensure that root access is denied to the image and its contents.

Before you begin

Ensure that none of your customizations assume root access. For example, non-root users do not have permission to create directories under the system's root directory. By default, the sample docker-compose.xml file uses /search as the index root directory. In this case, use a directory that the non-root user can write to instead, such as /opt/search.

About this task

There are two ways to change the privilege level of Docker processes. The Docker daemon itself always runs as root, but you can run the Docker client as a user in the docker user group. For HCL Commerce images, the preferred approach is to set the user in your existing Dockerfiles. You can set the user with the -u or --user option of the docker run subcommand, or by using the USER instruction in the Dockerfile.

Procedure

  1. Create a custom Dockerfile for the image you want to run in non-privileged mode.
  2. Provide access to the necessary system directories and files for the user that will be running the image. For example:
    # Create a non-login application user (UID 1000, primary group root) and
    # give it ownership of the directories that the image needs at run time.
    RUN useradd -u 1000 -r -g root -m -d /wcsuser -s /sbin/nologin -c "App user" wcsuser && \
        chmod 755 /wcsuser && \
        chown -R wcsuser:root /SETUP && \
        chown -R wcsuser:root /opt && \
        chown -R wcsuser:root /etc && \
        chown -R wcsuser:root /profile && \
        chmod -R 755 /SETUP && \
        chown -R wcsuser:root /var/lib
    
  3. Add the USER instruction to tell Docker which user will be running the image. For example:
    USER wcsuser
    
  4. Build the new Docker image. For more information, see https://docs.docker.com/engine/reference/builder/.
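
A pre-build check for the procedure above, as an added example that is not HCL's own tooling: it reads a Dockerfile and reports the user that the final image will run as, failing when that user is root. The function names, the sample Dockerfiles and the base image name example/base:latest are constructed for illustration, and the script assumes that the base image itself runs as root.

```shell
#!/bin/sh
# Added example (not HCL code): report which user a Dockerfile's final
# image runs as, and fail when that user is root.

effective_user() {
    # $1 = Dockerfile path. Prints the user of the final build stage.
    # Assumption: a base image leaves the user as root, so every FROM
    # resets the answer to root until a later USER instruction changes it.
    awk '
        cont { if ($0 !~ /^[ \t]*#/) cont = ($0 ~ /\\[ \t]*$/); next }
        /^[ \t]*#/ { next }                  # comment line
        { cont = ($0 ~ /\\[ \t]*$/); instr = toupper($1) }
        instr == "FROM" { user = "root" }
        instr == "USER" { user = $2 }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

runs_as_nonroot() {
    # USER accepts user[:group] or uid[:gid]; only the user part matters.
    u=$(effective_user "$1")
    case "${u%%:*}" in
        root|0) return 1 ;;
        *)      return 0 ;;
    esac
}

# Constructed sample Dockerfiles; example/base:latest is a placeholder.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Dockerfile.nonroot" <<'EOF'
FROM example/base:latest
RUN useradd -u 1000 -r -g root -m -d /wcsuser -s /sbin/nologin wcsuser && \
    chown -R wcsuser:root /SETUP
USER wcsuser
EOF
cat > "$SAMPLE_DIR/Dockerfile.root" <<'EOF'
FROM example/base:latest
USER wcsuser
FROM example/base:latest
RUN echo "no USER in this final stage"
EOF

for f in "$SAMPLE_DIR"/Dockerfile.*; do
    if runs_as_nonroot "$f"; then verdict=OK; else verdict=FAIL; fi
    echo "$verdict $(basename "$f"): runs as $(effective_user "$f")"
done
```

After the build, `docker inspect --format '{{.Config.User}}' <image>` shows the user that was recorded in the image.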