Running Docker images as a non-root user

Docker images run with root privileges by default. You can change this default setting to ensure that full access is denied to the image and its contents.

Before you begin

Ensure that none of your customizations assume root access. For example, non-root users do not have permission to create directories under the system's root directory. By default, the sample docker-compose.yml file uses /search as the index root directory. In this case, use a directory such as /opt/search/.

About this task

There are two ways to change the privilege level of Docker processes. The Docker daemon itself always runs as root, but you can run the Docker client as a user in the docker user group. For HCL Commerce images, the preferred approach is to set the user level in your existing Dockerfiles. You can do this with the -u or -user option of the docker run sub-command, or by using the USER command.


  1. Create a custom Dockerfile for the image you want to run in non-privileged mode.
  2. Provide access to the necessary system directories and files for the user that will be running the image. For example,
    RUN useradd -u 1000 -r -g root -m -d /wcsuser -s /sbin/nologin -c "App user" wcsuser && \
        chmod 755 /wcsuser && \
        chown -R wcsuser:root /SETUP && \
        chown -R wcsuser:root /opt && \ 
        chown -R wcsuser:root /etc && \
        chown -R wcsuser:root /profile && \
        chmod -R 755 /SETUP && \ 
        chown -R wcsuser:root /var/lib
  3. Run the USER command, to tell the Docker process which user will be running the image. For example,
    USER wcsuser  
  4. Build the new Docker container. For more information, see


HCL Commerce Docker images are now run without root privileges. This better conforms with industry security best practices to minimize any potential access to higher-level system resources.