Running Docker images as a non-root user (prior to 9.1.14.0)

Prior to HCL Commerce 9.1.14.0, Docker images ran with root privileges by default. You can change this default setting to ensure that full access is denied to the image and its contents.

Before you begin

  • Consider upgrading to HCL Commerce 9.1.14.0 or greater to deploy HCL Commerce containers with a non-root user by default. Ensure that you review HCL Commerce container users and privileges for any restrictions or limitations that you must address before making this change to your site deployment.
  • Ensure that none of your customizations assume root access. For example, non-root users do not have permission to create directories under the system's root directory. By default, the sample docker-compose.yml file uses /search as the index root directory. In this case, use a directory such as /opt/search/.

About this task

There are two ways to change the privilege level of Docker processes. The Docker daemon itself always runs as root, but you can run the Docker client as a user in the docker user group. For HCL Commerce images, the preferred approach is to set the user that the image runs as. You can do this with the -u or --user option of the docker run sub-command, or by using the USER instruction in your existing Dockerfiles.

Procedure

  1. Create a custom Dockerfile for the image you want to run in non-privileged mode.
  2. Provide access to the necessary system directories and files for the user that will be running the image. For example:
    # Create the wcsuser account (UID 1000, no login shell) and give it ownership of the directories the image uses.
    RUN useradd -u 1000 -r -g root -m -d /wcsuser -s /sbin/nologin -c "App user" wcsuser && \
        chmod 755 /wcsuser && \
        chown -R wcsuser:root /SETUP && \
        chown -R wcsuser:root /opt && \
        chown -R wcsuser:root /etc && \
        chown -R wcsuser:root /profile && \
        chmod -R 755 /SETUP && \
        chown -R wcsuser:root /var/lib
    
  3. Add the USER instruction to the Dockerfile to tell the Docker process which user will be running the image. For example:
    USER wcsuser
    
  4. Build the new Docker image from your custom Dockerfile. For more information, see https://docs.docker.com/engine/reference/builder/.
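
A check for the finished Dockerfile, added here as an example and not part of HCL's documentation or tooling: it reports the user left in effect by the last USER instruction of the final build stage and fails if that is root or UID 0. The function names and the FROM image name are assumptions made for the example, and a stage with no USER is assumed to inherit root from the base image.

```shell
#!/bin/sh
# Added example (not HCL's code): find the user a Dockerfile leaves in effect.
# Assumption: the base image runs as root, as this page states for images
# before 9.1.14.0, so a final stage without USER counts as root.

# Print the user in effect at the end of the final build stage.
effective_user() {
    awk '
        /^[ \t]*#/ { next }                 # comment lines never change state
        {
            was_cont = cont
            cont = ($0 ~ /\\[ \t]*$/)       # trailing backslash (plus stray spaces) continues
            if (was_cont) next              # still inside the previous instruction
            instr = toupper($1)             # instructions are case-insensitive
            if (instr == "FROM") user = ""  # each build stage starts as the base user
            if (instr == "USER") user = $2  # the last USER in a stage wins
        }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# Exit status 0 only when the final user is neither root nor UID 0.
check_nonroot() {
    user=$(effective_user "$1")
    case "${user%%:*}" in                   # drop an optional ":group" suffix
        root|0) echo "FAIL: $1 ends as $user"; return 1 ;;
        *)      echo "OK: $1 ends as $user" ;;
    esac
}

# Constructed sample shaped like the procedure; the FROM image name is a placeholder.
sample_dockerfile() {
    cat <<'EOF'
FROM example.registry/commerce/ts-app:TAG
RUN useradd -u 1000 -r -g root -m -d /wcsuser -s /sbin/nologin wcsuser && \
    chown -R wcsuser:root /SETUP /opt /profile
USER wcsuser
EOF
}

tmp=$(mktemp) && sample_dockerfile > "$tmp" && check_nonroot "$tmp"
rm -f "$tmp"
```

Variables in a USER instruction are not expanded by this check. On an image that is already built, docker inspect --format '{{.Config.User}}' followed by the image name prints the configured user.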

Results

HCL Commerce Docker images are now run without root privileges. This better conforms with industry security best practices to minimize any potential access to higher-level system resources.