Security when running static builds in docker scratch images?
I am currently evaluating different options to reduce image sizes. Apart from alpine, there's also the option to run static builds in scratch images with multi-stage docker builds, which most people call secure (and where I agree regarding the attack surface). But as there's no user management etc. involved, wouldn't it mean running the binary with the same permissions as the docker daemon executing it? Where's the point of security here?
1 Answer
You can also define a user for images built FROM scratch, by using the USER command in the Dockerfile or when you are starting the container (--user=). The safest option is a non-root user specified by the USER command in the Dockerfile - it will be the container's default. If the container needs a root user, then you can use user namespaces, so the real root won't be used in the container.

BTW: a typical problem for non-root users is binding low ports, but you can bind high ports or use --sysctl net.ipv4.ip_unprivileged_port_start=0 (kernel 4.11+).
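The following multi-stage Dockerfile is an added example, not code from the question or the answer above: it builds a static Go binary and runs it FROM scratch as an unprivileged user set with USER, on a high port, as the answer recommends. The Go program, the image tag golang:1.22-alpine, the account name "app" and UID 10001 are assumptions chosen for illustration; the heredoc RUN syntax needs BuildKit (the `# syntax` line).

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: compile a fully static binary (CGO disabled) so it needs no libc in the final image.
FROM golang:1.22-alpine AS build
WORKDIR /src

# Constructed sample program (assumption, not a real project): an HTTP server on a high port
# that reports the UID it runs as, so "docker run" lets you confirm it is not root.
RUN <<'EOF'
cat > main.go <<'GO'
package main

import (
	"fmt"
	"net/http"
	"os"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "running as uid=%d gid=%d\n", os.Getuid(), os.Getgid())
	})
	// 8080 is an unprivileged port, so no CAP_NET_BIND_SERVICE or sysctl tweak is needed.
	http.ListenAndServe(":8080", nil)
}
GO
EOF

ENV CGO_ENABLED=0
RUN go mod init example.com/app && go build -trimpath -ldflags="-s -w" -o /app .

# Create an unprivileged account in the builder (busybox adduser: -D no password, -H no home dir).
# scratch has no /etc/passwd, so this file is copied over to let USER resolve the name.
RUN adduser -D -H -u 10001 -s /sbin/nologin app

# Stage 2: the runtime image contains only the binary and the two account files.
FROM scratch
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group
COPY --from=build /app /app

# Default to the non-root account; processes in this image never start as uid 0
# unless the operator overrides it explicitly with --user at run time.
USER app
EXPOSE 8080
ENTRYPOINT ["/app"]
```

USER 10001:10001 would also work without copying /etc/passwd, since numeric IDs need no lookup; copying the file is what lets the name "app" resolve and lets tools such as docker inspect or ps show a name instead of a bare UID. If the service really had to bind a port below 1024, the answer's --sysctl net.ipv4.ip_unprivileged_port_start=0 at docker run time is the option that avoids giving the process root.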