Security when running static builds in docker scratch images?

I am currently evaluating different options to reduce image sizes. Apart from alpine, there's also the option to run static builds in scratch images with multi-stage docker builds, which most people call secure (and where I agree regarding the attack surface). But as there's no user management etc. involved, wouldn't it mean running the binary with the same permissions as the docker daemon executing it? Where's the point of security here?


1 Answer

You can still define a user for images built FROM scratch by using the USER command in the Dockerfile or when you start the container (--user=). The safest option is a non-root user specified by the USER command in the Dockerfile - it will be the default container option. If the container needs a root user, then you can use user namespaces, so the real root won't be used in the container.

BTW: a typical problem for non-root users is low port binding, but you can bind high ports or use --cap-add net_bind_service / --sysctl net.ipv4.ip_unprivileged_port_start=0 (kernel 4.11+).

1 month ago
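The multi-stage scratch build with a non-root USER that the answer describes, written out as an added example (not code from the answerer). It assumes a Go module whose main package lives in ./cmd/app and that listens on port 8080; the UID 10001 and the user name "app" are constructed values.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build a fully static binary.
# Assumption: a Go module with go.mod/go.sum and a main package in ./cmd/app.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 removes the libc dependency, so the binary needs nothing
# from the final image (no shell, no loader, no shared libraries).
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/app ./cmd/app

# scratch has no /etc/passwd or /etc/group, so USER must be numeric unless
# entries are supplied. Writing minimal ones here lets tools and the
# application resolve UID 10001 to the constructed user name "app".
RUN echo 'app:x:10001:10001:app:/:/sbin/nologin' > /out/passwd \
 && echo 'app:x:10001:' > /out/group

# Stage 2: empty base image, only the files the process actually needs.
FROM scratch
COPY --from=build /out/passwd /etc/passwd
COPY --from=build /out/group  /etc/group
# CA bundle only if the app makes outbound TLS connections; drop otherwise.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/app /app

# Numeric UID:GID works even without the passwd entry above; it becomes the
# container's default so the process never starts as root.
USER 10001:10001

# A port >= 1024 avoids needing CAP_NET_BIND_SERVICE or the
# net.ipv4.ip_unprivileged_port_start sysctl mentioned in the answer.
EXPOSE 8080
ENTRYPOINT ["/app"]
```

Running `docker run --rm -p 8080:8080 <image>` and checking `docker top <container>` shows the process owned by UID 10001 rather than root. Because the image has no shell or package manager, `docker exec` into it is not possible, which is the attack-surface reduction the question refers to.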