Protecting Containers in Model Deployments and Operations
As the popularity of Docker continues to grow, so does the risk of potential attacks. One of the key aspects of securing Docker applications is setting the user within containers as a non-root user. This approach balances usability and security, preventing privilege escalation risks and limiting attack surfaces.
Creating a Non-Root User and Group
To allow a non-root user to write to a specific directory within a Docker container, you should create a dedicated non-root user and group. This can be done within the Dockerfile or at runtime.
In the Dockerfile, you can create the non-root user and group, set the ownership and permissions of the target directory accordingly, and then switch to the non-root user so that the application process never runs as root.
Alternatively, if you cannot rebuild the image, you can adjust the directory ownership and permissions at runtime or with volume mounts.
Setting Directory Ownership and Permissions
Set the directory's owner, or its group, to the non-root user or to a group that user belongs to, and grant write permission to that owner or group. Restrict the mode as narrowly as the workload allows; never grant write permission to "others", which would expose the directory to every other process in the container and undermine the principle of least privilege. Grant only the minimum privileges the non-root user or group actually needs.
Best Practices for Container Security
Combine these Linux file permission practices with container security best practices:
- Use trusted, minimal base images.
- Keep the Docker runtime up to date.
- Use role-based access controls and secrets management for sensitive data.
By following these guidelines, you can maintain container security while allowing controlled write access.
Allowing Libraries to Write Files
For libraries that download files, the download directory can usually be changed through a configuration variable, so it can be pointed at a directory whose ownership has been assigned to the non-root user. Alternatively, the expected files can be created empty in advance and their ownership assigned to the non-root user so that the library can write to them.
Bind Mounts and File Permissions
The permissions of a bind-mounted directory are determined by the host directory, not by the container. When a trained model is saved to the host through a bind mount, a user and group with the same numeric IDs as the container user must therefore be created on the host and given ownership of the model directory; otherwise writes from the container are denied or the resulting files are owned by an unexpected host account.
Handling Permission Errors
Libraries used in a container may automatically create files and directories, which can lead to permission errors when switching to a non-root user. To address this, you can set the default user and group for the container to the non-root user before running the application.
Assigning a Non-Root User in Docker
In the next section, an example will be given on how to assign a non-root user in Docker.
Containerisation is the primary means of deploying many applications, with Docker a leading platform for it. Securing Docker applications is crucial, and running the workload inside the container as a non-root user is a fundamental part of doing so.
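The host-side setup described in the ownership, bind-mount and non-root-user sections above, as an added shell example that is not from the original article. The UID/GID 10001 and the image name my-model-image are constructed placeholders; the docker run command is only printed, not executed, so the script runs without Docker installed.

```shell
#!/bin/sh
# Added example, not from the original article: prepare a host directory for a
# bind-mounted model output path so that a non-root container user can write
# to it while "others" get no write access. Assumes the image created its user
# with the same numeric IDs (constructed placeholders: UID/GID 10001).
set -eu

APP_UID="${APP_UID:-10001}"
APP_GID="${APP_GID:-10001}"

# Octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Create DIR, hand it to APP_UID:APP_GID (chown needs root, so it is skipped
# when the script runs unprivileged) and set mode 770: owner and group may
# read/write/traverse, others get nothing.
prepare_model_dir() {
  dir="$1"
  mkdir -p "$dir"
  if [ "$(id -u)" -eq 0 ]; then
    chown "$APP_UID:$APP_GID" "$dir"
  fi
  chmod 770 "$dir"
}

# Succeed (exit 0) only if the "others" class has no write bit on DIR.
others_cannot_write() {
  m=$(mode_of "$1")
  other=$(( m % 10 ))          # last octal digit = permissions for others
  [ $(( other & 2 )) -eq 0 ]   # bit 2 is the write bit
}

# Print the docker run invocation for DIR: the container runs as the same
# numeric UID:GID and mounts DIR read-write, so files written by the
# model-saving code are owned by a host user that also exists in the container.
# Image name my-model-image is a constructed placeholder.
run_cmd() {
  printf 'docker run --rm --user %s:%s -v %s:/app/models:rw my-model-image\n' \
    "$APP_UID" "$APP_GID" "$1"
}

# Usage when run directly, e.g. ./prepare_models.sh /srv/models
if [ "${1:-}" != "" ]; then
  prepare_model_dir "$1"
  if others_cannot_write "$1"; then echo "ok: $1 mode $(mode_of "$1")"; fi
  run_cmd "$1"
fi
```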