Security issue: node is run as root

[mtparet]

In case of security flaw in the application run and in docker.
cf:
http://blog.zeltser.com/post/104976675349/security-risks-and-benefits-of-docker-application
http://thenewstack.io/docker-addresses-more-security-issues-and-outlines-plugin-approach/
http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security
https://blog.xenproject.org/2014/06/23/the-docker-exploit-and-the-security-of-containers/

[chorrell]

Thanks, we'll look at ways to address this in a future release.

[tianon]

If you come up with a good way to actually solve this nicely at the language stack level, please share so we can make sure all the stacks get updated. We've been trying to think through this problem for a while, and there's not really an easy "works for everyone" way to do this without knowing the specifics of the application being Dockerized (in our experience).

TL;DR this might be more of a docs problem (ie, update the documentation to show best practices for running your application as non-root)

[chorrell]

Sure :)

For now though, you are right, it really is a docs problem

[mtparet]

Thanks for answers.

[chorrell]

Closing this out, since it's more of a Docs/best practice issue at this point.

[mtparet]

since it's more of a Docs/best practice
I disagree it should be a default behavior.
It's a bad practice of running software as root although they do not need root rights.

[chorrell]

What about needing to bind to port 80 or other similar scenarios?

[mtparet]

As Docker can handle binding container port to host port, it should not be an issue ? (We should be able to bind the 8080 port on the container to the 80 port on the host)

[chorrell]

True, but I guess that means possibly breaking things for anyone using the current image, right?

[mtparet]

Yes this will be a breaking change...

[tianon]

Isn't the port to bind on specified in the application itself?