Recently I’ve deployed some Spring Boot services using Docker. Going through some blog posts about best practices, I’ve noticed that we usually run the application as the root user inside the container. This is a security issue when the Docker daemon itself runs as root: without user namespace remapping, uid 0 inside the container is uid 0 on the host, so any container escape (a kernel bug, a careless bind mount, an exposed Docker socket) hands the attacker host root. There is a rootless mode, but I haven’t encountered it yet in the wild.

To check if your Docker daemon is running as root you can use:

$ ps -p $(pidof dockerd) -o user=
root

Note that pidof prints nothing when the daemon is not running, and ps then complains about a missing PID. Rootless mode can also be recognized from the client side: docker info --format '{{.SecurityOptions}}' lists name=rootless in that case.

Running applications as a non-root user inside the container is easy:

# Debian / Ubuntu: system group and user, uid/gid pinned to 10000, no home directory
RUN addgroup --system --gid 10000 app && \
    adduser --system --uid 10000 --gid 10000 --no-create-home app
USER app

# Alpine: BusyBox addgroup/adduser, options go before the name
RUN addgroup -S -g 10000 app && \
    adduser -S -G app -u 10000 -H app
USER app

Both the user id and the group id are far away from the ranges normally used for regular users and groups, so they won’t collide with an account on the host. Additionally we don’t need a $HOME folder, so we skip creating one. Two things to keep in mind: everything that requires root (package installation, chown of directories the service writes to) has to come before the USER instruction, and USER app selects the user by name, which Docker resolves via /etc/passwd but Kubernetes’ runAsNonRoot check cannot verify (it refuses to start the container with "non-numeric user"). Writing USER 10000:10000 avoids both the lookup and that error.
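Putting the pieces together, here is a complete multi-stage Dockerfile for a Spring Boot service that ends up running as the unprivileged user. This is an added example, not a file from the original post; it assumes a Maven project with the Maven wrapper checked in, a Java 17 application packaged as a single executable jar under target/, and the eclipse-temurin base images (any other JDK/JRE images work the same way).

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build the executable jar (assumes a Maven project with ./mvnw present)
FROM eclipse-temurin:17-jdk AS build
WORKDIR /src
COPY . .
RUN ./mvnw -q -DskipTests package

# Stage 2: runtime image, Alpine variant
FROM eclipse-temurin:17-jre-alpine
# Create the unprivileged user while we are still root; uid/gid 10000, no home directory
RUN addgroup -S -g 10000 app && \
    adduser -S -G app -u 10000 -H app
WORKDIR /app
# Copy the artifact and hand it to the app user in the same layer (no separate RUN chown)
COPY --from=build --chown=app:app /src/target/*.jar /app/app.jar
# Everything that needs root is above this line; from here on the image runs as 10000:10000.
# The numeric form keeps Kubernetes' runAsNonRoot check happy.
USER 10000:10000
# Spring Boot's default port is above 1024, so no privileges are needed to bind it
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```

After building, you can confirm the effective identity without starting the application: docker run --rm --entrypoint id my-service prints uid=10000(app) gid=10000(app). For images you cannot rebuild, docker run --user 10000:10000 achieves the same drop of privileges at start time, but only if the application does not need to write to root-owned paths inside the image.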