
Running containers as non-root in Docker - Step-by-Step Execution

Process Flow - Running containers as non-root
1. Start Dockerfile
2. Set USER to non-root
3. Build Image
4. Run Container
5. Container runs as non-root
6. Verify user inside container
7. Exit
This flow shows how to set a non-root user in a Dockerfile, build the image, run the container, and verify the user inside.
Execution Sample
```dockerfile
FROM ubuntu:latest
RUN useradd -m appuser
USER appuser
CMD ["whoami"]
```
This Dockerfile creates a user 'appuser', switches to it, and runs 'whoami' to show the current user.
Process Table
| Step | Action | Command/Instruction | Result/Output |
|---|---|---|---|
| 1 | Start from base image | FROM ubuntu:latest | Base image ubuntu:latest pulled |
| 2 | Create new user | RUN useradd -m appuser | User 'appuser' created |
| 3 | Set user for container | USER appuser | Default user set to 'appuser' |
| 4 | Set default command | CMD ["whoami"] | Command to run 'whoami' set |
| 5 | Build image | docker build -t test-nonroot . | Image 'test-nonroot' built successfully |
| 6 | Run container | docker run --rm test-nonroot | Output: appuser |
| 7 | Verify user | Output of 'whoami' | appuser |
| 8 | Exit | Container stops after command | Container exited |
| 9 | End | No more steps | Execution complete |
💡 Container runs command as 'appuser' and exits, confirming non-root execution
Status Tracker
| Variable | Start | After Step 2 | After Step 3 | After Step 6 | Final |
|---|---|---|---|---|---|
| USER | root | root | appuser | appuser | appuser |
| Container State | Not built | Image built | Image built | Running as appuser | Exited |
Key Moments - 3 Insights
Why do we need to add a new user instead of just switching USER to a non-root name?
Because the user must exist inside the container. Step 2 creates 'appuser', so step 3 can switch to it. Without creation, USER would fail.
What happens if we don't set USER in the Dockerfile?
The container runs as root by default (see Step 1 and Step 6). Setting USER changes the default user for running commands.
Why does the container exit after running 'whoami'?
Because CMD runs a single command and then stops. The container lifecycle ends after the command completes (Step 8).
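The first two points above (USER must name a user that exists, and no USER means root) can be checked statically before building. The following is an added example, not code from the original page: `audit_dockerfile` is a hypothetical helper, the variant Dockerfiles are constructed, and it assumes base images default to root and users are created with useradd or adduser.

```python
import re

# The page's Dockerfile, plus constructed variants for comparison.
PAGE = 'FROM ubuntu:latest\nRUN useradd -m appuser\nUSER appuser\nCMD ["whoami"]\n'
NO_USER = 'FROM ubuntu:latest\nRUN useradd -m appuser\nCMD ["whoami"]\n'
NOT_CREATED = 'FROM ubuntu:latest\nUSER appuser\nCMD ["whoami"]\n'
BACK_TO_ROOT = PAGE + "USER 0:0\n"


def audit_dockerfile(text):
    """Return (effective_user, findings) for the final build stage."""
    user, created, findings = "root", set(), []
    # Join backslash line continuations so each instruction is one line.
    text = re.sub(r"\\[ \t]*\n", " ", text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            # New stage: assume the base image leaves the user as root.
            user, created, findings = "root", set(), []
        elif instr == "RUN":
            # Heuristic: the last word of a useradd/adduser call is the name.
            for m in re.finditer(r"\b(?:useradd|adduser)\b([^;&|]*)", arg):
                words = m.group(1).split()
                if words:
                    created.add(words[-1])
        elif instr == "USER":
            user = arg.strip()
            name = user.split(":")[0]
            # Numeric UIDs need no passwd entry; names must exist at run time.
            if not name.isdigit() and name != "root" and name not in created:
                findings.append(f"USER {name}: no useradd/adduser seen in this stage")
    if user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root")
    return user, findings


if __name__ == "__main__":
    for label, df in [("page", PAGE), ("no USER", NO_USER),
                      ("not created", NOT_CREATED), ("back to root", BACK_TO_ROOT)]:
        print(label, audit_dockerfile(df))
```

A "not created" finding is a prompt to check the base image, since some images ship with a non-root account already defined.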
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table. What user is the container running as at Step 6?
A. appuser
B. nobody
C. root
D. docker
💡 Hint
Check the 'Result/Output' column at Step 6 showing 'Output: appuser'
At which step is the new user 'appuser' created inside the image?
A. Step 1
B. Step 3
C. Step 2
D. Step 4
💡 Hint
Look at the 'Action' and 'Command/Instruction' columns; useradd runs at Step 2
If we remove the USER instruction, what will be the output at Step 6?
A. appuser
B. root
C. nobody
D. Error
💡 Hint
Without USER set, the container runs as root by default (see Step 1 and Step 6)
Concept Snapshot
Docker containers run as root by default.
To run as non-root, create a user inside the image with 'useradd'.
Use 'USER username' in Dockerfile to switch user.
Run container; commands execute as that user.
Verify with 'whoami' inside container.
This improves security by limiting privileges.
Full Transcript
This visual execution shows how to run Docker containers as non-root users. First, the Dockerfile starts from a base image. Then it creates a new user named 'appuser' using 'useradd'. Next, it sets the default user to 'appuser' with the USER instruction. The CMD runs 'whoami' to print the current user. When building and running the container, the output confirms the container runs as 'appuser' instead of root. The container exits after running the command. Key points include the need to create the user before switching, the default root user if USER is not set, and that containers stop after the CMD finishes. This method improves container security by avoiding running as root.