Run Docker containers as non-root internal users, and handle containers that do not support non-root internal users.
For additional security isolation, it is recommended to run Docker containers as non-root internal users. This follows the principle of least privilege.
Configure the engine to execute containers as non-root internal users.
Add the following key:
"docker.run.internal.asuser": true
For containers that do not support non-root internal users, add the following key:
"docker.run.internal.asuser.ignore": "A comma-separated list of container names. The engine treats each value as a prefix and matches any container name that starts with it."
For example:
"docker.run.internal.asuser.ignore": "demisto/python3:,demisto/python:"
With these values, the engine matches the following containers:
demisto/python:1.3-alpine
demisto/python:2.7.16.373
demisto/python3:3.7.3.928
demisto/python3:3.7.4.977
Use the ":" character at the end of a value to limit the match to the full image name, because the engine matches on prefixes. For example, the value "demisto/python:" does not match demisto/python-deb:2.7.16.373, whereas "demisto/python" (without the colon) would.
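The prefix rule above is easy to get wrong in the other direction: a value without the trailing ":" silently keeps unrelated images running as root. The following added example (not part of the product documentation or the engine's code) models the two keys in a constructed JSON snippet and evaluates, for each image name on this page plus the demisto/python-deb counter-example, whether the engine would run it as a non-root user. The helper names and the assumption that the configuration is a flat JSON object are the example's own.

```python
import json

# Constructed sample of the two engine keys described on this page.
# Assumption: the engine configuration is a flat JSON object.
SAMPLE_CONFIG = json.loads("""
{
  "docker.run.internal.asuser": true,
  "docker.run.internal.asuser.ignore": "demisto/python3:,demisto/python:"
}
""")


def parse_ignore_list(config):
    """Split the comma-separated ignore value into prefixes, dropping blanks."""
    raw = config.get("docker.run.internal.asuser.ignore", "")
    return [part.strip() for part in raw.split(",") if part.strip()]


def is_ignored(image, prefixes):
    """Prefix match, as the page describes: any listed value that starts the name."""
    return any(image.startswith(prefix) for prefix in prefixes)


def runs_as_non_root(image, config):
    """True when the engine would start this image as a non-root internal user.

    If the asuser key is off, nothing runs as non-root. If it is on, every
    image runs as non-root except those matched by the ignore prefixes.
    """
    if not config.get("docker.run.internal.asuser", False):
        return False
    return not is_ignored(image, parse_ignore_list(config))


def audit(images, config):
    """Return {image: runs_as_non_root} so a reviewer can spot root fallbacks."""
    return {image: runs_as_non_root(image, config) for image in images}


# Image names from the page, plus the counter-example that must NOT match.
PAGE_IMAGES = [
    "demisto/python:1.3-alpine",
    "demisto/python:2.7.16.373",
    "demisto/python3:3.7.3.928",
    "demisto/python3:3.7.4.977",
    "demisto/python-deb:2.7.16.373",
]

if __name__ == "__main__":
    for image, non_root in audit(PAGE_IMAGES, SAMPLE_CONFIG).items():
        print(f"{image:32} non-root={non_root}")

    # Same config but without the trailing colon: the -deb image now falls
    # into the ignore list too and runs as root, which is the pitfall to avoid.
    loose = dict(SAMPLE_CONFIG)
    loose["docker.run.internal.asuser.ignore"] = "demisto/python3,demisto/python"
    print("loose prefix, python-deb non-root =",
          runs_as_non_root("demisto/python-deb:2.7.16.373", loose))
```

Running the audit before and after editing the ignore list is a cheap way to confirm that only the intended images keep root, and that a missing ":" has not widened the exception.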
Save the changes.
Restart the demisto service on the engine computer:
sudo systemctl start d1
(Ubuntu/DEB) sudo service d1 restart