change executing user to avoid running as root #229

alex77g commented Jul 16, 2020

Processes in containers should not run as root

tianon (Member) commented Jul 16, 2020

In the default configuration, the images run as root only to ensure permissions are appropriately set on the $GHOST_CONTENT directory, and then we step down to the node user:

```bash
# allow the container to be started with `--user`
if [[ "$*" == node*current/index.js* ]] && [ "$(id -u)" = '0' ]; then
	find "$GHOST_CONTENT" \! -user node -exec chown node '{}' +
	exec gosu node "$BASH_SOURCE" "$@"
fi
```

If the image is run with --user, that is skipped.

See also:

```console
$ docker pull ghost
Using default tag: latest
latest: Pulling from library/ghost
Digest: sha256:127496ada782efb7c65eeec4493655fcc2866443c598319b7a75d3622ed40db2
Status: Image is up to date for ghost:latest
docker.io/library/ghost:latest
$ docker run -dit --name test ghost
ee10fe8bb234f6f10be0b024ee324b73ac7462a443f59e66e98d9f2dddfd1e9a
$ docker top test -fauxn
USER                PID                 %CPU                %MEM                VSZ                 RSS                 TTY                 STAT                START               TIME                COMMAND
1000                20425               14.8                0.1                 2002756             124328              pts/0               SNsl+               15:52               0:05                \_ node current/index.js
```

tianon closed this Sep 15, 2020

dm17 commented Nov 24, 2022

> In the default configuration, the images run as root only to ensure permissions are appropriately set on the $GHOST_CONTENT directory, and then we step down to the node user:
>
> ```bash
> # allow the container to be started with `--user`
> if [[ "$*" == node*current/index.js* ]] && [ "$(id -u)" = '0' ]; then
> 	find "$GHOST_CONTENT" \! -user node -exec chown node '{}' +
> 	exec gosu node "$BASH_SOURCE" "$@"
> fi
> ```
>
> If the image is run with --user, that is skipped.
>
> See also:
>
> ```console
> $ docker pull ghost
> Using default tag: latest
> latest: Pulling from library/ghost
> Digest: sha256:127496ada782efb7c65eeec4493655fcc2866443c598319b7a75d3622ed40db2
> Status: Image is up to date for ghost:latest
> docker.io/library/ghost:latest
> $ docker run -dit --name test ghost
> ee10fe8bb234f6f10be0b024ee324b73ac7462a443f59e66e98d9f2dddfd1e9a
> $ docker top test -fauxn
> USER                PID                 %CPU                %MEM                VSZ                 RSS                 TTY                 STAT                START               TIME                COMMAND
> 1000                20425               14.8                0.1                 2002756             124328              pts/0               SNsl+               15:52               0:05                \_ node current/index.js
> ```

"Images run as root" means the host is running docker as root when it starts containers based on the ghost image, right? You can confirm all of the processes in the official ghost images are running as non-root?
Thanks for clarifying

yosifkit (Member)

> "Images run as root" means the host is running docker as root when it starts containers based on the ghost image, right?

😕 If you are running regular dockerd, then that service runs as root.

Yes, the container is also started as the root user in the default configuration and after a chown, the shell script steps down to a non-root user (user 1000, seen in the docker top) and replaces itself (exec) with a node process.

> You can confirm all of the processes in the official ghost images are running as non-root?

After the initial setup, the only process still running is the non-root node process that is the web server for ghost.

You can also start the image with --user [whatever-user-id] to have the image never use the root user (#54), but then you'd be responsible for providing a /var/lib/ghost/content volume/mount with correct permissions for the chosen user.
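
One way to check the claim discussed above, that only the non-root node process remains after startup, is to scan `docker top` output for root-owned rows. This is an added example, not part of the thread or the image's own code; the function name `root_procs`, the sample rows and the `ENTRYPOINT` placeholder are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or the ghost image).
# root_procs reads `docker top <container> -fauxn` output on stdin and prints
# "PID COMMAND" for each process whose USER column is UID 0 or the name "root".
# Exit status: 0 = none found, 1 = at least one, 2 = header not recognised.
root_procs() {
  awk '
    NR == 1 {
      # Find the columns from the header rather than assuming fixed positions.
      for (i = 1; i <= NF; i++) {
        if ($i == "USER" || $i == "UID") ucol = i
        if ($i == "PID") pcol = i
        if ($i == "COMMAND" || $i == "CMD") ccol = i
      }
      if (!ucol || !pcol || !ccol) { bad = 1; exit }
      next
    }
    $ucol == "0" || $ucol == "root" {
      # Skip the "\_" tree marker that the ps "f" option puts before the command.
      start = ($ccol == "\\_") ? ccol + 1 : ccol
      cmd = $start
      for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
      print $pcol, cmd
      found = 1
    }
    END { if (bad || NR == 0) exit 2; exit (found ? 1 : 0) }
  '
}

# Constructed sample: the steady state shown in the thread (only UID 1000).
sample_steady='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1000 20425 14.8 0.1 2002756 124328 pts/0 SNsl+ 15:52 0:05 \_ node current/index.js'

# Constructed sample: a snapshot during the root-owned chown phase.
# ENTRYPOINT is a placeholder for the image entrypoint script path.
sample_startup='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
0 20425 0.5 0.0 3976 2900 pts/0 Ss+ 15:52 0:00 \_ bash ENTRYPOINT node current/index.js
0 20460 9.1 0.0 2400 700 pts/0 R+ 15:52 0:00 \_ find /var/lib/ghost/content ! -user node -exec chown node {} +'

# Demo on the constructed samples; against a live container use:
#   docker top test -fauxn | root_procs
printf '%s\n' "$sample_steady" | root_procs && echo "steady: no root-owned processes"
printf '%s\n' "$sample_startup" | root_procs || echo "startup: root-owned processes listed above"
```

A single snapshot only reflects that instant, so run the check once the initial chown has finished.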
