How To Run Docker Containers As Non-Root Users Securely
By default, Docker containers often run as the root user, which poses security risks—especially in production. Running containers as a non-root user helps reduce the attack surface. This guide shows how to run Docker containers as non-root users securely, with a practical Python example.
Why You Should Avoid Running as Root
Running containers as root means that if the container is compromised, an attacker may have root access inside the container—and potentially on the host, if a misconfiguration (such as a sensitive bind mount) or a kernel or runtime vulnerability allows an escape. Following the principle of least privilege is key.
Example: Python App that Writes a File
We’ll use a simple Python app that creates a file in the /app directory.
app.py
# Write a file into the working directory (/app in the image) to show
# that the process can still create files once it runs as a non-root user.
with open("log.txt", "w") as f:
    f.write("App is running as non-root!\n")
Default (Root) Behavior
Here’s a typical Dockerfile that runs the app:
FROM python:3.11-slim
WORKDIR /app
COPY app.py .
CMD ["python", "app.py"]
Build and run:
docker build -t nonroot-demo .
docker run --rm nonroot-demo
If you inspect the container:
docker run --rm -it nonroot-demo whoami
# Output: root

Secure Approach: Add a Non-Root User
Let’s modify the Dockerfile to create a non-root user and run the app with that user:
Secure Dockerfile (Non-Root)
FROM python:3.11-slim
# Create a non-root user and group
RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
# Set working directory
WORKDIR /app
# Copy files and set ownership
COPY --chown=appuser:appgroup app.py .
# Switch to non-root user
USER appuser
# Run the app
CMD ["python", "app.py"]
Build and Run
docker build -t nonroot-secure .
docker run --rm nonroot-secure
You’ll see log.txt created, and the container will run safely under appuser.
⚠️ Note for Windows users: If you’re mounting a volume or writing to a bind-mounted folder (e.g., -v ./app:/app), you may see a “Permission denied” error. This happens because Windows file permissions don’t always map cleanly to Linux container users. In such cases, consider using a named volume instead or running without a mount during development.
You can verify the user:
docker run --rm nonroot-secure whoami
# Output: appuser
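Checking the image at runtime with whoami is fine for one container, but in a CI pipeline you usually want to catch a missing or root USER before the image is built. The following is an added example (not part of the original guide) of a small Dockerfile check: it joins continuation lines, skips comments, tracks USER across build stages and reports whether the final stage would run as UID 0. The two sample Dockerfiles are constructed to mirror the root and hardened versions above; the check assumes the base image sets no USER of its own.

```python
# Constructed samples: the root-running Dockerfile and the hardened one from this guide.
ROOT_DOCKERFILE = """\
FROM python:3.11-slim
WORKDIR /app
COPY app.py .
CMD ["python", "app.py"]
"""
SECURE_DOCKERFILE = """\
FROM python:3.11-slim
RUN addgroup --system appgroup && \\
    adduser --system --ingroup appgroup appuser
WORKDIR /app
COPY --chown=appuser:appgroup app.py .
USER appuser
CMD ["python", "app.py"]
"""


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations, skips comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def effective_user(text):
    """User the last stage's CMD/ENTRYPOINT runs as.

    Assumption: the base image sets no USER of its own, so each FROM starts as root.
    """
    user = "root"
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            user = "root"  # a new build stage resets the user
        elif instr == "USER":
            user = arg.split(":")[0]  # drop an optional ":group" suffix
    return user


def runs_as_root(text):
    """True when the final stage would run as UID 0 (named 'root' or numeric 0)."""
    return effective_user(text) in ("root", "0")
```

A USER set in an earlier build stage does not carry over to the final stage, which is why the check resets on every FROM.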

Best Practices
| Tip | Why It Matters |
| --- | --- |
| Use USER directive | Drops root privileges before execution |
| Set proper file ownership | Prevents file access errors when using COPY |
| Avoid chmod 777 | Prefer ownership with --chown for tighter security |
| Use distroless/base-minimal images | Smaller attack surface |
Bonus: Running as UID Without Named User
You can also run a container using a specific user ID from the CLI:
docker run --rm -u 1000:1000 python:3.11-slim whoami
Because UID 1000 has no entry in the image's /etc/passwd, whoami cannot resolve it to a name and reports an error for that user ID; id -u confirms the numeric UID. It's better to define users inside the Dockerfile for clarity and portability, so the UID has a name and the files it needs are owned correctly.
Running Docker containers as non-root users is a simple yet powerful security measure. By creating a dedicated user and dropping privileges inside your Dockerfile, you protect your systems from accidental or malicious misuse—without sacrificing functionality.