Question

I'm building a docker image using docker-maven plugin. The maven command is to be executed using jenkins. The jenkins.war is deployed on tomcat instead of a separate application, running in a non-root instance. Docker needs root access therefore maven commands will be run in root and because of that jenkins and tomcat will also run in root which is bad practice. I guess I can either run docker as a non-root user(I don't know how to do that) or run jenkins as root(unable do that ever since I switched env variable/config).

any solution is appreciated, thank you

Answer 1

Docker needs root access therefore maven commands will be run in root

not necessarily, you can run docker with -u (--user) parameter to run it as a non-root user inside a container

I guess I can either run docker as a non-root user

If you add the user(on host) to the docker group, you can use the docker service with the said user

As you said so yourself it not secure, look through the following

• "chrisfosterelli/dockerrootplease"
• "Understanding how uid and gid work in Docker containers"

Especially, have a look at these points

• If there’s a known uid that the process inside the container is executing as, it could be as simple as restricting access to the host system so that the uid from the container has limited access.
• The better solution is to start containers with a known uid using the--user (you can use a username also, but remember that it’s just a friendlier way of providing a uid from the host’s username system), and then limiting access to the uid on the host that you’ve decided the container will run as.
• Because of how uids and usernames (and gids and group names) map from a container to the host, specifying the user that a containerized process runs as can make the process appear to be owned by different users inside vs outside the container.