Blog

July 6, 2022

Rootless Containers and Why They Matter

Matthew Weier O’Phinney
Matthew Weier O’Phinney

PHP Development,

Security

Rootless containers can be an effective way to prevent root privilege escalation if one of your containers is compromised. 

In this blog, we explore why this is a common issue in container-based PHP applications, and the steps teams can take to create rootless container based, and consequently more secure, applications.

Table of Contents

  1. Containers and Root Privileges
  2. How to Mitigate Root Privilege Risks
  3. Rootless Mode and Rootless Containers
  4. Final Thoughts
Back to top

Containers and Root Privileges

PHP users increasingly containerize their applications, which provides predictability and ease of deployment. Containers have a known state on initialization, and (generally) run a single service at a time, making the services they encapsulate easier to understand and compose in complex systems. That said, Docker has historically required root privileges, which can potentially expose the host system to attacks.

Containers typically run via a user with root privileges, and that user is the same as root on the host machine. This is necessary to allow various operations like installing system packages, changing configuration files, and more within the container. However, if an attacker were to exploit a vulnerability in the container that allows breaking out of the container to the host system, they could compromise the host in a variety of ways, including:

  • Filesystem access
  • Secrets access
  • Privilege escalation
  • Access to resources on your firewalled network

Any one of these could compromise your customers or confidential data.

So, if containers need root privileges, what is the solution?

Back to top

How to Mitigate Root Privilege Risks

One way to mitigate issues is to run services inside your containers as non-privileged users. This can be done in a variety of ways:

  • Within a Dockerfile, you can specify the system user to run commands and services as via the USER directive.
  • When running a container, you can specify the user to run commands and services as via the --user flag to the docker command.
  • Docker Compose allows specifying the user for each container specified.
  • You can use tools such as s6-overlay to run daemons as non-privileged users.

The primary benefit to these approaches is that they limit the capabilities of an attacker to gain root privileges within the container, which will help prevent their ability to break out of the container to the host.

Back to top

Rootless Mode and Rootless Containers

Another solution is to run the containers themselves with a user other than root. The popular open source Docker alternative Podman does this by default, and Docker itself introduced an opt-in rootless mode in version 19.03, with full support for the mode in version 20. In both cases, these technologies allow running your containers as an unprivileged user. This means that even if an attacker breaks out of the container, they will not have root privileges on the host, limiting the attack surface substantially.

Rootless Mode Limitations

Unfortunately, rootless mode has a number of limitations:

  • In Docker, there are limits to which storage drivers you may use for managing the images and containers on your system.
  • You cannot map containers to privileged host ports (those below 1024), which means you may need a proxy in front of your system.
  • You cannot use overlay networks to distribute containers between multiple Docker hosts.

Each of these can present further complexity for what is already often complex orchestration.

ZendPHP Rootless Containers

To help you secure your PHP applications, our ZendPHP container images are all built using the aforementioned s6-overlay. The features are opt-in; you can create your own containers without knowing anything about s6-overlay, and they will behave like normal containers. However, if you opt in to the features, you can:

  • Run your PHP applications as a non-root user within the container.
  • Lock down file permissions.
  • And even run multiple services within the container easily (e.g., cron or an async worker pool).

Try ZendPHP for Free

Want to see how our ZendPHP container images work in your environment? 

Get Started

Back to top

Final Thoughts

In this blog, we've discussed root user privilege, how it can impact attack surface for container-based applications, and how rootless containers can help to mitigate those risks. As noted above, this approach can add additional complexity to your application(s), but it's typically worth the decreased attack surface.

Be sure to read the next blog in this series, where we detail the various ways you can use ZendPHP containers to lock down your images and expand their capabilities.

Additional Resources

Back to top