BreadcrumbHomeResourcesBlog Rootless Containers and Why They Matter July 6, 2022 Rootless Containers and Why They MatterPHP DevelopmentSecurityBy Matthew Weier O’PhinneyRootless containers can be an effective way to prevent root privilege escalation if one of your containers is compromised. In this blog, we explore why this is a common issue in container-based PHP applications, and the steps teams can take to create rootless container based, and consequently more secure, applications.Table of ContentsContainers and Root PrivilegesHow to Mitigate Root Privilege RisksRootless Mode and Rootless ContainersFinal ThoughtsTable of Contents1 - Containers and Root Privileges2 - How to Mitigate Root Privilege Risks3 - Rootless Mode and Rootless Containers4 - Final ThoughtsBack to topContainers and Root PrivilegesPHP users increasingly containerize their applications, which provides predictability and ease of deployment. Containers have a known state on initialization, and (generally) run a single service at a time, making the services they encapsulate easier to understand and compose in complex systems. That said, Docker has historically required root privileges, which can potentially expose the host system to attacks.Containers typically run via a user with root privileges, and that user is the same as root on the host machine. This is necessary to allow various operations like installing system packages, changing configuration files, and more within the container. However, if an attacker were to exploit a vulnerability in the container that allows breaking out of the container to the host system, they could compromise the host in a variety of ways, including:Filesystem accessSecrets accessPrivilege escalationAccess to resources on your firewalled networkAny one of these could compromise your customers or confidential data.So, if containers need root privileges, what is the solution?Back to topHow to Mitigate Root Privilege RisksOne way to mitigate issues is to run services inside your containers as non-privileged users. This can be done in a variety of ways:Within a Dockerfile, you can specify the system user to run commands and services as via the USER directive.When running a container, you can specify the user to run commands and services as via the --user flag to the docker command.Docker Compose allows specifying the user for each container specified.You can use tools such as s6-overlay to run daemons as non-privileged users.The primary benefit to these approaches is that they limit the capabilities of an attacker to gain root privileges within the container, which will help prevent their ability to break out of the container to the host.Back to topRootless Mode and Rootless ContainersAnother solution is to run the containers themselves with a user other than root. The popular open source Docker alternative Podman does this by default, and Docker itself introduced an opt-in rootless mode in version 19.03, with full support for the mode in version 20. In both cases, these technologies allow running your containers as an unprivileged user. This means that even if an attacker breaks out of the container, they will not have root privileges on the host, limiting the attack surface substantially.Rootless Mode LimitationsUnfortunately, rootless mode has a number of limitations:In Docker, there are limits to which storage drivers you may use for managing the images and containers on your system.You cannot map containers to privileged host ports (those below 1024), which means you may need a proxy in front of your system.You cannot use overlay networks to distribute containers between multiple Docker hosts.Each of these can present further complexity for what is already often complex orchestration.ZendPHP Rootless ContainersTo help you secure your PHP applications, our ZendPHP container images are all built using the aforementioned s6-overlay. The features are opt-in; you can create your own containers without knowing anything about s6-overlay, and they will behave like normal containers. However, if you opt in to the features, you can:Run your PHP applications as a non-root user within the container.Lock down file permissions.And even run multiple services within the container easily (e.g., cron or an async worker pool).Try ZendPHP for FreeWant to see how our ZendPHP container images work in your environment? Get StartedBack to topFinal ThoughtsIn this blog, we've discussed root user privilege, how it can impact attack surface for container-based applications, and how rootless containers can help to mitigate those risks. As noted above, this approach can add additional complexity to your application(s), but it's typically worth the decreased attack surface.Be sure to read the next blog in this series, where we detail the various ways you can use ZendPHP containers to lock down your images and expand their capabilities.Additional ResourcesWebinar - Orchestrating Your PHP ApplicationsBlog - Building Rootless Docker Images With ZendPHPBlog - Cloud Images With ZendPHPBlog - PHP Docker Images: Tips and TricksBlog - PHP Orchestration With ZendPHP Docker ImagesBlog - How to Orchestrate Applications With ZendPHPBack to top
Matthew Weier O’Phinney Zend Product Manager, Zend by Perforce Matthew began developing on Zend Framework (ZF) before its first public release, and led the project for Zend from 2009 through 2019. He is a founding member of the PHP Framework Interop Group (PHP-FIG), which creates and promotes standards for the PHP ecosystem — and is serving his second elected term on the PHP-FIG Core Committee.
