Security issue: iojs is run as root

[mtparet]

In case of security flaw in the application run and in docker (as it happenned and will happen)
cf:
http://blog.zeltser.com/post/104976675349/security-risks-and-benefits-of-docker-application
http://thenewstack.io/docker-addresses-more-security-issues-and-outlines-plugin-approach/
http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security
https://blog.xenproject.org/2014/06/23/the-docker-exploit-and-the-security-of-containers/

[mtparet]

cf also nodejs/docker-node#1

[pesho]

Something like:

# Use high uid/gid to avoid collisions with the host
RUN groupadd --gid 25000 app && useradd --uid 25000 --gid 25000 --create-home --shell /bin/bash app 

...folowed by this just before CMD:

USER app

...and also modifying onbuild to use e.g. /home/app/src as base.

Does this sound right?

[mtparet]

Yes sounds right !

[pesho]

Un-assigning this, in case anyone else wants to give it a try.

[hmalphettes]

@pesho I'll give it a shot sometimes next week as I actually need this for a customer.
Feel free to assign it to me or simply wait for a PR when it is ready enough.

[Starefossen]

@hmalphettes you have probably read this comment in #26, but just to make sure:

yosifkit commented on Feb 16
I think the hardest part here is that this still doesn't cover the developer that wants to bind mount in their code so that they can edit it on their host machine and see changes as they develop using something like node-supervisor (ex: docker run -it --rm -v /my/code:/usr/src/app my-node). That way they do not have to docker stop, docker build, and docker run for every change.

[retrohacker]

User namespaces have made it into the experimental release of Docker. moby/moby#12648