How to run rootless containers
Blog post from Sysdig
Running containers as unprivileged or rootless is highlighted as a crucial security practice that mitigates the risks of running processes as root, which is the default in Docker and many other container runtimes. The article outlines how a container running with root privileges exposes the system: an attacker who breaches the container can gain full control of it and, through a kernel or runtime weakness, of the host. It explains the steps needed to run containers unprivileged: adapting images, changing default ports (unprivileged users cannot bind ports below 1024), adjusting file permissions so the non-root user can read its configuration and write its state, and using User Namespaces and Capabilities to limit privileges. Making containers rootless can be complex and involves trade-offs, such as losing low-level access to certain resources, but it significantly improves security by isolating workloads and reducing the damage a compromised container can cause.

The article provides practical examples, such as the modifications behind the nginx-unprivileged image, and suggests further hardening steps: making binaries root-owned, running containers in read-only mode, and using multi-stage builds. For containers that genuinely need privileged operations, it advises Linux capabilities and user namespaces, so that even if the container is breached, the attacker has only limited access to the host system.
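As an added example, not code from the Sysdig article or the nginx-unprivileged project's own Dockerfile, the following Dockerfile applies the adaptations described above (port, permissions, non-root user, read-only-friendly state) to the official nginx image; the image tag, the /tmp locations for writable state, and the docker run flags in the final comment are assumptions.

```dockerfile
# Added example: adapt the official nginx image to run as a non-root user.
# Paths below are those of the official image; /tmp locations are our choice.
FROM nginx:alpine

# 1. Port: a non-root process cannot bind 80, so listen on 8080 instead.
#    (The default.conf of the official image uses this exact spacing.)
RUN sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf

# 2. The 'user' directive only has effect when the master runs as root;
#    remove it so nginx does not warn when started as a non-root master.
RUN sed -i '/^user  nginx;/d' /etc/nginx/nginx.conf

# 3. Writable state: move the pid file and temp directories under /tmp so
#    the rest of the filesystem can later be mounted read-only.
RUN sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
 && sed -i "/^http {/a \    client_body_temp_path /tmp/client_temp;\n    proxy_temp_path /tmp/proxy_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf

# 4. File permissions: only the directories nginx must read or write are
#    handed to the nginx user; binaries and the rest of / stay root-owned.
RUN chown -R nginx:nginx /var/cache/nginx /var/log/nginx /etc/nginx

# 5. Drop to the unprivileged user (uid 101 in the official nginx images)
#    and advertise the new port.
USER nginx
EXPOSE 8080

# Suggested run line (assumed flags, all standard docker CLI options):
#   docker run --read-only --tmpfs /tmp --cap-drop=ALL -p 8080:8080 <image>
# --read-only and --tmpfs /tmp enforce step 3; --cap-drop=ALL removes every
# capability, which this non-root nginx no longer needs (no port < 1024,
# no setuid to switch workers).
```

The `USER` line is the control that actually changes the process identity; the earlier steps exist only so the server still works once it no longer runs as root.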