Quoting the coreos page (linked above):
“RunC allowed additional container processes via
runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.”
In short, IF processes run as root inside a container they could potentially break out of the container and gain access over the host.
My recommendation at this time is to apply the same basic security tenants for containers as you would (I hope) for VM and baremetal installs. In other words, ensure you are adhering to a Path of Least Privilege as a best practice and not running as root for conevience’s sake.
Prior to this, we made changes to PMM prior to version 1.0.4 to reduce the number of processes within the container that ran as root. As such, only the processes required to do so run as root. All other processes run as a lower privilege user.
Check here for documentation on PMM, and use the JIRA project to raise bugs (JIRA requires registration).
To comment on running a database within docker, I’ve reviewed the following images
- percona-server image: I have verified it does not run as root, and runs as a mysql user (for 5.7.16 at least)
- percona-server-mongodb: I have worked with our teams internally and can confirm that the latest image no longer runs as root (you will to run the latest image, however, to see this change via docker pull)
Please comment below with any questions.