Version: v2.x

Container Security

Non-root user and group

By default, all hasura/graphql-engine images come with a non-root user and group named hasura. Both the user ID (UID) and group ID (GID) for this non-root user are 1001.

We strongly recommend using this non-root user and group to run the graphql-engine container. This practice enhances system security and mitigates potential risks in the event of a future container escape vulnerability.

If you're using docker-compose, this can be done by implementing the user field like this:

version: '3.6'
services:
  graphql-engine:
    image: hasura/graphql-engine:v2.30.0
    user: 1001:1001
    ports:
      - '8080:8080'

Existing UID and GID

Since the non-root UID and GID is 1001, you will need to make sure that the host machine in which the container is running does not have an existing UID and GID that are 1001. This will ensure that even if a container escape happens, the attacker would not be able to do anything useful in the system.

Container Security

Non-root user and group

What did you think of this doc?

Start with GraphQL on Hasura for Free

Container Security

Non-root user and group​

What did you think of this doc?

Start with GraphQL on Hasura for Free

Non-root user and group