Non-root user and group
By default, all hasura/graphql-engine images come with a non-root user and group named hasura. Both the user ID (UID) and group ID (GID) for this non-root user are 1001.
We strongly recommend using this non-root user and group to run the graphql-engine container. This practice enhances system security and mitigates potential risks in the event of a future container escape vulnerability.
If you're using docker-compose, this can be done by setting the user field of the graphql-engine service to this UID and GID.
Since the non-root UID and GID are both 1001, you will need to make sure that the host machine on which the container is running does not have an existing user or group whose UID or GID is 1001. This will ensure that even if a container escape happens, the attacker would not be able to do anything useful in the system.
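
A pre-flight check covering both points above, the compose user field and the host ID collision. It is an added example, not taken from the Hasura documentation. The service name graphql-engine and the use of a docker-compose.override.yml file are assumptions.

```shell
#!/bin/sh
# Added example: host pre-flight check before running graphql-engine as non-root.
HASURA_ID=1001   # UID and GID of the image's "hasura" user, as stated on this page

# Print the names in a passwd- or group-format file whose numeric ID (field 3)
# equals $2. Exit status is 0 if at least one entry matched, 1 otherwise.
id_in_use() {
    awk -F: -v id="$2" '$3 == id { print $1; found = 1 } END { exit !found }' "$1"
}

# Report host users/groups that already own ID 1001. Returns 0 when a conflict
# exists, 1 when the ID is free. File paths are parameters so the check can be
# run against copies; local files only (use `getent passwd 1001` and
# `getent group 1001` to include LDAP/NSS sources).
host_conflicts() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    rc=1
    if names=$(id_in_use "$passwd_file" "$HASURA_ID"); then
        echo "UID $HASURA_ID already belongs to host user(s): $names"
        rc=0
    fi
    if names=$(id_in_use "$group_file" "$HASURA_ID"); then
        echo "GID $HASURA_ID already belongs to host group(s): $names"
        rc=0
    fi
    return $rc
}

# Emit a compose override that runs the service as the non-root user.
# "graphql-engine" is an assumed service name; use the one in your compose file.
compose_user_override() {
    cat <<EOF
services:
  graphql-engine:
    user: "$HASURA_ID:$HASURA_ID"
EOF
}

# Usage (only writes the override when the host has no conflicting ID):
#   host_conflicts || compose_user_override > docker-compose.override.yml
```

If host_conflicts reports a match, resolve the ID clash on the host before starting the container as 1001:1001.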