Skip to main content
Version: v2.x

Container Security

Non-root user and group

By default, all hasura/graphql-engine images come with a non-root user and group named hasura. Both the user ID (UID) and group ID (GID) for this non-root user are 1001.

We strongly recommend using this non-root user and group to run the graphql-engine container. This practice enhances system security and mitigates potential risks in the event of a future container escape vulnerability.

If you're using docker-compose, this can be done by implementing the user field like this:

version: '3.6'
services:
  graphql-engine:
    image: hasura/graphql-engine:v2.30.0
    user: 1001:1001
    ports:
      - '8080:8080'
Existing UID and GID

Since the non-root UID and GID is 1001, you will need to make sure that the host machine in which the container is running does not have an existing UID and GID that are 1001. This will ensure that even if a container escape happens, the attacker would not be able to do anything useful in the system.

The HasuraCon 2024 CFP is open!
Read morearrow-icon

Start with GraphQL on Hasura for Free

  • Build apps and APIs 10x faster
  • Built-in authorization and caching
  • 8x more performant than hand-rolled APIs
Try GraphQL with Hasura
Promo
Loading...