You’ve probably already read that some Docker images were released with null passwords. This could have easily led to serious security issues on any container you might have deployed with that pulled image.
Although this isn’t typical, you might want your containers to deploy with a heightened sense of security. While this may not be the best solution for every container you work with, it is possible to change a root user password on an image. It can be tricky, because some images depend on a set password for the root user. However, if you plan on doing a lot of in-house development, you certainly don’t want to base those containers on images with weak security.
SEE: Windows 10 security: A guide for business leaders (TechRepublic Premium)
To that end, I want to show you how you can change the root password on an running container and then commit that change the image.
I’ll demonstrate with the official CentOS image. You should be able to do this with any of the official Linux distribution images from DockerHub (or any you created on your own). I will assume you already have Docker up and running.
Deploying the container
The first thing to do is deploy the CentOS container, based on the official image. This is done with the command:
docker run -it centos
When that command completes (it might have to first pull down the CentOS image), you’ll find yourself at the bash prompt for the root user. Issue the command:
cat /etc/shadow | grep root
You should see the root user doesn’t include a hashed password (Figure A).
Let’s change that. Issue the command:
When prompted, type and verify a new password for the root user. When that completes, you can issue the cat /etc/shadow | grep root command to see the root user now has a hashed password.
Committing the change
Back at your regular bash prompt (outside of the container), you have to commit the change to the image (otherwise you’ll just deploy more containers with the same lack of password). To commit our change issue the command:
docker commit CONTAINER_ID NEW_IMAGE_NAME
Where CONTAINER_ID is the ID of the container for which you changed the root password, and NEW_IMAGE_NAME is a unique name for the new image. If you’re unsure of what the ID is, issue the command docker ps -a. You don’t have to use the full container ID, just the first four characters will suffice.
Checking the new image
In order to see if this worked, deploy a new container with the new image, like so:
docker run -it NEW_IMAGE_NAME
Where NEW_IMAGE_NAME is the new name for the image.
You’ll find yourself inside the newly deployed container. Issue the command:
cat /etc/shadow | grep root
You should see that the root password is hashed (Figure B).
Exit out of that container, and you are now ready to start rolling out other containers, based on your newly changed CentOS image.
As I mentioned, this method might not work for every occasion. You might run into an instance where someone built a very specific image (for a specific purpose), and the root password must remain unchanged. But for those containers you want to deploy, which are based on official base images (such as CentOS, Ubuntu, Debian, etc.) you can change that root password to something strong, and rest easier knowing that root password has been changed.