Why is it that Elasticsearch is not allowed to run as root?

The deployment system as a whole is a lot more secure if an application in a docker container is not running as root.

These are the facts:

  • a dockerized environment is not a virtual machine, so docker security is equivalent to the security of the host

  • there is a reason why only the Docker daemon runs as root and brings a lot of security mechanisms with it to defend against containers that want to escalate privileges. Only with kernel namespaces can you tackle the challenge of isolating dockerized applications (https://docs.docker.com/engine/security/security/). Running as root breaks the principle of isolation, and without isolation there is no security. The container infrastructure will get compromised if it is not secured well.

  • it's a common misconception that the Docker root user is safe just because the Docker container can only access storage mounted to the container. What? It's not a storage mount problem. It's a privilege problem based on kernel capabilities for the root user regarding signals, drivers, devices and process control, even the BIOS and the system boot routine. If you are root, well, then you can do whatever you want. Many attack vectors are lurking when a privileged root user runs an application in a container.

  • in the stone age of Linux, the kernel had no capability feature. Back then, you had to use the root user even for ordinary system management. Those times are gone. For over a decade it has been common to assign capabilities to non-root users. Even if applications need to access signals, drivers, devices or processes, they can have full control when properly set up to run as a non-root user with exactly the capabilities needed. In addition to that, the Linux kernel comes with security extensions like grsec, and SELinux adds another layer of security.

  • There is no requirement for Elasticsearch to run as the root user at all. Elasticsearch is not designed to be operating-system-specific; it does not require access to operating-system-specific hardware functions. All functions operate through the Java virtual machine (JVM). The JVM API is portable and hides the operating-system-specific APIs.

The decision not to run as root is not an option for the deployment department; it's an obligation for everyone who runs applications. This also holds for applications in Docker containers. The only difference when running Docker is that you have to ensure the same level of security for the host and for the Docker containers as well.

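The post's obligation ("do not run as root, in containers too") is easy to break silently in a multi-stage build: a `USER` line in the build stage does nothing for the final stage, which starts again as root after its own `FROM`. The following shell lint, added here as an example and not taken from the post or from Elasticsearch's own tooling, walks a Dockerfile and reports which user the final stage actually runs as. It assumes the Dockerfile semantics it comments on (each `FROM` resets to root unless the base is a named earlier stage, whose last `USER` is inherited; no `USER` at all means root); the three sample Dockerfiles it checks are constructed for the example, and `app`, `/opt/app` and the stage names are made-up placeholders (`debian:bookworm-slim` is a real public image).

```shell
#!/bin/sh
# Added example (not from the original post): a small lint that answers
# "which user does this image end up running as?" by walking the Dockerfile.
# Rules it models: every FROM starts a stage as root unless the base is a
# named earlier stage, whose last USER is inherited; the last USER in the
# final stage wins; no USER at all means root.

# effective_user FILE -> prints the user the final stage runs as
effective_user() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }           # skip comments and blank lines
    toupper($1) == "FROM" {
      cur = ""
      for (i = 3; i <= NF; i++)                    # "FROM base AS name" names the stage
        if (toupper($i) == "AS") cur = $(i + 1)
      user = ($2 in stage) ? stage[$2] : "root"    # inherit from a prior stage, else root
      if (cur != "") stage[cur] = user
      next
    }
    toupper($1) == "USER" {
      user = $2
      if (cur != "") stage[cur] = user
    }
    END { if (user == "") user = "root"; print user }
  ' "$1"
}

# is_root USERSPEC -> 0 if the spec resolves to root (name, uid 0, or root:group)
is_root() {
  case "$1" in
    root|0|root:*|0:*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_dockerfile FILE -> 0 when the image runs unprivileged, 1 when it runs as root
check_dockerfile() {
  u=$(effective_user "$1")
  if is_root "$u"; then
    echo "FAIL $1: final stage runs as root"
    return 1
  fi
  echo "OK   $1: final stage runs as '$u'"
  return 0
}

# --- constructed sample Dockerfiles (base image is real, the app is made up) ---
tmp=$(mktemp -d)

# 1. no USER at all: runs as root
cat > "$tmp/Dockerfile.noUser" <<'EOF'
FROM debian:bookworm-slim
COPY app /opt/app
CMD ["/opt/app/run"]
EOF

# 2. USER only in the build stage; the final stage restarts from the base, so root again
cat > "$tmp/Dockerfile.builderOnly" <<'EOF'
FROM debian:bookworm-slim AS builder
RUN useradd --system --uid 1000 app
USER app
RUN echo build > /tmp/artifact

FROM debian:bookworm-slim
COPY --from=builder /tmp/artifact /opt/app/artifact
CMD ["/opt/app/run"]
EOF

# 3. unprivileged user created in a named stage and selected in the final stage
cat > "$tmp/Dockerfile.unprivileged" <<'EOF'
FROM debian:bookworm-slim AS base
RUN useradd --system --uid 1000 app

FROM base
COPY --chown=app:app app /opt/app
USER app:app
CMD ["/opt/app/run"]
EOF

for f in "$tmp"/Dockerfile.*; do
  check_dockerfile "$f" || :
done
```

Running it prints FAIL for the first two samples and OK for the third; the second case is the one that a simple `grep USER` would wrongly pass. A check like this belongs in CI before `docker build`. It covers only the image side of the post's argument; the capability side is enforced at run time, for example with `docker run --user` and `--cap-drop ALL` plus an explicit `--cap-add` for anything the application genuinely needs, so that the container gets the exact capabilities required and nothing more.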