Home
%3CLINGO-SUB%20id%3D%22lingo-sub-859644%22%20slang%3D%22en-US%22%3ENon-Root%20SQL%20Server%202019%20Containers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-859644%22%20slang%3D%22en-US%22%3E%3CP%3ESQL%20Server%202019%20containers%20makes%20it%20easier%20and%20simpler%20to%20work%20with%20data%2C%20and%20monthly%20preview%20releases%20offer%20the%20latest%20innovation%20and%20improvements.%20In%20addition%20to%20feature%20additions%20and%20performance%20improvements%2C%20we%20are%20also%20going%20to%20make%20SQL%20Server%202019%20containers%20safer%20by%20starting%20the%20SQL%20Server%20process%20as%20a%20non-root%20user%20by%20default.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20application%20process%20within%20most%20Docker%20containers%20is%20running%20as%20a%20root%20user%20meaning%20the%20process%20has%20root%20privileges%20within%20the%20container%20user%20space.%20The%20root%20user%20within%20the%20container%20is%20also%20the%20same%20root%20(uid%200)%20on%20the%20host%20machine%2C%20and%20if%20the%20user%20can%20break%20out%20of%20the%20container%2C%20they%20would%20have%20root%20permissions%20on%20the%20host.%20Running%20as%20root%20is%20convenient%20for%20development%2C%20testing%20and%20CI%2FCD%20use%20cases%20but%20for%20production%20use%20cases%2C%20it%20is%20safest%20to%20run%20SQL%20Server%20as%20a%20non-root%20process%20within%20the%20container.%20In%20this%20blog%2C%20we%E2%80%99re%20going%20to%20share%20with%20you%20how%20you%20can%20preview%20this%20upcoming%20improvement%20by%20creating%20your%20own%20non-root%20SQL%20Server%20container.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH4%20id%3D%22toc-hId-1428222520%22%20id%3D%22toc-hId-1428222520%22%3EBuild%20and%20run%20SQL%20Server%20containers%20as%20a%20non-root%20user%3C%2FH4%3E%0A%3CP%3EFollow%20the%20steps%20below%20to%20build%20a%20SQL%20Server%202019%20container%20that%20starts%20up%20as%20the%26nbsp%3B%3CEM%3Emssql%3C%2FEM%3E%20user.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ERun%20the%20following%20command%20to%20build%20the%20non-root%20SQL%20Server%20container%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Edocker%20build%20-t%202019-latest-non-root%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fmssql2019-non-root%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Fmssql2019-non-root%3C%2FA%3E%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3EStart%20the%20container%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Edocker%20run%20-e%20%22ACCEPT_EULA%3DY%22%20-e%20%22SA_PASSWORD%3DMyStrongP%40ssword%22%20--name%20sql1%20-p%201433%3A1433%20-d%202019-latest-non-root%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%224%22%3E%0A%3CLI%3ECheck%20that%20the%20container%20is%20running%20as%20a%20non-root%20user%20by%20first%20using%20%3CEM%3Edocker%20exec%3C%2FEM%3E%20to%20go%20into%20the%20context%20within%20the%20container.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Edocker%20exec%20-it%20sql1%20bash%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%225%22%3E%0A%3CLI%3ERun%20%3CEM%3Ewhoami%3C%2FEM%3E%20which%20will%20return%20the%20user%20running%20within%20the%20container.%20Notice%20that%20the%20user%20is%20%3CEM%3Emssql.%3C%2FEM%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Ewhoami%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20containers%20improve%20the%20way%20we%20develop%2C%20deploy%20and%20run%20SQL%20Server%2C%20it%20is%20important%20that%20we%20are%20using%20the%20best%20security%20practices%20in%20production.%20Non-root%20SQL%20Server%202019%20containers%20will%20enable%20you%20to%20run%20workloads%20safer%20in%20production.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheck%20out%20our%20docs%20on%20how%20you%20can%20learn%20more%20about%20working%20with%20SQL%20Server%20containers%20permissions%20at%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Flinux%2Fsql-server-linux-configure-docker%3Fview%3Dsql-server-2017%23buildnonrootcontainer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Flinux%2Fsql-server-linux-configure-docker%3Fview%3Dsql-server-2017%23buildnonrootcontainer%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-859644%22%20slang%3D%22en-US%22%3E%3CP%3ESQL%20Server%202019%20containers%20makes%20it%20easier%20and%20simpler%20to%20work%20with%20data.%20In%20addition%20to%20the%20latest%20innovation%20and%20improvements%2C%20we%20are%20also%20going%20to%20make%20SQL%20Server%202019%20containers%20safer%20by%20starting%20the%20SQL%20Server%20process%20as%20non-root%20user%20by%20default.%20Read%20this%20blog%20to%20learn%20more.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-859644%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESQLServerTiger%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

SQL Server 2019 containers makes it easier and simpler to work with data, and monthly preview releases offer the latest innovation and improvements. In addition to feature additions and performance improvements, we are also going to make SQL Server 2019 containers safer by starting the SQL Server process as a non-root user by default.

 

The application process within most Docker containers is running as a root user meaning the process has root privileges within the container user space. The root user within the container is also the same root (uid 0) on the host machine, and if the user can break out of the container, they would have root permissions on the host. Running as root is convenient for development, testing and CI/CD use cases but for production use cases, it is safest to run SQL Server as a non-root process within the container. In this blog, we’re going to share with you how you can preview this upcoming improvement by creating your own non-root SQL Server container.

 

Build and run SQL Server containers as a non-root user

Follow the steps below to build a SQL Server 2019 container that starts up as the mssql user.

 

  1. Run the following command to build the non-root SQL Server container

 

 

docker build -t 2019-latest-non-root https://aka.ms/mssql2019-non-root

 

 

 

  1. Start the container

 

 

 

docker run -e "ACCEPT_EULA=Y" -e "SA_PASSWORD=MyStrongP@ssword" --name sql1 -p 1433:1433 -d 2019-latest-non-root

 

 

 

  1. Check that the container is running as a non-root user by first using docker exec to go into the context within the container.

 

 

 

docker exec -it sql1 bash

 

 

 

 

  1. Run whoami which will return the user running within the container. Notice that the user is mssql.

 

 

 

whoami

 

 

 

As containers improve the way we develop, deploy and run SQL Server, it is important that we are using the best security practices in production. Non-root SQL Server 2019 containers will enable you to run workloads safer in production.

 

Check out our docs on how you can learn more about working with SQL Server containers permissions at

https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-configure-docker?view=sql-server-2017#bu...