Reputation: 1961
Docker is usually supposed to be run as a non-root user for production applications. My understanding is that this is because having root access in the container also gives you root access on the server.
Does the same apply when deploying through Azure's app service? I don't understand the difference between having a root user on a server vs. a container service.
Upvotes: 1
Views: 3136
Reputation: 3163
App Service uses port 2222 for SSH into your app's container, but that doesn't mean that port 2222 is exposed over the Internet. No matter how you use SSH in your app, all SSH traffic is handled through an endpoint on port 443.
As a side note, if you're not using SSH, you don't have to worry about closing port 2222 because it's not exposed to the Internet.
The root password must be exactly Docker! as it is used by App Service to let you access the SSH session with the container. This configuration doesn't allow external connections to the container.
(Port 2222 of the container is accessible only within the bridge network of a private virtual network and is not accessible to an attacker on the internet.)
In order to access the SSH port, one must first log in to the Kudu container via HTTPS; it's not exposed to the Internet.
Linux apps in App Service run in their own containers. No access to the host operating system is allowed, but you do have root access to the container. Likewise, for apps running in Windows containers, you have administrative access to the container but no access to the host operating system.
See these docs for more details: tutorial-custom-docker-image and configure-custom-container
Upvotes: 3
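The fixed root password is safe in the answer above only because App Service never publishes port 2222. The following is an added example, not part of the answer or of Microsoft's documentation: a small check that flags the same image when it is run somewhere that does publish the SSH port. The function names, the sample Dockerfile and the sample sshd_config are constructed for illustration.

```python
import re

SSH_PORT = 2222             # App Service SSH port, from the answer above
ROOT_PASSWORD = "Docker!"   # fixed root password, from the answer above

# Constructed sample inputs (not taken from any real project).
DOCKERFILE = r"""FROM python:3.12-slim
RUN apt-get update \
    && apt-get install -y --no-install-recommends openssh-server \
    && echo "root:Docker!" | chpasswd
COPY sshd_config /etc/ssh/
"""
SSHD_CONFIG = """# constructed sample
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
"""

def sshd_ports(sshd_config):
    """Ports sshd listens on; OpenSSH falls back to 22 without a Port line."""
    found = re.findall(r"(?im)^\s*port\s+(\d+)\s*$", sshd_config)
    return {int(p) for p in found} or {22}

def has_known_root_password(dockerfile):
    """True if a RUN step pipes root:<ROOT_PASSWORD> into chpasswd."""
    text = dockerfile.replace("\\\n", " ")  # join continued lines
    pattern = r"root:" + re.escape(ROOT_PASSWORD) + r"[\"']?\s*\|\s*chpasswd"
    return re.search(pattern, text) is not None

def published_ports(mappings):
    """Container-side ports of docker -p values such as '8000:8000' or
    '0.0.0.0:2222:2222/tcp'. Port ranges are not handled."""
    return {int(m.split("/")[0].split(":")[-1]) for m in mappings}

def audit(dockerfile, sshd_config, mappings):
    """Findings for running the image with the given -p mappings."""
    findings = []
    ssh = sshd_ports(sshd_config)
    if SSH_PORT not in ssh:
        findings.append("sshd is not on 2222, the port App Service uses for SSH")
    reachable = sorted(ssh & published_ports(mappings))
    if reachable and has_known_root_password(dockerfile):
        findings.append(f"root SSH with a publicly known password published on {reachable}")
    return findings

if __name__ == "__main__":
    print(audit(DOCKERFILE, SSHD_CONFIG, ["8000:8000"]))               # []
    print(audit(DOCKERFILE, SSHD_CONFIG, ["8000:8000", "2222:2222"]))  # one finding
```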