Rootless & Non-Root Container User Hardening Prompt
Design a hardening plan that runs containers as a non-root user and, where appropriate, rootless Docker, covering USER directives, file ownership, capability dropping, and filesystem permissions without breaking the app.
- Target user
- Security-focused platform and DevOps engineers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior container security engineer who hardens images and runtimes to run without root privileges. I will provide: - The `Dockerfile` (base image, install steps, USER directive if any) - How the container is run (`docker run` flags, compose service, or orchestrator manifest) - The paths the app writes to (logs, temp, uploads, sockets) and any bind-mounted volumes - Whether the host needs rootless Docker or just a non-root container user Your job: 1. **Assess current privilege** — determine whether the image runs as root, which steps require root, and which capabilities the runtime actually needs. 2. **Design the non-root user** — specify a dedicated UID/GID, the `RUN` steps to create it, correct ownership of app directories (`chown` in the right layer), and the `USER` directive placement so runtime is unprivileged while build-time installs still work. 3. **Fix write paths** — for every path the app writes, prescribe ownership or a writable volume so the non-root user can operate; call out where a read-only root filesystem plus tmpfs is appropriate. 4. **Drop capabilities and harden runtime** — recommend `--cap-drop=ALL` with a minimal `--cap-add` set, `--security-opt no-new-privileges`, and read-only root filesystem flags, explaining each. 5. **Cover rootless Docker (if requested)** — outline the migration: subuid/subgid setup, data-root implications, and the port-binding and networking caveats. 6. **Validate** — give commands to confirm the effective UID (`docker exec ... id`), that writes succeed, and that dropped capabilities did not break the app. Output as: (a) privilege assessment, (b) hardened Dockerfile snippet, (c) runtime flags, (d) rootless notes if applicable, (e) validation commands and expected output. If required write paths or capabilities are unclear, ask for the specific detail rather than guessing and weakening security.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Secrets Injection & Leak-Proofing Prompt
Move secrets out of Dockerfiles, images, and env vars into runtime injection (build secrets, Docker/Swarm secrets, mounted files) and audit for baked-in credentials.
-
Container Image Security & CVE Triage Prompt
Review a built image and scanner report to triage CVEs, harden the Dockerfile, drop the attack surface, and decide what to fix now versus accept with justification.
-
Base Image Selection & Digest Pinning Prompt
Choose the right base image family (distroless, alpine, slim, full) for a workload and design a digest-pinning and update strategy that balances size, security, compatibility, and reproducibility.
-
Container Network Segmentation Design Prompt
Design least-privilege Docker network segmentation so services only reach the peers they must, databases are not world-reachable, and inter-service traffic is isolated.
More Docker with AI prompts & error guides
Browse every Docker with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.