General security practices say you run with the least privileges required,

network daemons are particularly at risk when running as root as a bug in the daemon will give a remote attacker root access in the container, it's easier then to break out with root access on the host. Docker says in https://docs.docker.com/engine/security/security/#conclusions "Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users inside the container." add user osrm and package su-exec and change example to use it
2018-07-16 23:42:33 +00:00 · 2018-07-16 23:42:33 +00:00 · 9026cb10f9
commit 9026cb10f9
parent f928956584
2 changed files with 3 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -67,7 +67,7 @@ The flag `-v $(pwd):/data` creates the directory `/data` inside the docker conta

 Note that `berlin-latest.osrm` has a different file extension. 

-    docker run -t -i -p 5000:5000 -v $(pwd):/data osrm/osrm-backend osrm-routed --algorithm mld /data/berlin-latest.osrm
+    docker run -t -i -p 5000:5000 -v $(pwd):/data osrm/osrm-backend su-exec osrm osrm-routed --algorithm mld /data/berlin-latest.osrm

 Make requests against the HTTP server

--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -37,7 +37,8 @@ FROM alpine:3.6 as runstage
 RUN mkdir -p /src  && mkdir -p /opt
 RUN echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
    apk update && \
-    apk add boost-filesystem boost-program_options boost-regex boost-iostreams boost-thread libgomp lua5.2 expat libtbb@testing
+    apk add boost-filesystem boost-program_options boost-regex boost-iostreams boost-thread libgomp lua5.2 expat libtbb@testing su-exec
+RUN adduser -D osrm
 COPY --from=buildstage /usr/local /usr/local
 COPY --from=buildstage /opt /opt
 WORKDIR /opt