It's considered best practice to run as a non-root user in Docker images, even when the image is built from the scratch image.
But a scratch image is really empty, so you can't use commands like useradd to create a non-root user.
We can use a multi-stage build to achieve this.
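```dockerfile
# Stage 0: a full image, used only to create the user entry
FROM ubuntu:latest
RUN useradd -u 10001 scratchuser

# Final image: empty base, plus the binary and the passwd file from stage 0
FROM scratch
COPY dosomething /dosomething
COPY --from=0 /etc/passwd /etc/passwd
USER scratchuser
ENTRYPOINT ["/dosomething"]
```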
How can we verify it? To verify, we need the `id` command to check that the user is set correctly. We can copy the commands from busybox.
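```dockerfile
# Extra build stage, placed before the final FROM scratch
FROM busybox:1.35.0-uclibc AS busybox

# In the final scratch stage
COPY --from=busybox /bin/sh /bin/sh
COPY --from=busybox /bin/id /bin/id
```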
And now we can use `docker exec` to run the `id` command to verify that it works.
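
The `id` check needs a running container. As an added example (not part of the original post), this shell sketch does a comparable check offline: it resolves a `USER` value against a passwd file, the file the scratch image relies on to map the name to a UID, and rejects root or a name that does not resolve. The function names and the sample passwd entries are constructed for illustration, and the lookup is a simplified model of what the runtime does.

```shell
#!/bin/sh
# Added example: resolve a Dockerfile USER value against a passwd file and
# reject root. Simplified model of the lookup done inside the image.

# resolve_uid PASSWD_FILE USER_VALUE -> prints the UID, returns 1 if unresolvable
resolve_uid() {
    passwd_file=$1
    user=${2%%:*}            # USER may be "name:group"; keep the user part
    case $user in
        '') return 1 ;;
        *[!0-9]*)            # a name: must exist in the image's /etc/passwd
            uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd_file")
            [ -n "$uid" ] || return 1
            printf '%s\n' "$uid" ;;
        *)  printf '%s\n' "$user" ;;   # numeric UID: used as given
    esac
}

# is_nonroot PASSWD_FILE USER_VALUE -> 0 only if it resolves to a UID other than 0
is_nonroot() {
    uid=$(resolve_uid "$1" "$2") || return 1
    [ "$uid" -ne 0 ]
}

# Constructed sample: entries like those the ubuntu stage hands to scratch
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
scratchuser:x:10001:10001::/home/scratchuser:/bin/sh
EOF

for u in scratchuser 10001 root typo_user; do
    if is_nonroot "$SAMPLE_PASSWD" "$u"; then
        echo "USER $u -> uid $(resolve_uid "$SAMPLE_PASSWD" "$u") (non-root)"
    else
        echo "USER $u -> rejected (root or not resolvable)"
    fi
done
```

Pointing the functions at the passwd file that will actually be copied into the image catches a misspelled `USER` name or a UID of 0 before the image is built.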