Use non-root user in scratch docker image

#docker #security

It's considered best practice to use non-root user in docker images, even if it's built from scratch image.

But in scratch image it's really empty, you can't use commands like useradd to create a non-root user.

We can use multi stage builders to achieve this.

FROM ubuntu:latest
RUN useradd -u 10001 scratchuser
FROM scratch
COPY dosomething /dosomething
COPY --from=0 /etc/passwd /etc/passwd
USER scratchuser
ENTRYPOINT ["/dosomething"]

How can we verify it? In order to verify, we need id command to check if the user is set correctly. We can copy the commands from busybox.

FROM busybox:1.35.0-uclibc as busybox

COPY --from=busybox /bin/sh /bin/sh
COPY --from=busybox /bin/id /bin/id

And now we can use docker exec to run the id command to verify if it works.

Top comments (0)

10 Best Practices for Writing Maintainable Docker Compose Files

Wallace Freitas - Oct 16

Fast multi-arch Docker build for Rust projects

vladkens - Oct 5

Beginner’s Guide to AES Encryption and Decryption in JavaScript using CryptoJS

Shubham Khan - Oct 16

A Critical Fix for a 5-Year Old Vulnerability through Docker's Security Patch

Dr. Vamsi Mohan Vandrangi - Sep 12

DEV Community