DEV Community

Ash Wu
Ash Wu

Posted on

2

Use non-root user in scratch docker image

It's considered best practice to use non-root user in docker images, even if it's built from scratch image.

But in scratch image it's really empty, you can't use commands like useradd to create a non-root user.

We can use multi stage builders to achieve this.

FROM ubuntu:latest
RUN useradd -u 10001 scratchuser
FROM scratch
COPY dosomething /dosomething
COPY --from=0 /etc/passwd /etc/passwd
USER scratchuser
ENTRYPOINT ["/dosomething"]
Enter fullscreen mode Exit fullscreen mode

How can we verify it? In order to verify, we need id command to check if the user is set correctly. We can copy the commands from busybox.

FROM busybox:1.35.0-uclibc as busybox

COPY --from=busybox /bin/sh /bin/sh
COPY --from=busybox /bin/id /bin/id
Enter fullscreen mode Exit fullscreen mode

And now we can use docker exec to run the id command to verify if it works.

Image of Timescale

🚀 pgai Vectorizer: SQLAlchemy and LiteLLM Make Vector Search Simple

We built pgai Vectorizer to simplify embedding management for AI applications—without needing a separate database or complex infrastructure. Since launch, developers have created over 3,000 vectorizers on Timescale Cloud, with many more self-hosted.

Read full post →

Top comments (0)

Sentry image

See why 4M developers consider Sentry, “not bad.”

Fixing code doesn’t have to be the worst part of your day. Learn how Sentry can help.

Learn more