DEV Community

Ash Wu

Use non-root user in scratch docker image

It's considered best practice to use a non-root user in Docker images, even if they are built from the scratch image.

But the scratch image is really empty, so you can't use commands like useradd to create a non-root user.

We can use a multi-stage build to achieve this.

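# Builder stage: create the user so that /etc/passwd has an entry for it
FROM ubuntu:latest
RUN useradd -u 10001 scratchuser

# Final stage: empty image holding only the binary and the passwd file
FROM scratch
COPY dosomething /dosomething
COPY --from=0 /etc/passwd /etc/passwd
USER scratchuser
ENTRYPOINT ["/dosomething"]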

How can we verify it? To verify, we need the id command to check that the user is set correctly. We can copy the commands from busybox.

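# Extra builder stage, placed before the final FROM scratch stage
FROM busybox:1.35.0-uclibc as busybox

# In the final scratch stage, next to the other COPY lines
COPY --from=busybox /bin/sh /bin/sh
COPY --from=busybox /bin/id /bin/id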

Now we can use docker exec to run the id command and verify that it works.
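A complementary check that can run before the image is built, added here as an example and not part of the original post: `USER scratchuser` only works because the copied /etc/passwd has an entry for that name, so this resolves a USER value against a passwd file and rejects a missing entry or UID 0. The function name `resolve_image_user`, its return codes and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# resolve_image_user PASSWD_FILE USER_SPEC   (hypothetical helper)
# Prints the UID that USER_SPEC ("name", "uid", "name:group", "uid:gid")
# maps to. Returns 1 if a name has no usable passwd entry, 2 if the UID
# is 0, 3 if the matching entry has a non-numeric UID field.
resolve_image_user() {
    passwd_file=$1
    user=${2%%:*}                 # drop an optional ":group" suffix

    case $user in
        ''|*[!0-9]*)
            # A name must be looked up in the passwd file (field 3 = UID)
            uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd_file")
            if [ -z "$uid" ]; then
                echo "no passwd entry for '$user'" >&2
                return 1
            fi
            ;;
        *)
            uid=$user ;;          # numeric USER needs no passwd entry
    esac

    case $uid in
        *[!0-9]*) echo "malformed UID for '$user'" >&2; return 3 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "'$user' resolves to UID 0 (root)" >&2
        return 2
    fi
    printf '%s\n' "$uid"
}

# Constructed sample of a passwd file like the one the builder stage produces
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second name for UID 0:/root:/bin/sh
scratchuser:x:10001:10001::/home/scratchuser:/bin/sh
EOF

resolve_image_user "$sample" scratchuser
```

The `toor` line shows why the check looks at the UID and not the name: a non-root-looking name can still map to UID 0.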
