Use non-root user in scratch docker image

hsatac

Ash Wu

Posted on June 7, 2024

It's considered best practice to run as a non-root user in Docker images, even when the image is built from the scratch image.

But a scratch image really is empty, so you can't use commands like useradd to create a non-root user.

We can use a multi-stage build to achieve this.

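```dockerfile
# Stage 0: a full distro image, used only to create the passwd entry
FROM ubuntu:latest
RUN useradd -u 10001 scratchuser

# Final stage: empty image holding the binary and the passwd file from stage 0
FROM scratch
COPY dosomething /dosomething
COPY --from=0 /etc/passwd /etc/passwd
USER scratchuser
ENTRYPOINT ["/dosomething"]
```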

How can we verify it? To verify, we need the id command to check that the user is set correctly. We can copy the commands from the busybox image.

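```dockerfile
# Extra stage, declared before the final "FROM scratch" stage
FROM busybox:1.35.0-uclibc AS busybox

# Inside the final scratch stage: copy the tools needed for verification
COPY --from=busybox /bin/sh /bin/sh
COPY --from=busybox /bin/id /bin/id
```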

And now we can use docker exec to run the id command and verify that it works.
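
The same check can also be made from outside the container, without copying sh and id into the image. The script below is an added example, not code from the original post: it reads the image's configured USER with docker image inspect, copies /etc/passwd out of a created (never started) container, and resolves the name to a UID. The function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve the USER an image is configured with to a numeric UID,
# using the image's own /etc/passwd, and report whether it is root.

# Constructed sample of the passwd file copied from the ubuntu stage (trimmed).
sample_passwd() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'scratchuser:x:10001:10001::/home/scratchuser:/bin/sh'
}

# resolve_uid USER_FIELD PASSWD_FILE: print the numeric UID, return 1 if unknown.
# USER_FIELD is Config.User, e.g. "scratchuser", "10001", "10001:10001" or "".
resolve_uid() {
    user=${1%%:*}                              # drop an optional ":group" suffix
    [ -z "$user" ] && { echo 0; return 0; }    # no USER set: Docker runs as root
    case $user in
        *[!0-9]*) ;;                           # a name: look it up below
        *) echo "$user"; return 0 ;;           # numeric: treated here as the UID
    esac
    awk -F: -v u="$user" \
        '$1 == u { print $3; found = 1; exit } END { exit !found }' "$2"
}

# is_nonroot USER_FIELD PASSWD_FILE: 0 = non-root, 1 = root, 2 = name not found
# (a USER name missing from /etc/passwd is why the passwd file gets copied).
is_nonroot() {
    uid=$(resolve_uid "$1" "$2") || return 2
    [ "$uid" -ne 0 ]
}

# check_image IMAGE: read Config.User and /etc/passwd without starting the
# container, so it also works for scratch images with no shell or id binary.
check_image() {
    tmp=$(mktemp -d) || return 2
    cid=$(docker create "$1") || return 2
    docker cp "$cid:/etc/passwd" "$tmp/passwd" 2>/dev/null || : > "$tmp/passwd"
    docker rm "$cid" >/dev/null
    is_nonroot "$(docker image inspect --format '{{.Config.User}}' "$1")" "$tmp/passwd"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Source the file and call check_image with the image name; the exit status is 0 for a non-root user, 1 for root and 2 when the user name cannot be resolved.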
