Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Post History

50%

+0 −0

Q&A UID of nonroot user in distroless container images

You don't actually need the UID in that particular example. A more elegant solution would be to use the --chown option of the COPY directive. FROM bash:latest as builder RUN adduser adduser \ ...

posted 6mo ago by Iizuki‭

Answer

#1: Initial revision by

Iizuki‭ · 2024-05-30T12:51:51Z (6 months ago)

Copy Link

Raw

Markdown

You don't actually need the UID in that particular example.

A more elegant solution would be to use the `--chown` option of the [COPY](https://github.com/containers/common/blob/main/docs/Containerfile.5.md#format) directive.

```containerfile
FROM bash:latest as builder

RUN adduser adduser \
  --disabled-password \
  --gecos "" \
  --home "/nonexistent" \
  --shell "/sbin/nologin" \
  --no-create-home \
  "nonroot"
USER nonroot

WORKDIR /app

# Simulating a build here
RUN echo binary > executable


# A distroless base image for static executables.
# It uses the nonroot user:
# https://edu.chainguard.dev/chainguard/chainguard-images/reference/glibc-dynamic/image_specs/
FROM cgr.dev/chainguard/cc-dynamic:latest

WORKDIR /app

# This eliminates the need for UIDs.
COPY --from builder --chown=nonroot /app/executable ./

CMD "/app/executable"
```

Communities

Post History