
Distroless images come with 3 users:

> docker run --rm --entrypoint cat gcr.io/distroless/nodejs:debug /etc/passwd
root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin

If you run the image without a USER instruction in your Dockerfile the image runs as uid=0(root) gid=0(root).

I would like to avoid this and use an unprivileged user.

Other than nobody not having a /home directory, what is the difference between using USER nobody and USER nonroot in my Dockerfile?

2 Answers

  1. Chosen as BEST ANSWER

    The best practice seems to be using the nonroot user.

    references:


  2. There are 2 types of distroless images which can be used in production:

    with latest tag
    This image, say gcr.io/distroless/base, by default has "Config.User: 0" and "Config.WorkingDir: /" config in it, and if you don't use USER to switch to the nonroot user which is defined in it, it will start the container as the root user.

    with nonroot tag
    This image, say gcr.io/distroless/base:nonroot, by default has "Config.User: 65532" and "Config.WorkingDir: /home/nonroot" config in it, and there is no need to use USER to change to a non-root user.
    PS: maybe you need to change the ownership of copied files in a multistage build to the nonroot user.

    nobody user
    The purpose of the nobody user is not related to distroless images; it's about Linux itself, which is described here very well.

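As an added example (not from the question or either answer), a multistage build that ends on the default-tag distroless image, where Config.User is 0, so the USER instruction and the ownership fix from the second answer are both needed. It assumes a Node app in the build context with a package.json and an entry point named server.js (hypothetical), and that the gcr.io/distroless/nodejs image keeps its node entrypoint.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not code from the question or the answers above.
# Assumes a Node app whose entry point is server.js (hypothetical name).

# Build stage: install production dependencies with a full toolchain image.
FROM node:20 AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

# Runtime stage on the default tag: Config.User is 0, so without a USER
# instruction the container would start as uid=0(root).
FROM gcr.io/distroless/nodejs

# Files copied from the build stage are root-owned by default; chown them
# to the nonroot uid/gid (65532, from the image's /etc/passwd) so the
# unprivileged process can read them. Numeric ids avoid depending on
# name lookup in the destination image's /etc/group.
WORKDIR /home/nonroot/app
COPY --from=build --chown=65532:65532 /app /home/nonroot/app

# Switching by name works because nonroot exists in the image's
# /etc/passwd; "USER 65532:65532" is equivalent and lets an orchestrator
# verify the uid without parsing the image's passwd file.
USER nonroot

# The distroless nodejs image's entrypoint is node; CMD supplies the script.
CMD ["/home/nonroot/app/server.js"]
```

With the :nonroot tag of the same image the USER line becomes redundant, but the --chown on COPY is still required for the process to read its own files.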