I don't want to run anything in a docker container as root. And I want minimalistic images.
I can run my compiled Go app in the scratch-image without a problem. But when I don't want it to run as root (i assume its running as root) and define USER nobody in the dockerfile I get
014/10/25 06:07:10 Error response from daemon: Cannot start container
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21:
finalize namespace setup user get supplementary groups Unable to find user nobody
here is my dockerfile
FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001
EDIT ------------
turns out that scratch is empty, very empty.
RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.
i ll use debian as i don't wont to run anything as root within a container because ...
Treat root within a container as if it is root outside of the container
turns out that scratch is empty, very empty.
RUN useradd would execute /bin/sh -c useradd but there is no /bin/sh . RUN ["useradd"] would exec directly. but there is no useradd. i d have to add rootfs.tar and build stuff from zero.
i ll use debian as i don't wont to run anything as root within a container because ...
Treat root within a container as if it is root outside of the container
You still have to add the user before you can use it with the USER command.
FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
RUN useradd nobody
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001
Before the USER command, add this line:
ADD passwd.minimal /etc/passwd
With the following line in the file passwd.minimal:
nobody:x:65534:65534:Nobody:/:
The solution is to use multi-stage build and copy /etc/passwd, as explained in this nice blog-post by Liz Rice.