2

From reading https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines, in the section Support Arbitrary User IDs, it's recommended for:

  • an image to support running as an arbitrary user
  • an image to make directories and files owned by the root group
  • an image to declare USER with the user id, not the username

Example:

    RUN chgrp -R 0 /some/directory && \
        chmod -R g=u /some/directory
    RUN chmod g=u /etc/passwd
    ENTRYPOINT [ "uid_entrypoint" ]
    USER 1001

I'm not clear on what all of these mean.

  • Where is user 1001 defined?
  • What does g=u mean?
  • What does group 0 mean?
  • I've specified in my image the below to create a new user and group, and run processes as that user (non-root). Is this wrong? Can someone please help explain and provide examples - what is the correct way of doing it?

    RUN useradd -M nonroot \
        && groupadd nonrootgr \
        && chown -R nonroot:nonrootgr /var/lib/myapp
    
    USER nonroot
    
His

1 Answer

3

Where is user 1001 defined?

You need to create a non-root user account with that user ID.

See: https://github.com/sclorg/s2i-base-container/blob/master/core/Dockerfile#L71

What does g=u mean?

It sets the group permissions for the directory/file to the same as what the user has.

What does group 0 mean?

The root group has group ID of 0.

I've specified in my image the below...

See the linked example above for how to add a non-root user.

You must use:

    USER 1001

You cannot use an account name as the value for USER; it must be an integer value.

Graham Dumpleton
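An added example (not from the question, the answer or the OpenShift documentation) showing what the `chgrp -R 0` / `chmod -R g=u` lines achieve: under OpenShift the arbitrary UID is a member of the root group, so it can only use a path the way the owner can if the group is 0 and the group bits equal the owner bits. The function name `audit_tree` and the temporary tree are hypothetical; GNU `stat` is assumed, and because a non-root shell cannot `chgrp` to 0 the demo audits against the tree's own group.

```shell
#!/bin/sh
# Added example: list paths an arbitrary UID in the expected group could not
# use the way the owner can. Assumes GNU coreutils (stat -c).
# audit_tree DIR [GID] prints "mode gid path" for each path whose group is not
# GID (default 0, the root group) or whose group bits differ from the owner
# bits, i.e. every path that chgrp -R 0 / chmod -R g=u would change.
audit_tree() {
    want_gid=${2:-0}
    find "$1" -exec stat -c '%a %g %n' {} + |
    while read -r mode gid path; do
        padded=$(printf '%04d' "$mode")   # 640 -> 0640, 2750 stays 2750
        rest=${padded#?}                  # drop the setuid/setgid/sticky digit
        u=${rest%??}                      # owner digit
        g=${rest#?}; g=${g%?}             # group digit
        if [ "$u" != "$g" ] || [ "$gid" != "$want_gid" ]; then
            printf '%s %s %s\n' "$mode" "$gid" "$path"
        fi
    done
}

# Demo on a constructed tree (hypothetical paths standing in for /some/directory).
demo() {
    tree=$(mktemp -d)
    mkdir "$tree/data"
    : > "$tree/data/app.conf"
    chmod 750 "$tree/data"
    chmod 640 "$tree/data/app.conf"
    own_gid=$(stat -c %g "$tree")  # non-root cannot chgrp to 0, so audit own group
    echo "before chmod -R g=u:"; audit_tree "$tree" "$own_gid"
    chmod -R g=u "$tree"
    echo "after chmod -R g=u:";  audit_tree "$tree" "$own_gid"
    rm -rf "$tree"
}
demo
```

In an image build, running `audit_tree /some/directory` with no second argument after the `RUN chgrp`/`chmod` step should print nothing.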