set default user to non-root #460
Conversation
|
thanks, this was brought up previously with the Docker official images maintainers and the answer was to keep the default user as root, unfortunately I cannot find the issue where this was brought up |
|
Here it is: #8 (comment) This would mean any user runs as root or need to inherit from this image to run as non-root. What about to make it secure by default and open to run as root? (inverse the current behaviour + docs) |
|
this comment here from official images mantainers |
|
Hmm. Do you think of ur image rather a base image or an enduser image? When you answer base image, I would offer to add an non-root image besides your base image. |
|
it is a base image, I could add a nonroot image, but would need to somehow be generated as I don't want to maintain 2x the images |
|
Is there already some parameterization system in place which might allow this repo to publish an alternate set of tags that would switch to a nonroot user? As it stands, this image is podTemplate(yaml: '''
apiVersion: v1
kind: Pod
spec:
containers:
- name: maven
image: maven
command:
- sleep
args:
- infinity
securityContext:
runAsUser: 1000
env:
- name: MAVEN_OPTS
value: -Duser.home=/home/jenkins/agent
''') {
node(POD_LABEL) {
git 'https://github.com/jglick/simple-maven-project-with-tests'
container('maven') {
sh 'mvn -B -ntp compile'
}
}
}or if you prefer podTemplate(containers: [containerTemplate(name: 'maven', image: 'maven', command: 'sleep', args: 'infinity', runAsUser: '1000', envVars: [envVar(key: 'MAVEN_OPTS', value: '-Duser.home=/home/jenkins/agent')])]) {
// … as before
} |
|
There is some code generation here Would need something to create new dies for the nonroot variants |
Runs the container as user different from root for security reasons.
See https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user