How to add a directory where non-root user can write #427
Comments
You can use `COPY --from=source --chown=java:java /opt /opt` |
Thanks! Works like a charm (once I also copied /etc/group) |
@fhoeben You don't need to create a separate user - distroless image is already included

```dockerfile
COPY --from=source --chown=65532:65532 /opt /opt
```
@jugatsu Is this user also present in passwd file in distroless Java? |
Yes, user is present. Do you successfully build image with

```
docker run --rm -it --entrypoint=sh gcr.io/distroless/java:11-debug
/ # cat /etc/passwd
root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin
/ # cat /etc/group
root:x:0:
nobody:x:65534:
tty:x:5:
staff:x:50:
nonroot:x:65532:
```
I was able to build the image, but then when I tried to start it (using docker-compose) I got the 'unable to find user'. |
```dockerfile
FROM openjdk:11-jdk-slim AS build-env
ADD . /app/examples
WORKDIR /app
RUN javac examples/*.java
RUN jar cfe main.jar examples.HelloJava examples/*.class

FROM gcr.io/distroless/java:11
COPY --from=build-env --chown=nonroot:nonroot /app /app
WORKDIR /app
USER nonroot
CMD ["main.jar"]
```

```
docker run --rm hello-java
Hello world
```

It works for me. @fhoeben Could you provide your Dockerfile please. |
@jugatsu I must apologise. It's embarrassing but I found why it didn't work for me. It was totally my own fault. |
@fhoeben Is everything working as expected? |
Yes. Thanks a lot for your support! |
I would like to build my own image based on distroless java, using a Dockerfile, and add a directory where my application can write when it runs as a non-root user.
I don't seem to be able to do this. I'm probably missing something obvious, but I just don't see it right now. So I'm hoping somebody might be able to point me in the right direction.
To be a bit more specific, I would like to have an image based on distroless where my application runs as (normal, non-root) user 'java' and can write files in a directory '/opt'.
I tried creating a multi-stage docker file where I first create the user and the directory with the right permissions and then copy those to the distroless environment. But in that image the directory /opt will be owned by root and my java user does not have permission to write a new file.
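
The name lookups discussed in this thread, as an added example that is not part of the original issue or the distroless project: names given to `USER` and `COPY --chown` are resolved against the final image's own `/etc/passwd` and `/etc/group`, while numeric IDs such as `65532` need no entry. This hypothetical checker (the function names and the `BROKEN` Dockerfile are constructed here) flags names the final stage cannot resolve, assuming one instruction per line and that the listings passed in are those of the final image.

```python
import re

# Constructed sample input: the passwd/group listing quoted in this thread.
PASSWD = """root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin"""
GROUP = """root:x:0:
nobody:x:65534:
tty:x:5:
staff:x:50:
nonroot:x:65532:"""

# Constructed Dockerfile: the name 'java' exists only in the build stage.
BROKEN = """FROM openjdk:11-jdk-slim AS source
RUN useradd java && chown java:java /opt
FROM gcr.io/distroless/java:11
COPY --from=source --chown=java:java /opt /opt
USER java"""

def names(db_text):
    """First colon-separated field of every passwd/group entry."""
    return {l.split(":", 1)[0] for l in db_text.splitlines() if l.strip()}

def final_stage(dockerfile):
    """Instructions from the last FROM onward (one instruction per line)."""
    lines = [l.strip() for l in dockerfile.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    starts = [i for i, l in enumerate(lines) if l.upper().startswith("FROM ")]
    return lines[starts[-1]:] if starts else lines

def unresolved(dockerfile, passwd=PASSWD, group=GROUP):
    """List (instruction, kind, name) for names missing from the final image."""
    dbs = (("user", names(passwd)), ("group", names(group)))
    problems = []
    for line in final_stage(dockerfile):
        m = (re.match(r"(?i)USER\s+(\S+)", line)
             or re.match(r"(?i)(?:COPY|ADD)\s.*?--chown=(\S+)", line))
        if not m:
            continue
        user, _, grp = m.group(1).partition(":")
        for name, (kind, known) in zip((user, grp), dbs):
            # Numeric IDs are used as-is and need no passwd/group entry.
            if name and not name.isdigit() and name not in known:
                problems.append((line, kind, name))
    return problems

if __name__ == "__main__":
    for line, kind, name in unresolved(BROKEN):
        print(f"{kind} {name!r} not in final image: {line}")
```
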