
How to add a directory where non-root user can write #427

Closed
fhoeben opened this issue Oct 30, 2019 · 10 comments

Comments

@fhoeben

fhoeben commented Oct 30, 2019

I would like to build my own image based on distroless java, using a Dockerfile, and add a directory where my application can write when it runs as a non-root user.

I don't seem to able to do this. I'm probably missing something obvious, but I just don't see it right now. So I'm hoping somebody might be able to point me in the right direction.

To be a bit more specific I would like to have an image based in distroless where my application runs as (normal, non-root) user 'java' and can write files in a directory '/opt'.

I tried creating a multi-stage docker file where I first create the user and the directory with the right permissions and then copy those to the distroless environment. But in that image the directory /opt will be owned by root and my java user does not have permission to write a new file.

FROM busybox as source
RUN addgroup -S java \
    && adduser -u 10001 -S -G java java --shell /sbin/nologin \
    && mkdir /opt \
    && chown java:java /opt

FROM gcr.io/distroless/java:11
COPY --from=source /etc/passwd /etc/passwd
USER java
COPY --from=source /opt /opt
WORKDIR /opt

@jugatsu

jugatsu commented Oct 30, 2019

You can use the --chown flag: https://docs.docker.com/engine/reference/builder/#copy

COPY --from=source --chown=java:java /opt /opt

@fhoeben
Author

fhoeben commented Oct 30, 2019

Thanks! Works like a charm (once I also copied /etc/group)

@fhoeben fhoeben closed this as completed Oct 30, 2019
@jugatsu

jugatsu commented Oct 30, 2019

@fhoeben You don't need to create a separate user - the distroless image already includes a nonroot user (65532:65532).

COPY --from=source --chown=65532:65532 /opt /opt

@fhoeben
Author

fhoeben commented Oct 30, 2019

@jugatsu Is this user also present in the passwd file in distroless Java?
When I refer to user 'nonroot' as the user I get "linux spec user: unable to find user nonroot: no matching entries in passwd file" when starting my container.

@jugatsu

jugatsu commented Oct 30, 2019

Yes, the user is present. Did you successfully build the image with the nonroot user?

docker run --rm -it --entrypoint=sh gcr.io/distroless/java:11-debug
/ # cat /etc/passwd
root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin
/ # cat /etc/group
root:x:0:
nobody:x:65534:
tty:x:5:
staff:x:50:
nonroot:x:65532:

@fhoeben
Author

fhoeben commented Oct 30, 2019

I was able to build the image, but then when I tried to start it (using docker-compose) I got the 'unable to find user' error.
When I use my own custom 'java' user I do not have that problem.

@jugatsu

jugatsu commented Oct 31, 2019

FROM openjdk:11-jdk-slim AS build-env
ADD . /app/examples
WORKDIR /app
RUN javac examples/*.java
RUN jar cfe main.jar examples.HelloJava examples/*.class

FROM gcr.io/distroless/java:11
COPY --from=build-env --chown=nonroot:nonroot /app /app
WORKDIR /app
USER nonroot
CMD ["main.jar"]

docker run --rm hello-java
Hello world

It works for me. @fhoeben Could you provide your Dockerfile, please?

@fhoeben
Author

fhoeben commented Oct 31, 2019

@jugatsu I must apologise. It's embarrassing, but I found why it didn't work for me. It was totally my own fault.
I created my own base image (with the java user) and copied its /etc/passwd into the distroless image. That, of course, overwrote the existing passwd file, so no wonder the nonroot user no longer worked.

@jugatsu

jugatsu commented Oct 31, 2019

@fhoeben Is everything working as expected?

@fhoeben
Author

fhoeben commented Oct 31, 2019

Yes. Thanks a lot for your support!
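An added check (example code, not from the issue or from the distroless project) for the two mistakes this thread works through: a COPY that lands on the distroless /etc/passwd or /etc/group, which discards the built-in nonroot user, and a COPY --from without --chown in an image that switches to a non-root USER, which leaves the copied directory root-owned and unwritable. The two sample Dockerfiles are constructed from the ones posted above; the awk-based lint and the function names are this example's own.

```shell
# Constructed copy of the thread's first attempt, written to the path in $1.
write_broken_dockerfile() {
    cat > "$1" <<'EOF'
FROM gcr.io/distroless/java:11
COPY --from=source /etc/passwd /etc/passwd
USER java
COPY --from=source /opt /opt
WORKDIR /opt
EOF
}

# The same image using the built-in nonroot user and COPY --chown.
write_fixed_dockerfile() {
    cat > "$1" <<'EOF'
FROM gcr.io/distroless/java:11
COPY --from=source --chown=nonroot:nonroot /opt /opt
WORKDIR /opt
USER nonroot
EOF
}

# Print one finding per line for the Dockerfile in $1; exit 1 if any, else 0.
lint_dockerfile() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { instr = toupper($1) }
        # Any USER other than root/0 means copied files need suitable ownership.
        instr == "USER" && $2 != "root" && $2 != "0" { nonroot = 1 }
        # Copying over /etc/passwd or /etc/group discards the base image entries,
        # including the distroless nonroot (65532) user.
        instr == "COPY" && ($NF == "/etc/passwd" || $NF == "/etc/group") {
            printf "line %d: COPY to %s overwrites the base image file\n", NR, $NF
            findings++
        }
        # Remember COPY --from lines without --chown; report them only if the
        # image actually runs as a non-root user (USER may come before or after).
        instr == "COPY" && $0 ~ /--from=/ && $0 !~ /--chown=/ { pending[NR] = 1 }
        END {
            if (nonroot)
                for (n in pending) {
                    printf "line %d: COPY --from without --chown leaves files root-owned\n", n
                    findings++
                }
            if (findings > 0) exit 1
        }
    ' "$1"
}
```

Running `write_broken_dockerfile /tmp/Dockerfile && lint_dockerfile /tmp/Dockerfile` reports three findings (the passwd overwrite plus two un-chowned COPY --from lines) and exits 1; the fixed Dockerfile produces none.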
