Minimal, safe solution for running docker processes as a non-root user.
Typically used with tini
(see below) to provide a well-managed environment for running applications or scripts within docker. tini
provides process management and resu
performs the privilege reduction.
The combination can be used for safer server management or to ensure created files in mounted volumes are owned by the correct user. (As when using mkdo to create build environments.)
First, instrument your favorite, minimalist docker image by installing tini
and resu
and using them as your Docker's entrypoint:
FROM debian:11.0
ENV TINI_VERSION v0.19.0
ENV RESU_VERSION 0.3.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /sbin/tini
ADD https://github.com/ben--/resu/releases/download/${RESU_VERSION}/resu /sbin/resu
RUN chmod +x /sbin/tini /sbin/resu
ENTRYPOINT ["/sbin/tini", "--", "/sbin/resu", "nobody:nogroup", "--"]
Then, run your normal application either using the CMD
Dockerfile directive or by putting a command on the docker run
command line.
A special version is provided for Alpine users that leverages musl-libc:
FROM alpine
ENV TINI_VERSION v0.19.0
ENV RESU_VERSION 0.3.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-static /sbin/tini
ADD https://github.com/ben--/resu/releases/download/${RESU_VERSION}/resu-alpine /sbin/resu
RUN chmod +x /sbin/tini /sbin/resu
ENTRYPOINT ["/sbin/tini", "--", "/sbin/resu", "nobody:nogroup", "--"]
$ resu --help
usage: resu user:group -- cmd [args...]
Both user and group are mandatory. They can either be names or numeric identifiers. If they are names, then they must be available in /etc/passwd
or /etc/group
within the docker.
The second argument to resu
is a double-dash after which the nested command and its arguments follow.