Add non-root user 'app' to all images #57

Merged
merged 4 commits into from Dec 5, 2022

@brunoborges brunoborges commented Nov 29, 2022

This PR adds a non-root user, named app.
Consumers of the image may choose to run Java applications with a non-root user.
By default, the image still runs as root.

Example of a consuming Dockerfile:

```dockerfile
FROM mcr.microsoft.com/openjdk/jdk:17-distroless
ADD target/myapp.jar /myapp.jar
USER app
CMD ["-jar", "/myapp.jar"]
```
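Because the image still defaults to root, a consuming project only gets the non-root user if its final stage sets `USER`. A static check for that, as an added example (not code from this PR or the repository; the passwd content with UID 1000 is a constructed placeholder, and `final_user` / `runs_as_non_root` are hypothetical helper names):

```python
import re

# Constructed /etc/passwd content; UID/GID 1000 for 'app' is a placeholder, not a value from the PR.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\napp:x:1000:1000::/home/app:/sbin/nologin\n"

# The consuming Dockerfile shown in the PR description.
CONSUMER = '''\
FROM mcr.microsoft.com/openjdk/jdk:17-distroless
ADD target/myapp.jar /myapp.jar
USER app
CMD ["-jar", "/myapp.jar"]
'''

def parse_passwd(text):
    """Map user name -> numeric UID from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users

def final_user(dockerfile):
    """Return the USER in effect at the end of the last stage (None = base image default)."""
    user = None
    for raw in dockerfile.splitlines():
        # Comment and blank lines never match; USER must be followed by whitespace.
        m = re.match(r"(?i)(FROM|USER)\s+(\S+)", raw.strip())
        if not m:
            continue
        if m.group(1).upper() == "FROM":
            user = None  # new stage; a stage built FROM an earlier stage is treated as root (conservative)
        else:
            user = m.group(2)
    return user

def runs_as_non_root(dockerfile, passwd_text):
    """True only if the final stage sets a USER that resolves to a non-zero UID."""
    user = final_user(dockerfile)
    if user is None:
        return False                  # no USER in the final stage: the base image default (root) applies
    name = user.split(":", 1)[0]      # USER accepts user[:group]
    if name.isdigit():
        return int(name) != 0
    uid = parse_passwd(passwd_text).get(name)
    return uid is not None and uid != 0   # unknown names and $VARIABLES fail closed

if __name__ == "__main__":
    print(final_user(CONSUMER), runs_as_non_root(CONSUMER, SAMPLE_PASSWD))
```

The check is static only: it does not follow line continuations or expand build arguments, and it does not replace a runtime test that the process actually runs as `app`.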

@karianna karianna left a comment

LGTM

@brunoborges

@joe-braley can you please write some tests on these images to check if they really run as app if the consuming image has USER app?

@joe-braley joe-braley left a comment

Approving since looks good. Though I do have a question for some of the docker files.

@@ -20,6 +20,15 @@ RUN mkdir -p /usr/lib/jvm && \
RUN mkdir /staging \
&& tdnf install -y --releasever=2.0 --installroot /staging zlib

# Create a non-root user and group (just like .NET's image)
RUN tdnf install -y gawk shadow-utils \
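Review bot: the comment above the new `RUN tdnf install -y gawk shadow-utils` line says only that a non-root user and group are created; it should also state the numeric UID and GID given to `app`, because consumers who want to set a numeric `USER` need that value and cannot read it from the name. This install also omits `--installroot /staging`, unlike the zlib line above it, so the tools stay in the build stage; the command is cut off after the backslash in this view, so confirm that the resulting passwd and group entries end up under `/staging`.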

Q: Do we want to run a tdnf clean all after the tdnf install?

Same question for the other tdnf commands throughout. I think that might help clean out any temp files and caches. But if there are not any then adding that command might not do anything useful.

@joe-braley

> @joe-braley can you please write some tests on these images to check if they really run as app if the consuming image has USER app?

Sure! I will create a ticket to track this internally.

@brunoborges brunoborges assigned brunoborges and unassigned joe-braley Dec 5, 2022
@brunoborges brunoborges merged commit eccade7 into main Dec 5, 2022
@brunoborges brunoborges deleted the non-root-user branch June 5, 2023 20:29