Closed kusaeva closed 9 months ago
Our image is based on `gcr.io/distroless/cc-debian11`, which does not include a shell by default.

You could do something like this:

```dockerfile
FROM busybox
FROM <buildbuddy-image>
COPY --from=0 /bin/ /bin/
```

which would add `busybox` to the final image as a shell.
Son's suggestion is great especially if you already have a Dockerfile and/or want to add other things to the docker image.
If all you want to do is run our image as non-root, you can alternatively just specify a non-root numeric user ID and group ID:
```sh
docker run --rm --user=1000:1000 gcr.io/flame-public/buildbuddy-app-onprem
```

BuildBuddy does not depend on `$USER` or `$HOME` (as far as I'm aware!) so a numeric uid/gid should be fine (no need to create a named user or provision a home directory). The advantage to this approach is that you preserve the distroless image, which has a reduced attack surface.
In kubernetes, this would be configured using `securityContext`:

```yaml
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
```
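An added example, not part of any comment in this thread and not BuildBuddy's code: a check that resolves the effective UID/GID of every container in a pod manifest, since a container-level `securityContext` overrides the pod-level one shown above. The JSON is a constructed sample shaped like `kubectl get pod -o json` output; the container names and the sidecar are hypothetical.

```python
import json

# Constructed sample, shaped like `kubectl get pod -o json` output. Container
# names and the sidecar are hypothetical; only the image name is from the thread.
SAMPLE_POD = json.loads("""
{
  "spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000},
    "containers": [
      {"name": "buildbuddy-app",
       "image": "gcr.io/flame-public/buildbuddy-app-onprem"},
      {"name": "sidecar", "image": "example.invalid/sidecar",
       "securityContext": {"runAsUser": 0}}
    ]
  }
}
""")

def effective_ids(pod):
    """Return {container: (uid, gid)}; container-level settings override pod-level."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    result = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # Each field is inherited independently from the pod-level context.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        gid = sc.get("runAsGroup", pod_sc.get("runAsGroup"))
        result[c["name"]] = (uid, gid)
    return result

def root_findings(pod):
    """List containers that run as UID 0 or leave the UID to the image default."""
    findings = []
    for name, (uid, _gid) in effective_ids(pod).items():
        if uid is None:
            findings.append((name, "runAsUser unset: image default user applies"))
        elif uid == 0:
            findings.append((name, "runAsUser is 0 (root)"))
    return findings

if __name__ == "__main__":
    for name, ids in effective_ids(SAMPLE_POD).items():
        print(name, ids)
    for name, reason in root_findings(SAMPLE_POD):
        print("FINDING", name, reason)
```
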
@sluongng @bduffany thank you both so much for your help!
Hello, and thank you for the great project! I have a question: is there a way to use a non-root user in the buildbuddy-app-onprem docker image? We have some security requirements, so I just tried to do something like:
But got an error:
No `sh` in container. Is there a way to resolve this somehow? Thank you anyway!