How do I run my Go application in the scratch container as the user "nobody?"

5

9

I don't want to run anything in a docker container as root. And I want minimalistic images.

I can run my compiled Go app in the scratch image without a problem. But when I don't want it to run as root (I assume it's running as root) and define USER nobody in the Dockerfile I get

014/10/25 06:07:10 Error response from daemon: Cannot start container 
4822f34e54e20bb580f8cd1d38d7be3c828f28595c2bebad6d827a17b4c2fe21: 
finalize namespace setup user get supplementary groups Unable to find user nobody

Here is my Dockerfile:

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001

EDIT ------------

Turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd, but there is no /bin/sh. RUN ["useradd"] would exec directly, but there is no useradd. I'd have to add rootfs.tar and build stuff from zero.

I'll use Debian as I don't want to run anything as root within a container because ...

Treat root within a container as if it is root outside of the container

Corruptible answered 25/10, 2014 at 10:48 Comment(1)
Use COPY instead of ADD. It is the official recommendation. Engrave
-1

Turns out that scratch is empty, very empty.

RUN useradd would execute /bin/sh -c useradd, but there is no /bin/sh. RUN ["useradd"] would exec directly, but there is no useradd. I'd have to add rootfs.tar and build stuff from zero.

I'll use Debian as I don't want to run anything as root within a container because ...

Treat root within a container as if it is root outside of the container

http://opensource.com/business/14/7/docker-security-selinux

Corruptible answered 26/10, 2014 at 17:47 Comment(1)
Accept what answers the question, not what you ended up doing. Engrave
12

The solution is to use multi-stage build and copy /etc/passwd, as explained in this nice blog-post by Liz Rice.

Filberte answered 23/12, 2018 at 12:3 Comment(1)
Maybe people mistakenly voted this as a "link-only" answer, but that's not the case. Idan, I made an edit to put the solution first so there's little room for doubt. Leekgreen
5

Create a file with the following content and COPY it into the scratch container as /etc/passwd.

nobody:*:65534:65534:nobody:/_nonexistent:/bin/false

You can COPY /bin/false as well; or you don’t, in which case, attempts to log in as nobody will simply just fail.

su: failed to execute /bin/false: No such file or directory
Bestiality answered 26/5, 2021 at 11:29 Comment(0)
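The two answers above (the multi-stage build that copies /etc/passwd, and the hand-written passwd record) can be combined into one Dockerfile. The following is an added example, not code from the question or from any of the answers: the first stage builds a static Go binary and writes minimal passwd and group records, the second stage is scratch and copies only those files in, so that USER nobody can be resolved at container start. The golang base image tag, the /src and /out paths, and the assumption that the build context contains a Go module and a web directory are all assumptions made here; the uid/gid 65534 and the /nonexistent home directory follow the convention used for "nobody" on common distributions.

```dockerfile
# Added example (not from the original question or answers).
# Stage 1: build a static binary and prepare the account files.
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 gives a static binary, which scratch requires (no libc inside).
RUN CGO_ENABLED=0 GOOS=linux go build -o /out/lichtpunkt_go_linux_amd64 .
# Minimal passwd/group records for "nobody". A non-existent home directory and
# a non-existent login shell keep the account unusable for anything but running
# the process; the daemon only needs the name -> uid/gid mapping.
RUN printf 'nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin\n' > /out/passwd \
 && printf 'nobody:x:65534:\n' > /out/group

# Stage 2: the runtime image contains only the binary, assets and account files.
FROM scratch
COPY --from=build /out/passwd /etc/passwd
COPY --from=build /out/group  /etc/group
COPY --from=build /out/lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
COPY web /web
# Resolved against the /etc/passwd copied above; with no passwd file this line
# fails with "Unable to find user nobody", as in the question.
USER nobody
EXPOSE 3001
ENTRYPOINT ["/lichtpunkt_go_linux_amd64"]
```

Build it with docker build -t lichtpunkt . and confirm the effective user with docker run --rm lichtpunkt, or inspect it with docker inspect --format '{{.Config.User}}' lichtpunkt. If the application needs to write anywhere, the target directory must be created and chowned to 65534 in the build stage and copied in with COPY --from=build --chown=65534:65534, since nothing inside scratch can create it later.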
2

Before the USER command, add this line: ADD passwd.minimal /etc/passwd

With the following line in the file passwd.minimal: nobody:x:65534:65534:Nobody:/:

Bain answered 24/11, 2014 at 20:44 Comment(2)
Use COPY instead of ADD. It is the official recommendation. Engrave
The passwd record is not secure. Its home-dir field is the root directory, and its login-shell field is empty, which defaults to /usr/bin/sh (if it exists in the scratch container). Engrave
-3

You still have to add the user before you can use it with the USER command.

FROM scratch
ADD lichtpunkt_go_linux_amd64 /lichtpunkt_go_linux_amd64
ADD web /web
RUN useradd nobody
USER nobody
CMD ["./lichtpunkt_go_linux_amd64"]
EXPOSE 3001
Comras answered 26/10, 2014 at 14:51 Comment(1)
Turns out that scratch is empty. RUN useradd would execute /bin/sh -c, but there is no /bin/sh. RUN ["useradd"] would exec directly, but there is no useradd. I'd have to add rootfs.tar and build stuff from zero. I'll use Debian. Thx Corruptible
