diff --git a/Distroless/distroless-base-nonroot/2.38/24.03-lts/Dockerfile b/Distroless/distroless-base-nonroot/2.38/24.03-lts/Dockerfile index 8c395293868c845cbf53a3b6861ded5b1ce956e0..1c7ea77abc827d0796e71d136e9071ebe3149dd2 100644 --- a/Distroless/distroless-base-nonroot/2.38/24.03-lts/Dockerfile +++ b/Distroless/distroless-base-nonroot/2.38/24.03-lts/Dockerfile @@ -1,26 +1,13 @@ ARG BASE=openeuler/openeuler:24.03-lts FROM ${BASE} as builder -WORKDIR /tmp - -RUN echo "root:x:0:0:root:/root:/sbin/nologin" > passwd && \ - echo "nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin" >> passwd && \ - echo "nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin" >> passwd - -RUN echo "root:x:0:" > group && \ - echo "nobody:x:65534:" >> group && \ - echo "tty:x:5:" >> group && \ - echo "staff:x:50:" >> group && \ - echo "nonroot:x:65532:" >> group - -RUN mkdir -p /home/nonroot && \ - chmod 700 /home/nonroot +RUN dnf install -y shadow-utils && \ + groupadd -g 65532 nonroot && \ + useradd -u 65532 -g 65532 -s /sbin/nologin nonroot FROM openeuler/distroless-base:2.38-oe2403lts -COPY --from=builder /tmp/passwd /etc/passwd -COPY --from=builder /tmp/group /etc/group -COPY --from=builder --chown=nonroot:nonroot /home/nonroot /home/nonroot +COPY --from=builder /etc/passwd /etc/passwd +COPY --from=builder /etc/group /etc/group -USER nonroot -WORKDIR /home/nonroot \ No newline at end of file +USER nonroot \ No newline at end of file diff --git a/Distroless/distroless-base-nonroot/README.md b/Distroless/distroless-base-nonroot/README.md new file mode 100644 index 0000000000000000000000000000000000000000..d8d78550a6f35340bc9d7da528a32db4ef418ed6 --- /dev/null +++ b/Distroless/distroless-base-nonroot/README.md 
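Review bot: The two new `COPY --from=builder /etc/passwd /etc/passwd` / `COPY --from=builder /etc/group /etc/group` lines ship the full account database of the openEuler builder stage into the distroless image, replacing the hand-written three-user passwd and five-entry group the hunk removes; the README added in the same commit still describes the result as a "Minimal `/etc/passwd` file with the dedicated non-root user", so the implementation and the documentation now disagree, and the runtime image inherits every builder system account (presumably root with a login shell, plus the usual daemon/bin/etc. entries — worth confirming against the base image). The new side also drops the `COPY ... /home/nonroot` and `WORKDIR /home/nonroot` lines without replacing them, so the home directory named in the `nonroot` passwd entry does not exist in the final image and the container starts in a root-owned `/`; an application that writes to `$HOME` or its working directory will fail with a permission error. I would keep `useradd` as the source of truth but filter the generated files down to the accounts the image actually needs, and restore the home directory and `WORKDIR` so the UID 65532 user has a writable location; using a numeric `--chown` avoids depending on name resolution in the distroless stage.

```dockerfile
RUN dnf install -y shadow-utils && \
    groupadd -g 65532 nonroot && \
    useradd -u 65532 -g 65532 -M -d /home/nonroot -s /sbin/nologin nonroot && \
    grep -E '^(root|nobody|nonroot):' /etc/passwd > /tmp/passwd && \
    grep -E '^(root|nobody|nonroot):' /etc/group > /tmp/group && \
    mkdir -p /home/nonroot && chmod 700 /home/nonroot

FROM openeuler/distroless-base:2.38-oe2403lts
COPY --from=builder /tmp/passwd /etc/passwd
COPY --from=builder /tmp/group /etc/group
COPY --from=builder --chown=65532:65532 /home/nonroot /home/nonroot

USER nonroot
WORKDIR /home/nonroot
```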
@@ -0,0 +1,79 @@ +# Quick reference + +- The official distroless-base-nonroot docker image. + +- Maintained by: [openEuler CloudNative SIG](https://gitee.com/openeuler/cloudnative). + +- Where to get help: [openEuler CloudNative SIG](https://gitee.com/openeuler/cloudnative), [openEuler](https://gitee.com/openeuler/community). + +# distroless-base-nonroot | distroless-base +This image is based on the `distroless-base` image, with an added non-root user. +It allows you to run applications as a non-root user by default for improved security. + +The key differences compared to `distroless-base` are as follows: + +1. **Minimal `/etc/passwd` file with the dedicated non-root user**: + - `nonroot` user (custom unprivileged user for running applications) + +2. **Minimal `/etc/group` file with the dedicated non-root group**: + - `nonroot` group (custom unprivileged group) + +# Supported tags and respective Dockerfile links +The tag of each `distroless-base-nonroot` docker image is consist of the version of `glibc` and version of openEuler. The details are as follows + +| Tag | Currently | Architectures | +|----------|-------------|------------------| +|[2.38-oe2403lts](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base/2.38/24.03-lts/Distrofile)| Glibc 4.1.4 on openEuler 24.03-LTS | amd64, arm64 | + +# Usage +Based on the usage of the [distroless-base](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base/README.md), you can specify a non-root user in your image if needed. +``` +# Dockerfile + +FROM openeuler/openeuler:24.03-lts AS build-env +COPY . 
/app +WORKDIR /app +RUN yum install -y gcc g++ +RUN cc hello.c -o hello + +FROM openeuler/distroless-base-nonroot:2.38-oe2403lts +COPY --from=build-env /app /app +WORKDIR /app +USER nonroot +CMD ["./hello"] +``` + +# Custom user example +In addition to the fixed `nonroot` user, you can also create custom users and groups just like the distroless-base-nonroot image does. + +In the following `Dockerfile`, you can replace `USERNAME`, `UID`, `GROUP`, and `GID` with your desired values: +``` +FROM openeuler/openeuler:24.03-lts AS build-env + +RUN dnf install -y shadow-utils && \ + groupadd -g && \ + useradd -u -g -s /sbin/nologin + +# Build app +RUN ... + +FROM openeuler/distroless-{base/cc/python/...}:{TAG} +COPY --from=build-env /etc/passwd /etc/passwd +COPY --from=build-env /etc/group /etc/group + +# Copy your app from the builder stage +COPY --from=build-env /app /app + +WORKDIR /app +USER +CMD ["./app"] +``` + +**Remark:** + +* The `/etc/passwd` and `/etc/group` files are required because distroless images do not include traditional user/group management tools. +* Make sure the `UID` and `GID` you assign are unprivileged and do not conflict with existing system users or groups. +* The `--chown` flag ensures that file ownership is correctly set in the final image during the copy process. + +# Question and answering +If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-base/README.md b/Distroless/distroless-base/README.md index 990a885b5cdff815951449d705d6641b81b59c8a..62836b6f54de5f5178cfcfbbedf2c39d19663863 100644 --- a/Distroless/distroless-base/README.md +++ b/Distroless/distroless-base/README.md 
@@ -39,6 +39,9 @@ COPY --from=build-env /app /app WORKDIR /app CMD ["./hello"] ``` + +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-cc/README.md b/Distroless/distroless-cc/README.md index e435af262042c7955aa906d2cbf9cdbca8283e7e..b9c334d40cd22a15212cf14cd399e3c3cc0984fb 100644 --- a/Distroless/distroless-cc/README.md +++ b/Distroless/distroless-cc/README.md @@ -37,6 +37,8 @@ COPY --from=build-env /app /app WORKDIR /app CMD ["./hello"] ``` - +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). + # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-php/README.md b/Distroless/distroless-php/README.md index 9c7f123ec452bac26039784c491fbfe1178b3946..e58c4b90743c17a3e85ec2490807f7ce9a572262 100644 --- a/Distroless/distroless-php/README.md +++ b/Distroless/distroless-php/README.md 
@@ -45,6 +45,9 @@ The result is 测试通过: -1 + (-1) = -2 测试通过: 整数溢出检测(捕获异常: add(): Return value must be of type int, float returned) ``` - + +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). + # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-pip/README.md b/Distroless/distroless-pip/README.md index c6bddf687bda5c78dc9dba2e2ee4b7e53af350d9..400bf29fff290ca83ba41d9d4c83022d29fc1ff1 100644 --- a/Distroless/distroless-pip/README.md +++ b/Distroless/distroless-pip/README.md @@ -31,5 +31,8 @@ RUN pip install numpy RUN pip install -r requirements.txt ``` +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). + # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-ruby/README.md b/Distroless/distroless-ruby/README.md index f2e1d239a8ad869688b566c4fe9c9461608d85bc..38c2a86b332420ba81d27b108681f4309f473cc1 100644 --- a/Distroless/distroless-ruby/README.md +++ b/Distroless/distroless-ruby/README.md @@ -36,6 +36,7 @@ COPY . . CMD ["./your-daemon-or-script.rb"] ``` + Put this file in the root of your app, next to the Gemfile. You can then build and run the Ruby image: 
@@ -44,6 +45,7 @@ $ docker build -t my-ruby-app . $ docker run -it --name my-running-script my-ruby-app ``` + **Generate a Gemfile.lock** The above example Dockerfile expects a Gemfile.lock in your app directory. This docker run will help you generate one. Run it in the root of your app, next to the Gemfile: @@ -54,8 +56,13 @@ $ docker run --rm -v "$PWD":/usr/src/app -w /usr/src/app openeuler/distroless-ru **Run a single Ruby script** For many simple, single file projects, you may find it inconvenient to write a complete Dockerfile. In such cases, you can run a Ruby script by using the Ruby Docker image directly, for [example](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-ruby/): + ``` $ docker run -it --rm $PWD/example:/usr/src/myapp -w /usr/src/myapp openeuler/distroless-ruby:3.2.2-oe2403lts ruby example.rb -``` +``` + +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). + # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-static/README.md b/Distroless/distroless-static/README.md index af98dabe9658953fa2876fc17438b8f3ceb6acef..096a62b538f91a90308ed080febb746d1a6687f7 100644 --- a/Distroless/distroless-static/README.md +++ b/Distroless/distroless-static/README.md 
@@ -36,6 +36,9 @@ FROM openeuler/distroless-static:1.0.0-oe2403lts COPY --from=build /go/bin/app / CMD ["/app"] ``` + +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file