From 67359084aa2fdc8d48a40f20bf511cb2d5084dbb Mon Sep 17 00:00:00 2001 From: GuangJie1 Date: Thu, 26 Jun 2025 17:43:59 +0800 Subject: [PATCH] add distroless-nonroot readme update non-root dockerfile --- .../2.38/24.03-lts/Dockerfile | 25 ++---- Distroless/distroless-base-nonroot/README.md | 79 +++++++++++++++++++ Distroless/distroless-base/README.md | 3 + Distroless/distroless-cc/README.md | 4 +- Distroless/distroless-php/README.md | 5 +- Distroless/distroless-pip/README.md | 3 + Distroless/distroless-ruby/README.md | 9 ++- Distroless/distroless-static/README.md | 3 + 8 files changed, 109 insertions(+), 22 deletions(-) create mode 100644 Distroless/distroless-base-nonroot/README.md diff --git a/Distroless/distroless-base-nonroot/2.38/24.03-lts/Dockerfile b/Distroless/distroless-base-nonroot/2.38/24.03-lts/Dockerfile index 8c395293..1c7ea77a 100644 --- a/Distroless/distroless-base-nonroot/2.38/24.03-lts/Dockerfile +++ b/Distroless/distroless-base-nonroot/2.38/24.03-lts/Dockerfile 
@@ -1,26 +1,13 @@
 ARG BASE=openeuler/openeuler:24.03-lts
 FROM ${BASE} as builder
 
-WORKDIR /tmp
-
-RUN echo "root:x:0:0:root:/root:/sbin/nologin" > passwd && \
- echo "nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin" >> passwd && \
- echo "nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin" >> passwd
-
-RUN echo "root:x:0:" > group && \
- echo "nobody:x:65534:" >> group && \
- echo "tty:x:5:" >> group && \
- echo "staff:x:50:" >> group && \
- echo "nonroot:x:65532:" >> group
-
-RUN mkdir -p /home/nonroot && \
- chmod 700 /home/nonroot
+RUN dnf install -y shadow-utils && \
+ groupadd -g 65532 nonroot && \
+ useradd -u 65532 -g 65532 -s /sbin/nologin nonroot
 
 FROM openeuler/distroless-base:2.38-oe2403lts
 
-COPY --from=builder /tmp/passwd /etc/passwd
-COPY --from=builder /tmp/group /etc/group
-COPY --from=builder --chown=nonroot:nonroot /home/nonroot /home/nonroot
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
 
-USER nonroot
-WORKDIR /home/nonroot
\ No newline at end of file
+USER nonroot
\ No newline at end of file
diff --git a/Distroless/distroless-base-nonroot/README.md b/Distroless/distroless-base-nonroot/README.md
new file mode 100644
index 00000000..d8d78550
--- /dev/null
+++ b/Distroless/distroless-base-nonroot/README.md
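Review bot: The two new `COPY --from=builder /etc/passwd` / `/etc/group` lines copy the builder's complete account database — every system user and group of the full openeuler:24.03-lts image — into the distroless stage, whereas the removed lines shipped exactly three users and five groups; that widens the account list of an image whose purpose is to be minimal, and the new README describes its `/etc/passwd` as "minimal". The removed `mkdir -p /home/nonroot` / `chmod 700`, the `--chown=nonroot:nonroot` copy of that directory and `WORKDIR /home/nonroot` have no replacement, so in the new image `nonroot`'s home entry points at a directory that is never copied in and the working directory falls back to `/`; anything that writes under `$HOME` will fail at runtime (unless the distroless-base image itself provides `/home/nonroot`, which the hunk does not show). Keeping the shadow-utils approach but filtering the generated files down to the needed entries, creating the home directory in the builder and copying it with `--chown` as before, preserves both properties; `CREATE_HOME` in the builder's login.defs may already create the directory, so `mkdir -p` is only a guard.
```dockerfile
RUN dnf install -y shadow-utils && \
    groupadd -g 65532 nonroot && \
    useradd -u 65532 -g 65532 -d /home/nonroot -s /sbin/nologin nonroot && \
    grep -E '^(root|nobody|nonroot):' /etc/passwd > /tmp/passwd && \
    grep -E '^(root|nobody|nonroot):' /etc/group > /tmp/group && \
    mkdir -p /home/nonroot && chmod 700 /home/nonroot

FROM openeuler/distroless-base:2.38-oe2403lts

COPY --from=builder /tmp/passwd /etc/passwd
COPY --from=builder /tmp/group /etc/group
COPY --from=builder --chown=nonroot:nonroot /home/nonroot /home/nonroot

USER nonroot
WORKDIR /home/nonroot
```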
@@ -0,0 +1,79 @@
+# Quick reference
+
+- The official distroless-base-nonroot docker image.
+
+- Maintained by: [openEuler CloudNative SIG](https://gitee.com/openeuler/cloudnative).
+
+- Where to get help: [openEuler CloudNative SIG](https://gitee.com/openeuler/cloudnative), [openEuler](https://gitee.com/openeuler/community).
+
+# distroless-base-nonroot | distroless-base
+This image is based on the `distroless-base` image, with an added non-root user.
+It allows you to run applications as a non-root user by default for improved security.
+
+The key differences compared to `distroless-base` are as follows:
+
+1. **Minimal `/etc/passwd` file with the dedicated non-root user**:
+ - `nonroot` user (custom unprivileged user for running applications)
+
+2. **Minimal `/etc/group` file with the dedicated non-root group**:
+ - `nonroot` group (custom unprivileged group)
+
+# Supported tags and respective Dockerfile links
+The tag of each `distroless-base-nonroot` docker image is consist of the version of `glibc` and version of openEuler. The details are as follows
+
+| Tag | Currently | Architectures |
+|----------|-------------|------------------|
+|[2.38-oe2403lts](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base/2.38/24.03-lts/Distrofile)| Glibc 4.1.4 on openEuler 24.03-LTS | amd64, arm64 |
+
+# Usage
+Based on the usage of the [distroless-base](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base/README.md), you can specify a non-root user in your image if needed.
+```
+# Dockerfile
+
+FROM openeuler/openeuler:24.03-lts AS build-env
+COPY . /app
+WORKDIR /app
+RUN yum install -y gcc g++
+RUN cc hello.c -o hello
+
+FROM openeuler/distroless-base-nonroot:2.38-oe2403lts
+COPY --from=build-env /app /app
+WORKDIR /app
+USER nonroot
+CMD ["./hello"]
+```
+
+# Custom user example
+In addition to the fixed `nonroot` user, you can also create custom users and groups just like the distroless-base-nonroot image does.
+
+In the following `Dockerfile`, you can replace `USERNAME`, `UID`, `GROUP`, and `GID` with your desired values:
+```
+FROM openeuler/openeuler:24.03-lts AS build-env
+
+RUN dnf install -y shadow-utils && \
+ groupadd -g && \
+ useradd -u -g -s /sbin/nologin
+
+# Build app
+RUN ...
+
+FROM openeuler/distroless-{base/cc/python/...}:{TAG}
+COPY --from=build-env /etc/passwd /etc/passwd
+COPY --from=build-env /etc/group /etc/group
+
+# Copy your app from the builder stage
+COPY --from=build-env /app /app
+
+WORKDIR /app
+USER
+CMD ["./app"]
+```
+
+**Remark:**
+
+* The `/etc/passwd` and `/etc/group` files are required because distroless images do not include traditional user/group management tools.
+* Make sure the `UID` and `GID` you assign are unprivileged and do not conflict with existing system users or groups.
+* The `--chown` flag ensures that file ownership is correctly set in the final image during the copy process.
+
+# Question and answering
+If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images).
\ No newline at end of file
diff --git a/Distroless/distroless-base/README.md b/Distroless/distroless-base/README.md
index 990a885b..62836b6f 100644
--- a/Distroless/distroless-base/README.md
+++ b/Distroless/distroless-base/README.md
@@ -39,6 +39,9 @@ COPY --from=build-env /app /app
 WORKDIR /app
 CMD ["./hello"]
 ```
+
+# Run Applications as a Non-Root User
+For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md).
 
 # Question and answering
 If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images).
\ No newline at end of file
diff --git a/Distroless/distroless-cc/README.md b/Distroless/distroless-cc/README.md
index e435af26..b9c334d4 100644
--- a/Distroless/distroless-cc/README.md
+++ b/Distroless/distroless-cc/README.md
@@ -37,6 +37,8 @@ COPY --from=build-env /app /app
 WORKDIR /app
 CMD ["./hello"]
 ```
-
+# Run Applications as a Non-Root User
+For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md).
+
 # Question and answering
 If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images).
\ No newline at end of file
diff --git a/Distroless/distroless-php/README.md b/Distroless/distroless-php/README.md
index 9c7f123e..e58c4b90 100644
--- a/Distroless/distroless-php/README.md
+++ b/Distroless/distroless-php/README.md
@@ -45,6 +45,9 @@ The result is 测试通过: -1 + (-1) = -2 测试通过: 整数溢出检测(捕获异常: add(): Return value must be of type int, float returned) ``` - + +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). + # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-pip/README.md b/Distroless/distroless-pip/README.md index c6bddf68..400bf29f 100644 --- a/Distroless/distroless-pip/README.md +++ b/Distroless/distroless-pip/README.md @@ -31,5 +31,8 @@ RUN pip install numpy RUN pip install -r requirements.txt ``` +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). + # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-ruby/README.md b/Distroless/distroless-ruby/README.md index f2e1d239..38c2a86b 100644 --- a/Distroless/distroless-ruby/README.md +++ b/Distroless/distroless-ruby/README.md @@ -36,6 +36,7 @@ COPY . . CMD ["./your-daemon-or-script.rb"] ``` + Put this file in the root of your app, next to the Gemfile. You can then build and run the Ruby image: 
@@ -44,6 +45,7 @@ $ docker build -t my-ruby-app . $ docker run -it --name my-running-script my-ruby-app ``` + **Generate a Gemfile.lock** The above example Dockerfile expects a Gemfile.lock in your app directory. This docker run will help you generate one. Run it in the root of your app, next to the Gemfile: @@ -54,8 +56,13 @@ $ docker run --rm -v "$PWD":/usr/src/app -w /usr/src/app openeuler/distroless-ru **Run a single Ruby script** For many simple, single file projects, you may find it inconvenient to write a complete Dockerfile. In such cases, you can run a Ruby script by using the Ruby Docker image directly, for [example](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-ruby/): + ``` $ docker run -it --rm $PWD/example:/usr/src/myapp -w /usr/src/myapp openeuler/distroless-ruby:3.2.2-oe2403lts ruby example.rb -``` +``` + +# Run Applications as a Non-Root User +For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md). + # Question and answering If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images). \ No newline at end of file diff --git a/Distroless/distroless-static/README.md b/Distroless/distroless-static/README.md index af98dabe..096a62b5 100644 --- a/Distroless/distroless-static/README.md +++ b/Distroless/distroless-static/README.md 
@@ -36,6 +36,9 @@ FROM openeuler/distroless-static:1.0.0-oe2403lts
 COPY --from=build /go/bin/app /
 CMD ["/app"]
 ```
+
+# Run Applications as a Non-Root User
+For implementation details, refer to the [distroless-base-nonroot documentation](https://gitee.com/openeuler/openeuler-docker-images/blob/master/Distroless/distroless-base-nonroot/README.md).
 
 # Question and answering
 If you have any questions or want to use some special features, please submit an issue or a pull request on [openeuler-docker-images](https://gitee.com/openeuler/openeuler-docker-images).
\ No newline at end of file
-- 
Gitee