buildbuddy-io / buildbuddy

BuildBuddy is an open source Bazel build event viewer, result store, remote cache, and remote build execution platform.

Home Page: https://buildbuddy.io

Non-root user in buildbuddy-app-onprem

kusaeva opened this issue · comments

Hello and thank you for the great project!
I have a question: is there a way to use a non-root user in the buildbuddy-app-onprem docker image?
We have some security requirements, so I just tried to do something like:

ARG VERSION
FROM gcr.io/flame-public/buildbuddy-app-onprem:$VERSION
RUN groupadd -r buildbuddy && useradd -r -g buildbuddy -m -d /home/buildbuddy buildbuddy
USER buildbuddy

But I got an error:

runc run failed: unable to start container process: exec: "/bin/sh": stat /bin/sh: no such file or directory

No sh in container.
Is there a way to resolve this somehow?
Thank you anyway!

Our image is based on gcr.io/distroless/cc-debian11 which does not include a shell by default.

You could do something like this:

FROM busybox
FROM <buildbuddy-image>
COPY --from=0 /bin/ /bin/

which would add busybox to the final image as a shell.

Son's suggestion is great, especially if you already have a Dockerfile and/or want to add other things to the docker image.

If all you want to do is run our image as non-root, you can alternatively just specify a non-root numeric user ID and group ID:

docker run --rm --user=1000:1000 gcr.io/flame-public/buildbuddy-app-onprem

BuildBuddy does not depend on $USER or $HOME (as far as I'm aware!) so a numeric uid/gid should be fine (no need to create a named user or provision a home directory). The advantage to this approach is that you preserve the distroless image, which has a reduced attack surface.

In Kubernetes, this would be configured using securityContext:

spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
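The two suggestions above combined into one Dockerfile, as an added example that is not part of this thread or of the BuildBuddy project. It assumes the image tag is passed in as the VERSION build arg (as in the original question) and that uid/gid 1000 are unused inside the image; the busybox stage is only there for people who need a shell for RUN steps or for debugging, and the numeric USER line is what actually drops root.

```dockerfile
# Added example; not the BuildBuddy project's own Dockerfile.
ARG VERSION

# Stage "shell": a static busybox to borrow /bin/sh and friends from.
# Only needed if you must run RUN steps or exec a shell in the container.
FROM busybox:stable AS shell

# Final stage: the distroless BuildBuddy on-prem image.
FROM gcr.io/flame-public/buildbuddy-app-onprem:$VERSION

# Copies busybox plus its applet symlinks (including /bin/sh) into the image.
# Delete this line and the "shell" stage above to keep the image shell-free,
# which preserves the reduced attack surface of the distroless base.
COPY --from=shell /bin/ /bin/

# A numeric uid:gid needs no /etc/passwd entry, no home directory and no
# shell, so it works in distroless without any useradd/groupadd RUN step.
# 1000:1000 is an assumed value; any non-zero pair that suits your host works.
USER 1000:1000
```

If you drop the busybox stage, the resulting image still runs as uid 1000, and the same numeric id can be pinned at deploy time with `--user=1000:1000` or the `runAsUser`/`runAsGroup` fields shown above. In Kubernetes, adding `runAsNonRoot: true` to that `securityContext` makes the kubelet refuse to start the container if the effective user would be 0, so a regression back to root in a later image is caught at pod start rather than going unnoticed.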

@sluongng @bduffany thank you both so much for your help!