RunAs unprivileged user

[vic3lord]

Is there a plan to support a non-root user inside base?

[mariusgrigoriu]

I believe it is already supported in the sense that you can run a Distroless-based image as some other user. Is your question that the image should default to a non-root user? If yes, then which UID is safe on all systems?

[vic3lord]

@mariusgrigoriu yes, I meant as a default value. I think something above 1000 is safe, unless there's something I am missing.

[mariusgrigoriu]

I've seen user accounts in the 5000s for GKE/COS. Other systems and their admins may decide on other UID ranges. Seems like a base image should be able to operate under any UID according to the sys admin's preferences.

[dlorenc]

I don't think we'll be changing the default of this from 0. Most other official images use 0, and it's easily overrideable in the runtime or in a base image.

[chanseokoh]

Opening for discussion from #306.

Most other official images use 0,

I had a similar argument, but @HazCod's argument was that those images keep the root mainly due to the existence of a package manager, which doesn't apply to Distroless.

In any case, if we do this, not sure if nobody would be a good fit, considering its nature. (Also nobody's home would be set to /nonexistent), so we may need to add a proper new user?

[briandealwis]

I'll add that we recommend avoiding running as root in our Best Practices for Operating Containers.

My only argument against using nobody is that the container user should have a home directory so that there's a place for dotfiles (e.g., ~/.docker/config.json) to be installed.

[mattmoor]

I'd love to see us at a minimum publish :nonroot images, which consuming projects (e.g. ko, jib, bazel) can opt over to case-by-case.

cc @jonjohnsonjr Can you TAL?

[jonjohnsonjr]

The disastrous python2 -> python3 migration may be our industry's greatest blunder.

[pmorie]

I second @mattmoor's statements. Specific use case for me is publishing knative images that don't take root privs. Currently it appears that ko will have to inherit this from the base image.

[chanseokoh]

FTR, now the images have a user and a group all named "nonroot".

/etc/passwd content:

root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin

/etc/group content:

root:x:0:
nobody:x:65534:
tty:x:5:
staff:x:50:
nonroot:x:65532:

[loosebazooka]

This doesn't apply to the language builds yet, does it?

[chanseokoh]

@loosebazooka all the images have the nonroot user and group. By default, all the images without the tag :nonroot run as root as usual. It is just that only the images with the :nonroot tag run as the nonroot user by default. And so far, only a small number of repositories introduced the :nonroot tag.