Using unprivileged users

[jaxxstorm]

I'm trying to modify a docker image using the distroless base image. I added a USER directive to run as the binary, and as expected the run CMD failed due to the user not existing.

According to #235 it should be easy to override, but adding the user isn't actually possible because you can't RUN anything because of the lack of a shell.

How should one add another user here?

[chanseokoh]

On Linux, you would normally use useradd and groupadd (e.g., like this), but of course, distroless doesn't have them, not to mention a shell.

I believe all you need is to have the right entry in /etc/passwd (and /etc/group if applicable), so I guess you can supply a custom passwd file.

[jaxxstorm]

Yeah makes sense, thanks

[chanseokoh]

Oh, I forgot to say this. If it is fine to use a uid (i.e., number) and you don't have to use a name (like myname), you don't necessarily have to add a user, for example, if all you want is to run your application inside the container as a non-root.