6.2.Docker as NonRoot
This time we configure a non-root user in the Dockerfile to build a container image that will run using without the root user.
Regarding the group-id (gid) and user-id (uid) you should use one above '1000' to avoid using any system user. If you want to be really on the safe side you even leave out all local users (reserved numbers up to 10000) by chosing a number above '10000' (reserved for remote users).
You can prove that the container now does not run with root any more by using these commands:
This should return the following user information (it should not be root any more)
But this time instead of using a Dockerfile we will use Google JIB to build the container image.
Using JIB has the following advantages compared to classical image creation using Dockerfile:
With JIB you even can build a container image without a docker daemon installed on your machine.
Building images repeatedly is much faster as JIB optimizes this to the typical development flow (i.e. the application code changes much more frequently then dependencies).
JIB uses the Google Distroless Base Images that only include the minimum components just to execute the desired process (e.g. Go or Java)
JIB works by using adding a plugin to your maven or gradle build. So here we add the plugin to our gradle build and also configure a non-root user in the gradle.build file to build a container image that will run using without the root user.
You can prove this by using these commands:
This time this should report an error as in the distroless image, as used by JIB as default, there even is no shell installed and so no whoami command is possible.
You should also be able to reach the dockerized application again via localhost:8080.
Finally stop the running container by using the following command:
Check image for Vulnerabilities
Now we can check our image for vulnerabilities with high and critical severities using this command:
Next
Last updated