
# Rootless Container

This demo builds an improved docker image from the demo application just using a standard *Dockerfile*. For details on the demo application see [hello spring boot application](/secure-kubernetes-development/application-security/step1-hello-spring-boot.md).

This time we configure a non-root user in the *Dockerfile* so that the resulting container image runs without the root user.

```dockerfile
FROM bellsoft/liberica-openjre-debian:17.0.5-8
COPY step3-hello-rootless-1.0.0-SNAPSHOT.jar app.jar
EXPOSE 8080
# create a dedicated system group and system user (no home directory, no login shell) with fixed ids
RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser
# switch to the numeric uid; a number (rather than a name) lets the runtime verify the process is not uid 0
USER 1002
ENTRYPOINT java -jar /app.jar
```

For the group id (gid) and user id (uid) you should choose a number above 1000 to avoid colliding with any system user. If you want to be really on the safe side, choose a number above 10000: numbers up to 10000 are reserved for local users, numbers above 10000 for remote users, so this also stays clear of all local users.
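The following script is an added example, not code from the original guide: a static check that resolves the effective `USER` of the final build stage of a Dockerfile and classifies the uid against the ranges named above (above 1000 to clear system users, above 10000 to clear local users). It also resolves user names created by `adduser`/`useradd` in `RUN` lines and resets the user on every `FROM`, since each stage of a multi-stage build starts as root again. The two Dockerfile strings are constructed samples; the function and variable names are assumptions for this example.

```python
"""Static check of a Dockerfile against the non-root guidance above (added example)."""
import re
import shlex

# Constructed sample: the rootless Dockerfile shown on this page.
ROOTLESS_DOCKERFILE = """\
FROM bellsoft/liberica-openjre-debian:17.0.5-8
COPY step3-hello-rootless-1.0.0-SNAPSHOT.jar app.jar
EXPOSE 8080
RUN addgroup --system --gid 1002 app && adduser --system --uid 1002 --gid 1002 appuser
USER 1002
ENTRYPOINT java -jar /app.jar
"""

# Constructed sample: the same image without a USER instruction, so it runs as root.
ROOT_DOCKERFILE = """\
FROM bellsoft/liberica-openjre-debian:17.0.5-8
COPY step3-hello-rootless-1.0.0-SNAPSHOT.jar app.jar
ENTRYPOINT java -jar /app.jar
"""

# adduser/useradd options that take a separate value (so the value is not mistaken for the user name)
_VALUE_OPTS = {"-u", "--uid", "-g", "--gid", "--ingroup", "-G", "--groups", "-d", "--home",
               "-s", "--shell", "-c", "--comment", "--gecos", "-p", "--password", "-k", "--skel"}


def _instructions(text):
    """Yield (INSTRUCTION, arguments) pairs; comments are dropped, backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def _users_created(run_args):
    """Map user names created by adduser/useradd in a RUN line to their numeric uid."""
    created = {}
    for segment in re.split(r"&&|\|\||;", run_args):
        try:
            tokens = shlex.split(segment)
        except ValueError:
            continue
        if not tokens or tokens[0] not in ("adduser", "useradd"):
            continue
        uid = name = None
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("--") and "=" in tok:          # --uid=1002 form
                opt, val = tok.split("=", 1)
                uid = val if opt == "--uid" else uid
            elif tok in _VALUE_OPTS:                          # --uid 1002 form; skip the value token
                if tok in ("-u", "--uid") and i + 1 < len(tokens):
                    uid = tokens[i + 1]
                i += 1
            elif not tok.startswith("-"):                     # positional argument: the user name
                name = tok
            i += 1
        if name and uid and uid.isdigit():
            created[name] = int(uid)
    return created


def check_dockerfile(text):
    """Return {'user', 'uid', 'verdict'} for the final stage of the given Dockerfile text."""
    user, created = None, {}
    for instr, args in _instructions(text):
        if instr == "FROM":               # every stage starts as root; only the last stage ships
            user, created = None, {}
        elif instr == "RUN":
            created.update(_users_created(args))
        elif instr == "USER":
            user = args.split(":", 1)[0].strip()   # USER uid[:gid] or USER name[:group]
    if user is None:
        return {"user": None, "uid": None, "verdict": "root"}
    if user.isdigit():
        uid = int(user)
    elif user == "root":
        uid = 0
    else:
        uid = created.get(user)
    if uid is None:                       # name not created in this Dockerfile; cannot be verified here
        return {"user": user, "uid": None, "verdict": "unresolved"}
    if uid == 0:
        verdict = "root"
    elif uid <= 1000:
        verdict = "system-range"          # the text asks for a uid above 1000
    elif uid <= 10000:
        verdict = "local-range"           # non-root; the text suggests above 10000 to be really safe
    else:
        verdict = "ok"
    return {"user": user, "uid": uid, "verdict": verdict}


if __name__ == "__main__":
    for label, dockerfile in (("rootless", ROOTLESS_DOCKERFILE), ("root", ROOT_DOCKERFILE)):
        print(label, check_dockerfile(dockerfile))
```

A `USER` by name that the Dockerfile itself does not create is reported as `unresolved`: the uid then comes from the base image's `/etc/passwd`, which a purely static check cannot see, so it should be confirmed at runtime (the `whoami` check below) instead.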

You can verify that the container no longer runs as root with these commands:

```shell
docker container run --rm --detach --name hello-rootless \
-p 8080:8080 andifalk/hello-rootless:latest-arm64
docker exec hello-rootless whoami
```

This should return the following user name (it should not be root anymore):

```shell
appuser
```

To prevent privilege escalation inside the container (for example through setuid binaries), it is also best practice to restrict this further with the additional option *--security-opt=no-new-privileges* for *docker run*:

```shell
docker container run --security-opt=no-new-privileges --rm --detach --name hello-rootless \
-p 8080:8080 andifalk/hello-rootless:latest-arm64
```

You should also be able to reach the dockerized application via [localhost:8080](http://localhost:8080).
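`whoami` only reports the effective user name; it cannot show whether the *no-new-privileges* option actually took effect. The script below is an added example, not code from the original guide: it reads `/proc/1/status` of the container's main process, which lists all four uid/gid fields (real, effective, saved-set, filesystem) and the `NoNewPrivs` flag that *--security-opt=no-new-privileges* sets, and reports anything that deviates from the hardening described above. `SAMPLE_STATUS` is a constructed excerpt of such a status file; the function names are assumptions for this example.

```python
"""Runtime check of a container's main process from the kernel's point of view (added example)."""
import subprocess

# Constructed excerpt of /proc/1/status inside the rootless container started with
# --security-opt=no-new-privileges (only the fields relevant here).
SAMPLE_STATUS = """\
Name:\tjava
State:\tS (sleeping)
Pid:\t1
Uid:\t1002\t1002\t1002\t1002
Gid:\t1002\t1002\t1002\t1002
NoNewPrivs:\t1
"""


def parse_status(text):
    """Parse the key: value lines of /proc/<pid>/status into uid/gid tuples and the NoNewPrivs flag."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    # Uid/Gid lines list the real, effective, saved-set and filesystem ids
    uid = tuple(int(x) for x in fields["Uid"].split())
    gid = tuple(int(x) for x in fields["Gid"].split())
    return {"uid": uid, "gid": gid, "no_new_privs": fields.get("NoNewPrivs") == "1"}


def assess(status):
    """Return a list of findings; an empty list means the process matches the hardening above."""
    findings = []
    if 0 in status["uid"]:
        findings.append("uid: one of real/effective/saved/fs uid is 0 (root)")
    if 0 in status["gid"]:
        findings.append("gid: one of real/effective/saved/fs gid is 0 (root group membership)")
    if not status["no_new_privs"]:
        findings.append("NoNewPrivs: not set, setuid binaries and file capabilities can still raise privileges")
    return findings


def container_status(name):
    """Read /proc/1/status of a running container via docker exec (needs Docker; not used by the test)."""
    proc = subprocess.run(["docker", "exec", name, "cat", "/proc/1/status"],
                          check=True, capture_output=True, text=True)
    return parse_status(proc.stdout)


if __name__ == "__main__":
    # hello-rootless is the container name used in the docker run commands on this page
    findings = assess(container_status("hello-rootless"))
    print("OK" if not findings else "\n".join(findings))
```

Run it while the container started with the command above is up. Because `NoNewPrivs` is inherited by every child process, checking pid 1 covers the whole process tree of the container. The equivalent setting in a Kubernetes pod spec is `securityContext.allowPrivilegeEscalation: false`.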

Finally, stop the running container by using the following command:

```shell
docker stop hello-rootless
```

## Check Image for Vulnerabilities

Now we can check our image for vulnerabilities of high and critical severity using these commands (the first one clears the scan cache so the result is not stale):

```shell
trivy clean --scan-cache
trivy image --severity HIGH,CRITICAL andifalk/hello-rootless:latest-arm64
```

## Next

[Next: Rootless JIB Container](/secure-kubernetes-development/container-security/step4-hello-rootless-jib.md)

