Provide a container exec user as part of the base alpine image #407
Comments
I think you don't need to run as another user, as in a container you're already isolated and have only root permissions to the container and not on the host system. But even if so, I think a user shouldn't be in the base image as use cases for Alpine images vary a lot.
For as long as I've used Docker containers, the best practice has always been to run production containers as a non-root user. Google
With that threat in mind, and knowing that alpine is broadly used as the base for production images, what do you propose as the preferred standardized solution? If I must choose one of the above, for my part I'd choose option (b), but I prefer to reference the public alpine image in production containers for both convenience and standardization.
I think it would be helpful to provide a user intended for app execution in the base image. Best practice dictates that production containers should not be deployed using the root user for app execution. Currently this leaves it to each app owner to create an unprivileged user in their app Dockerfile or maintain a base image with the same. My suggestion is to create a system user that app owners leverage knowing that this user is maintained to adhere to best practices in the base image.
I've submitted #408 to serve as a starting point, though I'm not sure that what I've currently put forward is consistent with how this image is typically maintained.
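A check for the practice discussed in this thread, as an added example that is not part of the issue or the project's code: it classifies an image's configured exec user (the string printed by `docker inspect --format '{{.Config.User}}' IMAGE`) and lists the images whose main process would start as root. The function names and the sample inventory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Returns 0 (true) when the given USER value means the container starts as root.
# Limitation: a non-root *name* that maps to uid 0 in the image's /etc/passwd
# cannot be detected from the string alone.
runs_as_root() {
    user_spec=$1
    # No USER set in the image: the runtime defaults to root.
    [ -z "$user_spec" ] && return 0
    # USER may be "user", "uid", "user:group" or "uid:gid"; only the user part decides.
    user_part=${user_spec%%:*}
    case $user_part in
        root) return 0 ;;
        '') return 0 ;;            # group given without a user: flag conservatively
        *[!0-9]*) return 1 ;;      # a name other than "root"
    esac
    # Numeric uid: 0 in any spelling ("0", "00") is root.
    [ "$user_part" -eq 0 ]
}

# Read "image<TAB>user" lines on stdin and print the images that run as root.
flag_root_images() {
    while IFS="$(printf '\t')" read -r image user_spec; do
        if runs_as_root "$user_spec"; then
            printf '%s\n' "$image"
        fi
    done
}

# Constructed sample inventory (not real scan output): image name, then USER value.
sample_inventory() {
    printf '%s\t%s\n' \
        alpine '' \
        example/app:1.0 app \
        example/worker:2.3 0:0 \
        example/api:0.9 1000:0 \
        example/cron:1.1 root:app
}

sample_inventory | flag_root_images
```

A gid of 0 with a non-zero uid (`1000:0`) is not flagged, because the check is about the exec user only.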