USER 1001 in Dockerfile

[Luca Masini]

Hi all, recently the standard Dockerfile.jvm has been modified with the usage of the user 1001.

But OpenShift experts inside the company says that this is not a good practice because OpenShift generates randomly the users.

Also Kaniko during image generation complaints about this non existing users during chown.

I would like to understand why this user was added to the Dockerfile so that I can talk with my "experts" and tell them why we need that.

Thanks.

[Max Andersen]

That definitely sounds wrong. I can’t check atm but very curious why too :)

/max

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/076ab3a3-8ce3-48da-b2f2-88bf63be4bbcn%40googlegroups.com.

[Max Rydahl Andersen]

On 24 Mar 2021, at 10:33, Luca Masini wrote:

> Hi all, recently the standard Dockerfile.jvm has been modified with
> the
> usage of the user 1001.

so looking into this wasn't recent. I see traces back as far as 2 years
for this.

including commits like
https://github.com/quarkusio/quarkus/commit/9c94c629c63f0be0c4e23bbd28d5ab34b24af3bd
ensuring it works in openshift.

so as far as I can see its always been there but I like you want to
grok why its okey at this part :)

/max

>
> But OpenShift experts inside the company says that this is not a good
> practice because OpenShift generates randomly the users.
>
> Also Kaniko during image generation complaints about this non existing
> users during chown.
>
> I would like to understand why this user was added to the Dockerfile
> so
> that I can talk with my "experts" and tell them why we need that.
>
> Thanks.
>

> --
> You received this message because you are subscribed to the Google
> Groups "Quarkus Development mailing list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to quarkus-dev...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/quarkus-dev/076ab3a3-8ce3-48da-b2f2-88bf63be4bbcn%40googlegroups.com.

/max
https://xam.dk/about

[Luca Masini]

Yessss, may be I never noticed that 1001 until an infrastructure's colleague told me that we should not bind that into the Dockerfile, OpenShift will randomize the user for us.

--

****************************************
http://www.lucamasini.net
http://twitter.com/lmasini
http://www.linkedin.com/pub/luca-masini/7/10/2b9
****************************************

[Erin Schnabel]

so. Those docker images are used by things other than OpenShift, right?

We want these images to not run as root because that's a best practice with or without openshift.

Defining a user is not a problem. OpenShift will assign a random user (still, anyway.. ).

To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CAG%3D-wFM-rg-6q5e7e8-kH2usSY8VfRyDnZdCh-S6cQeLLRC3kw%40mail.gmail.com.

[Luca Masini]

Well, the Dockefile generated by the quarkus.io site is generic and not targeted at OpenShift.

But the important one is that OpenShift will not use the user that is defined inside the Dockerfile but instead assign a new one.

That's great.