How does distroless nonroot work?

[Dennis Boettcher]

Good morning,

I tried to find the answer to my question online but wasn't successful. I hope you can help me.

I'm just looking for an explanation for how the distroless nonroot Java images work. Do they simply contain a "normal" user called nonroot additionally to the root user which I can use in my image or is there no root user at all and only the nonroot one and I don't have to do anything when building my custom image?

If there is an overview of the image types with a description (e.g. also for the debug ones), that would be great.

Thanks

Dennis

[Dennis Boettcher]

I noticed that when I build an image using the jib-maven-plugin without specifying a user in its config using the image gcr.io/distroless.java17-debian11:nonroot, I get "Config.User: 65532" and "Config.WorkingDir: /home/nonroot".

When using the image gcr.io/distroless.java17-debian11:latest I get "Config.User: 0" and "Config.WorkingDir: /". So this looks like I don't have to do anything special for the build but the "nonroot" base image will make sure that the container doesn't run as root. Is my conclusion correct?

[Evan Jones]

That is correct. The "nonroot" images are configured to default to executing as a normal user account called "nonroot", with user ID 65532. That is the only difference. All the images contain configuration for the user accounts root, nobody, and nonroot.

Hope that helps,

Evan

--
You received this message because you are subscribed to the Google Groups "Distroless Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to distroless-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/distroless-users/33b0af1d-e359-40fc-9f79-485c7768754fn%40googlegroups.com.

--

Evan Jones
https://www.evanjones.ca/

[Dennis Boettcher]

Cool, thank you for the quick response. Have a great rest of the week and a nice new years eve.