nobody & nonroot user in distroless images

Question

Distroless images comes with 3 users :

> docker run --rm --entrypoint cat gcr.io/distroless/nodejs:debug /etc/passwd
root:x:0:0:root:/root:/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin

If you run the image without a USER instruction in your Dockerfile the image runs as uid=0(root) gid=0(root).

I would like to avoid this and use an unprivileged user.

Other than nobody not having a /home directory, what is the difference between using USER nobody and USER nonroot in my Dockerfile ?

Answer 1

There are 2 type of distroless images which can be used in production:

with latest tag
This image say, gcr.io/distroless/base by default has "Config.User: 0" and "Config.WorkingDir: /" config in it and if you don't use USER for switching the user to nonroot user which is defined in it or it will start container with root user.

with nonroot tag
This image say, gcr.io/distroless/base:nonroot by default has "Config.User: 65532" and "Config.WorkingDir: /home/nonroot" config in it and there is no need to use USER for changing user to non-root user.
PS: maybe you need to change ownership of copied files in multistage build to nonroot user.

nobody user
purpose of nobody user in not related to distroless images and it's about Linux itself which described here very well

Answer 2

The best practice seems to be using nonroot user.

references :

• https://github.com/GoogleContainerTools/distroless/issues/332
• https://wiki.ubuntu.com/nobody