docker image: switch to a new non-root user when started as root #241
Conversation
arichardson
force-pushed
the
docker-entrypoint
branch
from
8b0188a
to
d23dbee
Compare
|
I believe this should now be correct. |
|
My only concern with merging this is that the initial release tarball (which we know some people are using) failed to check out a tag for cheribuild, so it tracks master and prompts people to update, meaning we can't actually make the cheribuild side of the necessary changes to support this because that will break with people's existing docker images. I don't know how we deal with that though because it'll need breaking at some point, and other changes to cheribuild may stop things working with the release's snapshot of repos before then... |
|
Yes that is unfortunate. However, these dockerfile changes should be backwards compatible since they do nothing when I'll look into a workaround for the release when I actually make the docker commandline change. |
arichardson
force-pushed
the
docker-entrypoint
branch
from
d23dbee
to
50371d2
Compare
Instead of manually adding a matching user with the docker-adduser cheribuild target, this adds an ENTRYPOINT script to the docker image that automatically creates an unprivileged user. The UID/GID/name can be passed using environment variables (-e flag to `docker run`).
Unlike adduser, the low-level useradd program does not have any prompts so works better in a non-interactive context.
arichardson
force-pushed
the
docker-entrypoint
branch
from
50371d2
to
16c6e6a
Compare
Instead of manually adding a matching user with the docker-adduser
cheribuild target, this adds an ENTRYPOINT script to the docker image
that automatically creates an unprivileged user. The UID/GID/name can
be passed using environment variables (-e flag to
docker run).