Postgres, MariaDB and MySQL don't use USER. Supposedly official images are reviewed for adherence to the best practices document, which requires USER where possible. Why?
Fundamentally, USER is not possible in official images. It conflicts with the requirement that "A beginning user should be able to docker run official-image bash without needing to learn about --entrypoint". If you don't have root, you can't edit config files, install packages like strace... or, in particular, fix up UIDs in volumes. Realistically, the official image style is considered (a) best practice. (So the Docker user guide should put the emphasis on running daemons as non-root and less on USER specifically.)
IMO this is a problem. The popular examples you can learn from don't show the need to set fixed UIDs. Otherwise, if you update to a base image that adds another user, you'll have to intervene manually. The Best Practices say you should consider setting fixed UIDs, but they don't even show an example of it. So prominent examples of simple Dockerfiles that use USER aren't setting fixed UIDs. The official images don't set fixed UIDs either - pretending like this isn't a problem - but then brute-force data volumes with chown, because their entrypoint scripts run as root. Not very impressive.
Technically, the official Dockerfiles could be fixed by adding even more chown and UID swapping to the Dockerfile, but that seems undesirable.
I suppose the other alternative would be a path-dependent update. That is, keep the chown around until everyone's done their automatic updates to fixed UIDs (a couple of months?), and then drop it.
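Added example, not from the post or from any official image: an entrypoint script for the "path-dependent" transition described above. The Dockerfile it pairs with (sketched in the header comment, with an assumed fixed UID/GID of 10001 and an assumed data directory of /var/lib/app) creates the user with a pinned UID and omits USER. The script starts as root only to repair ownership of a mounted volume when, and only when, it is still owned by the wrong UID, then drops to the fixed UID before exec'ing the real command. The `su-exec`/`gosu` helpers are assumptions about what the Dockerfile installs; once every deployment's volumes carry the fixed UID, the chown branch and the root start can be removed and a USER line added.

```shell
#!/bin/sh
# Hypothetical docker-entrypoint.sh for an image that pins a fixed UID/GID.
# The Dockerfile it pairs with is assumed to contain (illustrative values):
#   RUN addgroup -g 10001 app && adduser -u 10001 -G app -D app
#   COPY docker-entrypoint.sh /usr/local/bin/
#   ENTRYPOINT ["docker-entrypoint.sh"]
#   CMD ["app-server"]
# The image deliberately has no USER line yet: the entrypoint starts as root
# only long enough to repair ownership on a mounted volume, then drops to
# APP_UID. Once all volumes are migrated, the chown step goes away.
set -eu

APP_UID="${APP_UID:-10001}"      # assumed fixed UID baked into the image
APP_GID="${APP_GID:-10001}"      # assumed fixed GID baked into the image
DATA_DIR="${DATA_DIR:-/var/lib/app}"   # assumed volume mount point

# Print the numeric owner of a path (GNU stat).
owner_uid() {
    stat -c '%u' "$1"
}

# Exit 0 when the directory is NOT owned by the wanted UID (a chown is still
# required); exit 1 when it already is.
needs_chown() {
    dir="$1"
    want="$2"
    [ "$(owner_uid "$dir")" != "$want" ]
}

# Repair ownership only when running as root and only when it is actually
# wrong; a volume already migrated to the fixed UID is left untouched.
fix_ownership() {
    dir="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "entrypoint: not root, skipping chown of $dir" >&2
        return 0
    fi
    if needs_chown "$dir" "$APP_UID"; then
        echo "entrypoint: chown -R $APP_UID:$APP_GID $dir" >&2
        chown -R "$APP_UID:$APP_GID" "$dir"
    fi
}

# Drop privileges and exec the real command. su-exec (Alpine) or gosu (Debian)
# is assumed to have been installed by the Dockerfile; refuse to keep running
# as root if neither is present.
run_as_app() {
    if [ "$(id -u)" -ne 0 ]; then
        exec "$@"
    elif command -v su-exec >/dev/null 2>&1; then
        exec su-exec "$APP_UID:$APP_GID" "$@"
    elif command -v gosu >/dev/null 2>&1; then
        exec gosu "$APP_UID:$APP_GID" "$@"
    else
        echo "entrypoint: no su-exec/gosu found, refusing to run as root" >&2
        exit 1
    fi
}

main() {
    mkdir -p "$DATA_DIR"
    fix_ownership "$DATA_DIR"
    run_as_app "$@"
}

# Only act as the entrypoint when invoked under that name, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    docker-entrypoint.sh) main "$@" ;;
esac
```

Because `needs_chown` is a separate check, the root-only branch is a no-op on an already-migrated volume, and the script still works unchanged if a later image version adds USER 10001:10001 (it then simply execs the command directly).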