My concern is that the home directory of nobody is pointing to /nonexistent. I think a non-root user (other than nobody) has to have a proper home. A lot of applications depend on the existence of a home directory.

Would it need to be an actual user instead of nobody? Perhaps nonroot with an actual home directory?

cc @sharifelgamal This is what I was asking for at Kubecon! thanks @dprotaso

cc @loosebazooka may want these for Jib as well.

I added a home directory for the 'nobody' user (/home/nobody). I changed the root user's home directory to /root

I noticed running tests don't work on Mac

+ base/certs_test.image --norun
Loaded image ID: sha256:101cd50a552664199d987a2506fd3bcfecc301019c462adc1a4c98eab217309f
Tagging 101cd50a552664199d987a2506fd3bcfecc301019c462adc1a4c98eab217309f as basecheck_certs_image:intermediate
+ ../structure_test_linux/file/downloaded version
/private/var/tmp/_bazel_dprotasowski/d4d2a8e3e6c0766b8b5af3d4f8a07ed0/sandbox/darwin-sandbox/84/execroot/distroless/bazel-out/k8-fastbuild/bin/base/certs_test.runfiles/distroless/base/certs_test: line 7: ../structure_test_linux/file/downloaded: cannot execute binary file

@dprotaso run with --cpu=darwin

Provocative question: why don't we make all images be non-root? Is there any reason to have root-based images?

I'm still not sure if we should reuse nobody for this non-root user. I would expect nobody to have no file ownership. It seems odd to diverge from this convention.

@loosebazooka what was the original purpose of the 'nobody' user?

AFAICT, it is sometimes advised to run some processes as nobody, but I do not think it is for running any general applications. Besides, I think there is no reason to be obsessed with nobody here. You can always create and use a proper user for non-root purposes.

@dprotaso mostly just historical context. People used it to isolate daemons, but then moved off that to other daemon-specific low-privilege users to isolate the daemons from eachother.

I can't really speak to how users are using it now though in distroless, as it doesn't seem like anyone has ever needed a home directory for nobody. I think the convention of nobody has been for it to be the lowest of low privileged users though, without the ability to write to anything (how did they write logs?).

Maybe I'm being too pedantic about the purpose of nobody and this implementation is fine?

Sorry, I think I may have misunderstood the question: other context: nobody was added in #335 because of #332, and I do not have enough context but @thockin might have something to add here.

So outstanding questions for me:

Which user/group do folks want to be default in non-root images

1. nobody user with a home directory
2. nonroot with their own home directory (will use uid:gid 65533 - one lower than nobody)

Note the /root home directory changes with both - I'm unaware if this haves any effects downstream.

Image tags

How should we reference/upload non-root images to/from a registry. We can tweak tags or repo path. My preference is for change the repo path

ie. currently we have

gcr.io/distroless/static
gcr.io/distroless/base
gcr.io/distroless/base:debug

becomes (need to update the PR once consensus is made)

gcr.io/distroless/nonroot/static
gcr.io/distroless/nonroot/base
gcr.io/distroless/nonroot/base:debug

It seems sad to make the less secure option the default. I imagine the concern here is breaking existing users so I'm wondering if we have other options.

nonroot with their own home directory (will use uid:gid 65533 - one lower than nobody

Others may have different opinions, but I prefer this. The home of nobody is currently /nonexistent, and nobody should mean "nobody", not a real user. I don't really like breaking the convention by having a usable home directory for it. And as I said, I think there is no reason to be obsessed with nobody.

For the uid:gid, I vote for 65432 for safety. I think 65533 has an increased chance of collision than 65432 (just like you picked it) and is too close to 65535.

Note the /root home directory changes with both - I'm unaware if this haves any effects downstream.

We could have /nonroot as a home directory for the new user instead of /home/nonroot to keep backward compatibility, but I'm not sure if that's a good idea either.

@patflynn making nonroot the default would immediately break anyone depending on it (and there are some niche cases that need it today). If we were starting from scratch (no pun intended), armed with the knowledge we have now, then this would be the default.

IMO we should use tags to distinguish these, not repos. :root (same as :latest), and :nonroot (this PR). For :debug and :nonroot, I'd just pick a blending: :nonrootdebug.

If we get these published, and folks (ko, bazel, jib, kubernetes, ...) adopt the explicit tagging by default, then we can see if :latest is still being pulled in a few months and flip the default.

cc @tallclair @lizrice will be interested in this thread as well

I love that you’re doing this!

+1 to @chanseokoh’s comment preferring a real user rather than nobody. It feels wrong to have a home directory for the nobody account; and in the limited occasions where people deliberately use the nobody account they might even be relying on there not being a home for it.

I think for back-compatibility you're right to keep the :latest tag, but you could document it prominently as deprecated to encourage people to use the :root and :nonroot tags

I think we might still need to decide if we want to move user:root's home dir to /root ?

@mattmoor: If we get these published, and folks (ko, bazel, jib, kubernetes, ...) adopt the explicit tagging by default, then we can see if :latest is still being pulled in a few months and flip the default.

Would it be worth setting up an distroless-announce@ mailing list? Whether we change the default now or in several months, it's still going to break anybody depending on root who isn't aware of the change.

@briandealwis I wasn't suggesting that we shouldn't socialize the transition, we should, but it probably makes sense to get any known things onto explicit tags first.

I'd love to get this in. @dprotaso ping me if you need anything.

@mattmoor, any idea what to do with the user-home dir? do we expect users to explicitly be referencing user home instead of through the env?

@loosebazooka There's no place like $HOME

Unless you are one of those %USERPROFILE% types 🙄

Once this PR goes in how long will it take for the images to be available? I'm monitoring this change because we'd like to use distroless with a PodSecurityPolicy with

runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'

@sharifelgamal ^^

@donmccasland maybe?

Sorry for the delay, no idea how this fell off my radar.

These should be live in 15 minutes or so.

@sharifelgamal thanks!