This image is based on arm32v6/alpine.
This image contains:
- Alpine Linux provided by the base image.
- QEMU, so that the images can be built and run on x86 systems (especially Travis CI).
- Tini to properly manage the processes (Tini spawns a single child and waits for it to exit, all the while reaping zombies and performing signal forwarding).
- su-exec to properly manage user permissions inside the image (see below).
- Bash because I use it in my scripts.
This image sets:
- The main and community repositories for APK (needed for su-exec).
- The CET Timezone (to have the same timestamps inside and outside the container).
- A custom script as Entrypoint to manage the users (see below).
Use this image as the base for your own images.
To manage the user who runs the processes inside the image, you have 3 choices:
- Do nothing. In this case the whole image is run as root; it's easier, but not good for security reasons.
- Set the `USER` property in your Dockerfile (as explained in the Docker docs) to run the whole image with that user. However, if you share data outside the container, this does not give that data the right ownership.
- Set the `RUN_AS` environment variable on startup (either with `docker run -e RUN_AS=1234:5678` or with the `environment` key in your compose file). In that case, the image is built with root privileges and only the main process is run as a non-privileged user (for security reasons). The `RUN_AS` variable must have the form `UID:GID` of the user.
If you need to do specific things in the entrypoint (for example to initialize data before running the main process), write a shell script in `/usr/sbin/docker-entrypoint-pre.sh` and it will be executed first in the entrypoint script.
If you set the `RUN_AS` environment variable, the program will not be allowed to upgrade itself and you will have to upgrade it manually, either by rebuilding the image or by using the `docker exec` command (which does not use the entrypoint script and therefore runs as root).
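The `RUN_AS` handling and pre-script hook described above can be sketched as follows. This is an added example, not the entrypoint script shipped in this image; the function names and the tini wrapper path in the comment are assumptions.

```shell
#!/bin/sh
# Added illustration only; not the entrypoint script shipped in this image.
# Assumed: the Dockerfile wraps this script with tini, for example
#   ENTRYPOINT ["tini", "--", "/usr/sbin/docker-entrypoint.sh"]  (hypothetical path)

PRE_SCRIPT=/usr/sbin/docker-entrypoint-pre.sh

# True only for a non-empty string of decimal digits.
is_number() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# Accept exactly UID:GID with numeric parts; user names, a missing GID
# or extra colons are rejected.
valid_run_as() {
    uid=${1%%:*}
    gid=${1#*:}
    [ "$1" = "$uid:$gid" ] && is_number "$uid" && is_number "$gid"
}

entrypoint_main() {
    # The pre-script runs first, before any privilege drop.
    if [ -f "$PRE_SCRIPT" ]; then
        sh "$PRE_SCRIPT" || return 1
    fi
    # RUN_AS unset: the main process keeps root (first choice in the list).
    if [ -z "${RUN_AS:-}" ]; then
        exec "$@"
    fi
    # Fail closed: a typo in RUN_AS must not silently fall back to root.
    if ! valid_run_as "$RUN_AS"; then
        echo "RUN_AS must be UID:GID, got '$RUN_AS'" >&2
        return 1
    fi
    # exec replaces the shell, so the main process stays the direct child
    # of tini and receives the signals it forwards.
    exec su-exec "$RUN_AS" "$@"
}

if [ "$#" -gt 0 ]; then
    entrypoint_main "$@"
fi
```

Because the pre-script runs before the privilege drop, it should be owned by root and not writable by the `RUN_AS` user.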