
Requirements for deploying a container image

To deploy a container image to the Cloud Platform, you must ensure your container image:

  • is Linux-based, because we don’t support Windows-based images
  • runs a stateless and disposable application, because we restart containers frequently
  • runs as a non-root user, because we don’t allow containers to use root access for security reasons
  • runs on an unprivileged port (your image should expose a port over 1024, e.g. 8080)

You must also keep your container image up to date and secure by default.

Running a container image as a non-root user

Some Docker images may already have a non-root variant. For example, if you’re running nginx, you can use the official nginx-unprivileged image instead.

Typically, you can adapt your Dockerfile to run as a non-root user by:

  1. creating a non-root user in your Dockerfile
  2. setting the USER instruction to use the non-root user when running your image

As each team and application can use a different base image, this minimal example shows you how to run an alpine/busybox base image as a non-root user.

FROM alpine:3.18

# Build your service here; these steps can use root privileges
# At the end of your build, create and switch to a non-root user

# This will create a non-root user with the UID of 1001
RUN adduser -D nonroot -u 1001

# You must use a UID, not a username, here
USER 1001

If you need help to run your container as a non-root user, please speak to your team or consult the image vendor’s documentation.
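
The non-root and port requirements above can be checked before an image is built. The following is an added example, not part of the Cloud Platform guidance or tooling: a small Dockerfile check that looks only at the final build stage, since that is the stage that runs. The function name check_dockerfile and both sample Dockerfiles are constructed for illustration.

```python
import re

def check_dockerfile(text):
    """Return findings for the final build stage of a Dockerfile."""
    text = re.sub(r"\\[ \t]*\n", " ", text)   # join line continuations
    user, ports = None, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        instr, args = parts[0].upper(), parts[1:]
        if instr == "FROM":
            # New stage. Simplification: treat it as starting with no USER or
            # EXPOSE, although a stage built FROM an earlier stage inherits them.
            user, ports = None, []
        elif instr == "USER" and args:
            user = args[0]
        elif instr == "EXPOSE":
            ports += args
    findings = []
    uid = (user or "").split(":")[0]
    if user is None:
        findings.append("no USER in final stage: runs as the base image's user")
    elif not uid.isdigit():
        findings.append(f"USER {user}: use a numeric UID, not a username")
    elif int(uid) == 0:
        findings.append("USER 0: container runs as root")
    for p in ports:
        low = p.split("/")[0].split("-")[0]   # handles "80/tcp" and "8000-8010"
        if low.isdigit() and int(low) <= 1024:
            findings.append(f"EXPOSE {p}: use a port over 1024, e.g. 8080")
    return findings

# Constructed sample: the page's example with an EXPOSE line added.
GOOD = """FROM alpine:3.18
RUN adduser -D nonroot -u 1001
EXPOSE 8080
USER 1001
"""

# Constructed sample: the USER set in the build stage does not reach the final image.
BAD = """FROM alpine:3.18 AS build
USER 1001
FROM alpine:3.18
EXPOSE 80/tcp
USER nonroot:nonroot
"""

if __name__ == "__main__":
    for name, df in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_dockerfile(df) or "ok")
```

The check cannot see a USER or EXPOSE inherited from the base image, so a Dockerfile with no USER instruction is reported rather than assumed safe.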

This page was last reviewed on 16 January 2024. It needs to be reviewed again on 16 January 2025 by the page owner #cloud-platform.