Requirements for deploying a container image
To deploy a container image to the Cloud Platform, you must ensure your container image:
- is Linux-based, because we don’t support Windows-based images
- runs a stateless and disposable application, because we restart containers frequently
- runs as a non-root user, because we don’t allow containers to use root access for security reasons
- runs on an unprivileged port (your image should expose a port over 1024, e.g. 8080)
You must also keep your container image up to date and secure by default.
Running a container image as a non-root user
Some Docker images may already have a non-root variant. For example, if you’re running nginx, you can use the official nginx-unprivileged image instead.
Typically, you can adapt your Dockerfile to run as a non-root user by:
- creating a non-root user in your Dockerfile
- setting the USER instruction to use the non-root user when running your image
As each team and application can use a different base image, this minimal example shows you how to run an alpine/busybox base image as a non-root user.
```dockerfile
FROM alpine:3.18
# Build your service here, which can use root privileges (e.g. sudo)
# At the end of your build, create and switch to a non-root user
# This will create a non-root user with the UID of 1001
RUN adduser -D nonroot -u 1001
# You must use a UID, not a username, here
USER 1001
```
If you need help to run your container as a non-root user, please speak to your team or consult the image vendor’s documentation.
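As an added example (not part of this page or of the Cloud Platform's own tooling), the Python script below checks a Dockerfile against two of the requirements above: a numeric, non-root USER in the final build stage and an exposed port over 1024. The function name check_dockerfile and the sample Dockerfile are assumptions made for illustration.

```python
import re

# Constructed sample: the page's alpine example plus an EXPOSE line (assumed).
SAMPLE = """\
FROM alpine:3.18
RUN adduser -D nonroot -u 1001
EXPOSE 8080
USER 1001
"""

def check_dockerfile(text):
    """Return a list of findings; an empty list means both checks passed."""
    user, ports, findings = None, [], []
    # Join backslash line continuations before splitting into instructions.
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1].strip()
        if instr == "FROM":
            # A new build stage starts: only the final stage defines the image.
            user, ports = None, []
        elif instr == "USER":
            user = arg
        elif instr == "EXPOSE":
            ports += arg.split()
    if user is None:
        findings.append("no USER in the final stage: the user is inherited "
                        "from the base image (root unless the base sets one)")
    else:
        uid = user.split(":")[0]          # USER accepts user[:group]
        if not uid.isdigit():
            findings.append(f"USER {user}: use a numeric UID, not a username")
        elif int(uid) == 0:
            findings.append("USER 0: the image runs as root")
    for port in ports:
        number = port.split("/")[0]       # EXPOSE accepts port[/protocol]
        # Ranges and build-time variables are skipped, not evaluated.
        if number.isdigit() and int(number) <= 1024:
            findings.append(f"EXPOSE {port}: use a port over 1024")
    return findings

if __name__ == "__main__":
    for finding in check_dockerfile(SAMPLE) or ["ok"]:
        print(finding)
```

A missing USER is reported rather than treated as a failure of the base image, because a non-root variant such as nginx-unprivileged already sets the user itself.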
This page was last reviewed on 4 June 2023. It needs to be reviewed again on 4 June 2024 by the page owner #cloud-platform.