Requirements for deploying a container image

To deploy a container image to the Cloud Platform, you must ensure your container image:

  • is Linux-based, because we don’t support Windows-based images
  • runs a stateless and disposable application, because we restart containers frequently
  • runs as a non-root user, because we don’t allow containers to use root access for security reasons
  • runs on an unprivileged port (your image should expose a port over 1024, e.g. 8080)

You must also keep your container image up to date and secure by default.

Running a container image as a non-root user

Some Docker images may already have a non-root variant. For example, if you’re running nginx, you can use the official nginx-unprivileged image instead.

Typically, you can adapt your Dockerfile to run as a non-root user by:

  1. creating a non-root user in your Dockerfile
  2. setting the USER instruction to use the non-root user when running your image

As each team and application can use a different base image, this minimal example shows you how to run an alpine/busybox base image as a non-root user.

FROM alpine:3.18

# Build your service here, which can use root privileges (e.g. sudo)
# At the end of your build, create and switch to a non-root user

# This will create a non-root user with the UID of 1001
RUN adduser -D nonroot -u 1001

# You must use a UID, not a username, here
USER 1001

If you need help to run your container as a non-root user, please speak to your team or consult the image vendor’s documentation.

This page was last reviewed on 4 June 2023. It needs to be reviewed again on 4 June 2024 by the page owner #cloud-platform.