specify non-root user in Dockerfile

[pkoutsovasilis]

Summary

Specify a non-root user (UID 1000) in the Dockerfile to improve security and compatibility with Kubernetes security contexts.

Motivation

The current Dockerfile runs as root (UID 0) by default, which:

• Conflicts with RunAsNonRoot: true security contexts in Kubernetes
• Requires explicit runAsUser overrides in pod specifications
• Is generally discouraged as a security best practice

Changes

• Added USER 1000 directive before the ENTRYPOINT to run the package-registry process as a non-root user

Benefits

• Kubernetes: Eliminates the need to explicitly set runAsUser in pod specs when using RunAsNonRoot: true
• OpenShift: Works seamlessly with the default restricted SCC, which automatically remaps the UID to the namespace's allocated range
• Security: Follows the principle of least privilege by not running as root

[prodsecmachine]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[jsoriano]

This change is backwards compatible as container orchestrators can still override the user if needed.

Could this be breaking if the user is running the registry with local packages? https://github.com/elastic/package-registry?tab=readme-ov-file#docker

[pkoutsovasilis]

Could this be breaking if the user is running the registry with local packages? https://github.com/elastic/package-registry?tab=readme-ov-file#docker

how do you mean that @jsoriano ? mounting them directly in the container?

[jsoriano]

Could this be breaking if the user is running the registry with local packages? https://github.com/elastic/package-registry?tab=readme-ov-file#docker

how do you mean that @jsoriano ? mounting them directly in the container?

If executed with something like this:

docker run --rm -it -p 8080:8080 \
  -v /path/to/local/packages:/packages/package-registry \
  docker.elastic.co/package-registry/package-registry:main

Could it become an issue if /path/to/local/packages is not readable by all users?

[pkoutsovasilis]

yes it could 100% 🙂 do you feel that we should run a process as root to avoid having the user set proper fs permissions?

PS: users can always invoke the following and get over any issues but the choice to run as root is theirs

docker run --user 0 --rm -it -p 8080:8080 \
  -v /path/to/local/packages:/packages/package-registry \
  docker.elastic.co/package-registry/package-registry:main

[jsoriano]

do you feel that we should run a process as root to avoid having the user set proper fs permissions?

No, I support 100% this change 🙂 but I was wondering if we should update docs.

Please add also a changelog entry.

[pkoutsovasilis]

@jsoriano this should go under Breaking changes right?

[jsoriano]

@jsoriano this should go under Breaking changes right?

Yeah, I think so. Even if it could be also considered a fix 🙂

[pkoutsovasilis]

thanks for the confirmation @jsoriano , updated both CHANGELOG and README here 3698c86

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 3698c86

History

• 💚 Build #1562 succeeded 89ad8e1

cc @pkoutsovasilis

[jsoriano]

Looks good, just a last comment on the UID choice.