Skip to content

specify non-root user in Dockerfile#1503

Merged
pkoutsovasilis merged 2 commits intoelastic:mainfrom
pkoutsovasilis:pkoutsovasilis/nonroot_dockerfile
Dec 18, 2025
Merged

specify non-root user in Dockerfile#1503
pkoutsovasilis merged 2 commits intoelastic:mainfrom
pkoutsovasilis:pkoutsovasilis/nonroot_dockerfile

Conversation

@pkoutsovasilis
Copy link
Contributor

@pkoutsovasilis pkoutsovasilis commented Dec 16, 2025
edited
Loading

Summary

Specify a non-root user (UID 1000) in the Dockerfile to improve security and compatibility with Kubernetes security contexts.

Motivation

The current Dockerfile runs as root (UID 0) by default, which:

  • Conflicts with RunAsNonRoot: true security contexts in Kubernetes
  • Requires explicit runAsUser overrides in pod specifications
  • Is generally discouraged as a security best practice

Changes

  • Added USER 1000 directive before the ENTRYPOINT to run the package-registry process as a non-root user

Benefits

  • Kubernetes: Eliminates the need to explicitly set runAsUser in pod specs when using RunAsNonRoot: true
  • OpenShift: Works seamlessly with the default restricted SCC, which automatically remaps the UID to the namespace's allocated range
  • Security: Follows the principle of least privilege by not running as root

@pkoutsovasilis pkoutsovasilis self-assigned this Dec 16, 2025
@pkoutsovasilis pkoutsovasilis requested a review from a team as a code owner December 16, 2025 09:56
@prodsecmachine
Copy link

prodsecmachine commented Dec 16, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@jsoriano
Copy link
Member

jsoriano commented Dec 16, 2025

This change is backwards compatible as container orchestrators can still override the user if needed.

Could this be breaking if the user is running the registry with local packages? https://github.com/elastic/package-registry?tab=readme-ov-file#docker

@pkoutsovasilis
Copy link
Contributor Author

pkoutsovasilis commented Dec 16, 2025
edited
Loading

Could this be breaking if the user is running the registry with local packages? https://github.com/elastic/package-registry?tab=readme-ov-file#docker

how do you mean that @jsoriano ? mounting them directly in the container?

@jsoriano
Copy link
Member

jsoriano commented Dec 16, 2025

Could this be breaking if the user is running the registry with local packages? https://github.com/elastic/package-registry?tab=readme-ov-file#docker

how do you mean that @jsoriano ? mounting them directly in the container?

If executed with something like this:

docker run --rm -it -p 8080:8080 \
  -v /path/to/local/packages:/packages/package-registry \
  docker.elastic.co/package-registry/package-registry:main

Could it become an issue if /path/to/local/packages is not readable by all users?

@pkoutsovasilis
Copy link
Contributor Author

pkoutsovasilis commented Dec 16, 2025

yes it could 100% 🙂 do you feel that we should run a process as root to avoid having the user set proper fs permissions?

PS: users can always invoke the following and get over any issues but the choice to run as root is theirs

docker run --user 0 --rm -it -p 8080:8080 \
  -v /path/to/local/packages:/packages/package-registry \
  docker.elastic.co/package-registry/package-registry:main

@pkoutsovasilis pkoutsovasilis mentioned this pull request Dec 16, 2025
Merged
@jsoriano
Copy link
Member

jsoriano commented Dec 16, 2025

do you feel that we should run a process as root to avoid having the user set proper fs permissions?

No, I support 100% this change 🙂 but I was wondering if we should update docs.

Please add also a changelog entry.

@pkoutsovasilis
Copy link
Contributor Author

pkoutsovasilis commented Dec 17, 2025

@jsoriano this should go under Breaking changes right?

@jsoriano
Copy link
Member

jsoriano commented Dec 17, 2025

@jsoriano this should go under Breaking changes right?

Yeah, I think so. Even if it could be also considered a fix 🙂

@pkoutsovasilis
Copy link
Contributor Author

pkoutsovasilis commented Dec 17, 2025

thanks for the confirmation @jsoriano , updated both CHANGELOG and README here 3698c86

@elasticmachine
Copy link

elasticmachine commented Dec 17, 2025

💚 Build Succeeded

History

cc @pkoutsovasilis

jsoriano
jsoriano reviewed Dec 18, 2025
View reviewed changes
Copy link
Member

@jsoriano jsoriano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just a last comment on the UID choice.

@pkoutsovasilis pkoutsovasilis merged commit 861e188 into elastic:main Dec 18, 2025
5 checks passed
@pkoutsovasilis pkoutsovasilis deleted the pkoutsovasilis/nonroot_dockerfile branch December 18, 2025 11:50
@pkoutsovasilis pkoutsovasilis mentioned this pull request Dec 22, 2025
Closed
@jsoriano jsoriano mentioned this pull request Jan 13, 2026
Merged
@pkoutsovasilis pkoutsovasilis mentioned this pull request Jan 28, 2026
Merged
pkoutsovasilis added a commit to elastic/cloud-on-k8s that referenced this pull request Jan 30, 2026
@pkoutsovasilis
Support runAsNonRoot true for recent versions of EPR (#8974)
5850956 
## Summary

This PR adds support for `runAsNonRoot: true` in the security context for Elastic Package Registry (EPR) pods on versions that support running as non-root.

Following [elastic/package-registry#1503](elastic/package-registry#1503), newer versions of the package registry can run as a non-root user.

 This change enables the `runAsNonRoot` security context setting for the following versions:

- **9.3.0+**
- **9.2.4+**
- **9.1.10+**
- **8.19.10+**

For older versions, `runAsNonRoot` is left unset (nil) to maintain backward compatibility.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jsoriano jsoriano jsoriano approved these changes

Assignees

@pkoutsovasilis pkoutsovasilis

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@pkoutsovasilis @prodsecmachine @jsoriano @elasticmachine