Running a container as a non-root user is one of the most widely recommended security practices. It does not stop an attacker from exploiting your application, but it limits what they can do afterwards: the compromised process holds an unprivileged account instead of root, so it cannot modify root-owned files in the image, and if it manages to break out of the container it arrives on the host with that unprivileged UID rather than as root (by default container UIDs map directly to host UIDs unless user namespaces are in use).
Running as non-root may require a couple of extra steps in your Dockerfile, because now you need to:
1. Make sure the user named in the USER instruction actually exists inside the image. Create it in the Dockerfile; a name that exists only on the host, or only in an earlier build stage, makes the container fail at start with an "unable to find user" error.
2. Give that user the file system permissions it needs in every location the process reads from or writes to (data directories, logs, temporary files). Everything else can stay root-owned, which the unprivileged process then cannot alter.
Example:
FROM alpine:3.12
# Create the user (adduser -D: no password) and the data directory it will write to,
# then hand ownership to it. mkdir -p is needed because /myapp-data does not exist
# in the base image and chown -R on a missing path would fail the build.
RUN adduser -D myuser && mkdir -p /myapp-data && chown -R myuser:myuser /myapp-data
# … copy application files
# Every later instruction, and the container's main process, runs as myuser.
USER myuser
ENTRYPOINT ["/myapp"]
Tip: ownership can be set while copying files, including files taken from an earlier stage of a multi-stage build, so no separate chown layer is needed (the destination path here is illustrative):
COPY --chown=myuser:myuser --from=builder /app/target/app.jar /myapp/app.jar
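The two requirements above (the user must exist in the final image, and the final USER must not be root) are easy to get wrong in ways that only surface at container start, for example creating the user in the builder stage but not in the runtime stage, or a later USER root overriding an earlier USER. The following POSIX shell script is an added example, not code from the original page: it is a hypothetical check_nonroot helper that statically inspects a Dockerfile the way a CI lint step might, looking only at the last build stage. The Dockerfiles it runs against are constructed inline for the demonstration (image names, paths and user names are assumptions).

```shell
#!/bin/sh
# Hypothetical check: does this Dockerfile end up running as a non-root user?
# Returns 0 when the last stage's final USER is non-root and, if it is a name,
# is created in that same stage; returns 1 otherwise. Not part of any real tool.
check_nonroot() {
  dockerfile="$1"
  # Only the last build stage ships in the image, so keep the lines after the final FROM.
  stage=$(awk 'tolower($1)=="from"{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$dockerfile")
  # The last USER instruction in that stage wins; "user:group" form is allowed.
  user=$(printf '%s' "$stage" | grep -iE '^[[:space:]]*USER[[:space:]]+' | tail -n 1 | awk '{print $2}' | cut -d: -f1)
  if [ -z "$user" ]; then
    echo "FAIL $dockerfile: no USER instruction, container runs as root" >&2
    return 1
  fi
  case "$user" in
    root|0)
      echo "FAIL $dockerfile: final USER is root ($user)" >&2
      return 1 ;;
  esac
  case "$user" in
    *[!0-9]*)
      # A named user must be created in this stage (adduser/useradd), or the
      # container fails at start with "unable to find user". Numeric UIDs need no
      # passwd entry, so they are accepted as-is.
      if ! printf '%s' "$stage" | grep -qE "(adduser|useradd)[^&|;]*[[:space:]]$user([[:space:]]|\$)"; then
        echo "FAIL $dockerfile: USER $user is never created in the final stage" >&2
        return 1
      fi ;;
  esac
  echo "OK $dockerfile: final USER is $user"
  return 0
}

# Constructed sample Dockerfiles (not from any real project), written to temp files.
GOOD_DF=$(mktemp); cat > "$GOOD_DF" <<'EOF'
FROM alpine:3.12 AS builder
# ... build step producing /app/target/app.jar (assumed)
FROM alpine:3.12
RUN adduser -D myuser && mkdir -p /myapp-data && chown -R myuser:myuser /myapp-data
COPY --chown=myuser:myuser --from=builder /app/target/app.jar /myapp/app.jar
USER myuser
ENTRYPOINT ["/myapp"]
EOF

NUMERIC_DF=$(mktemp); cat > "$NUMERIC_DF" <<'EOF'
FROM alpine:3.12
USER 1000:1000
ENTRYPOINT ["/myapp"]
EOF

NOUSER_DF=$(mktemp); cat > "$NOUSER_DF" <<'EOF'
FROM alpine:3.12
ENTRYPOINT ["/myapp"]
EOF

REROOT_DF=$(mktemp); cat > "$REROOT_DF" <<'EOF'
FROM alpine:3.12
RUN adduser -D myuser
USER myuser
USER root
ENTRYPOINT ["/myapp"]
EOF

BUILDER_ONLY_DF=$(mktemp); cat > "$BUILDER_ONLY_DF" <<'EOF'
FROM alpine:3.12 AS builder
RUN adduser -D myuser
FROM alpine:3.12
COPY --from=builder /app /myapp
USER myuser
ENTRYPOINT ["/myapp"]
EOF

# Demo run: the first two pass, the last three are rejected.
for f in "$GOOD_DF" "$NUMERIC_DF" "$NOUSER_DF" "$REROOT_DF" "$BUILDER_ONLY_DF"; do
  check_nonroot "$f" || true
done
```

The builder-only case is the one most often missed: the user is created in the builder stage, but nothing from that stage's /etc/passwd reaches the runtime image, so the final USER names an account that does not exist. Numeric UIDs sidestep that, at the cost of a less readable Dockerfile and no home directory for the process.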