Why is it that this little Dockerfile creates a user dnscrypt and group of its own, without any root privileges?
How is this possible if user dnscrypt had never been created via adduser & addgroup etc?
FROM alpine:edge
RUN apk add --update --no-cache \
    dnscrypt-proxy=2.1.4-r1 \
    drill=1.8.3.1
USER dnscrypt
CMD /usr/bin/dnscrypt-proxy
The documentation says that USER in a Dockerfile switches to a user that needs to be created first, with adduser or similar commands.
If none is created or without a group, as per the doc, USER will create a user that is assigned to group root, so it has full root privileges anyways.
I want a non-root user, but don’t understand why the above works.
Hey man, thanks for the reply. You’re right, I finally found something on Stack Overflow. apk add --update automatically creates a user and group if root is not required to run the application and no other user or group is found.
So this only works with Alpine out of the box, I believe. APT certainly does not do it.
On Ubuntu 22.04 the automatically created username is _dnscrypt-proxy. These usernames have nothing to do with the USER instruction in the Dockerfile; you just picked the right username to switch to. Package managers inside the container don’t see instructions from the Dockerfile except environment variables and build arguments (at build time).
Yeah, Metin was right (of course): it’s the package itself that creates the user and group (without the user’s consent). So this behavior will vary from package to package.
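
Since the account comes from the package rather than from the Dockerfile, it is worth checking that the name passed to USER really is unprivileged in the built image. The script below is an added example, not code from any poster in this thread: it audits an account against copies of the image's /etc/passwd and /etc/group. The function names, the svc_* accounts and all uid/gid values are constructed for illustration.

```shell
#!/bin/sh
# Real files can be copied out of an image with, for example:
#   docker run --rm --entrypoint cat <image> /etc/passwd > passwd

# check_nonroot USER PASSWD_FILE GROUP_FILE
# returns 0 = unprivileged, 1 = root-equivalent, 2 = account missing
check_nonroot() {
    user=$1 passwd=$2 group=$3
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "$user: no passwd entry in this image"
        return 2
    fi
    uid=${entry%%:*}
    gid=${entry##*:}
    # Supplementary membership in a gid-0 group also counts as root-equivalent.
    in_root=$(awk -F: -v u="$user" '$3 == 0 {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print "yes"; exit }
    }' "$group")
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ] || [ "$in_root" = "yes" ]; then
        echo "$user: uid=$uid gid=$gid root_group_member=${in_root:-no} -> root-equivalent"
        return 1
    fi
    echo "$user: uid=$uid gid=$gid -> unprivileged"
    return 0
}

# make_sample DIR: writes constructed passwd/group files (not taken from a real image).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
dnscrypt:x:100:101:dnscrypt:/var/empty:/sbin/nologin
svc_gid0:x:1000:0::/home/svc_gid0:/sbin/nologin
svc_member:x:1001:1001::/home/svc_member:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root,svc_member
dnscrypt:x:101:dnscrypt
svc_member:x:1001:
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for u in dnscrypt svc_gid0 svc_member _dnscrypt-proxy; do
    check_nonroot "$u" "$demo_dir/passwd" "$demo_dir/group" || true
done
rm -rf "$demo_dir"
```

A check like this can run as a build or CI step so that a package update that renames or drops its service account is caught before the image ships.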