Reputation: 6043
From this reading on https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines in the section Support Arbitrary User IDs. It's recommended for:
USER with the user id, not the username
Example:
RUN chgrp -R 0 /some/directory && \
chmod -R g=u /some/directory
RUN chmod g=u /etc/passwd
ENTRYPOINT [ "uid_entrypoint" ]
USER 1001
I'm not clear with what all these mean.
What does g=u mean?
What does group 0 mean?
I've specified in my image the below to create a new user and group, and run processes as that user (non-root). Is this wrong? Can someone please help explain and provide examples - what is the correct way of doing it?
RUN useradd -M nonroot \
&& groupadd nonrootgr \
&& chown -R nonroot:nonrootgr /var/lib/myapp
USER nonroot
Upvotes: 2
Views: 2492
Reputation: 58523
Where is user 1001 defined?
You need to create a non root user account with that user ID.
See: https://github.com/sclorg/s2i-base-container/blob/master/core/Dockerfile#L71
What does g=u mean?
It sets the group permissions for the directory/file to the same as what the user has.
What does group 0 mean?
The root group has group ID of 0.
I've specified in my image the below....
See the linked example above for how to add non root user.
You must use:
USER 1001
You cannot use an account name as value for USER, it must be an integer value.
Upvotes: 4
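The `chgrp -R 0` and `chmod -R g=u` steps discussed above can be checked after they run. The script below is an added example, not code from the OpenShift documentation or from either poster. It reports any path whose group is not GID 0 or whose group permission bits differ from the owner's. The function names `group_matches_user` and `audit_tree` are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the OpenShift docs): check that a tree is usable by
# an arbitrary UID that is only a member of the root group (GID 0).
# Assumes GNU stat; paths containing newlines are not handled.

# group_matches_user MODE: succeed when the group rwx bits equal the owner
# rwx bits, which is the state `chmod g=u` leaves behind.
group_matches_user() (
    m=$((0$1))   # stat prints octal without a leading 0; add it for $(( ))
    [ $(( (m >> 6) & 7 )) -eq $(( (m >> 3) & 7 )) ]
)

# audit_tree DIR [GID]: print every path whose group is not GID (default 0)
# or whose group bits differ from the owner bits; fail if any were found.
audit_tree() (
    dir=$1
    gid=${2:-0}
    find "$dir" -exec stat -c '%a %g %n' {} + | {
        bad=0
        while read -r mode group path; do
            if [ "$group" != "$gid" ]; then
                echo "group is $group, expected $gid: $path"
                bad=1
            elif ! group_matches_user "$mode"; then
                echo "mode $mode, group bits differ from owner bits: $path"
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
)

# Typical use as a build-time gate after the chgrp/chmod step:
#   audit_tree /some/directory || exit 1
```

The optional second argument exists so the check can be tried outside a root build, where files cannot be given to group 0.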