From 800b134057588256b3e666a05ec0b6a02c430e0a Mon Sep 17 00:00:00 2001 From: King'ori Maina Date: Mon, 16 Mar 2026 13:47:50 +0200 Subject: [PATCH 01/10] Add Dockerfile, changelog, and licence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ubuntu 24.04-based image carrying the Docker CLI (29.3.0), Docker Buildx plugin (0.31.1), and the Amazon ECR credential helper (0.12.0). Runs as a non-root builder user (UID/GID 1001). The image is designed for running docker buildx build against remote BuildKit daemons using the remote driver — no Docker Engine daemon is needed. ECR authentication is handled by docker-credential-ecr-login via IRSA; the Docker CLI config (credHelpers) is provided at runtime rather than baked into the image. --- CHANGELOG.md | 9 +++++++++ Dockerfile | 44 ++++++++++++++++++++++++++++++++++++++++++++ LICENSE.md | 21 +++++++++++++++++++++ 3 files changed, 74 insertions(+) create mode 100644 CHANGELOG.md create mode 100644 Dockerfile create mode 100644 LICENSE.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..d18098a --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,9 @@ +# Changelog + +## 1.0.0 + +* Use Ubuntu 24.04 (LTS) as upstream base image. +* Set up `builder` user and group with UID and GID of `1001`. +* Install Docker CLI v`29.3.0`. +* Install Docker Buildx Plugin v`0.31.1`. +* Install Amazon ECR Credential Helper v`0.12.0`. diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..41099b9 --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,44 @@
+FROM ubuntu:24.04
+
+SHELL ["/bin/bash", "-c"]
+
+ARG DEBIAN_FRONTEND=noninteractive
+ARG TARGETARCH
+
+RUN apt-get update -y && \
+ apt-get install --no-install-recommends -y \
+ ca-certificates \
+ curl \
+ wget && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Docker
+ARG DOCKER_BUILDX_PLUGIN_VERSION="0.31.1-1"
+ARG DOCKER_CLI_VERSION="5:29.3.0-1"
+RUN mkdir -p /etc/apt/keyrings && \
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc && \
+ chmod a+r /etc/apt/keyrings/docker.asc && \
+ echo "deb [arch=${TARGETARCH} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable" > /etc/apt/sources.list.d/docker.list && \
+ apt-get update -y && \
+ apt-get install --no-install-recommends -y \
+ docker-buildx-plugin=${DOCKER_BUILDX_PLUGIN_VERSION}~ubuntu.24.04~noble \
+ docker-ce-cli=${DOCKER_CLI_VERSION}~ubuntu.24.04~noble && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# AECH (Amazon ECR Credential Helper)
+ARG AECH_VERSION="0.12.0"
+RUN cd /tmp && \
+ wget --progress=dot:mega "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login" && \
+ wget --progress=dot:mega "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login.sha256" && \
+ cat "docker-credential-ecr-login.sha256" | sha256sum -c - && \
+ chmod +x "./docker-credential-ecr-login" && \
+ mv "./docker-credential-ecr-login" "/usr/local/bin/docker-credential-ecr-login" && \
+ rm -rf /tmp/*
+
+# Create user
+ARG APP_USER="builder"
+RUN groupadd -g 1001 ${APP_USER} && \
+ useradd --system --create-home -u 1001 -g 1001 ${APP_USER}
+
+USER ${APP_USER}:${APP_USER}
+CMD ["/bin/bash"]
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..69b3895
--- /dev/null
+++ b/LICENSE.md
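Review bot: The `sha256sum -c` step in the AECH `RUN` checks the helper binary against a `.sha256` file fetched from the same S3 bucket as the binary, so it catches a corrupted download but not a replaced release object, since whoever can alter one file can alter the other. Pin the expected digest for each `TARGETARCH` in the Dockerfile next to `AECH_VERSION`, recorded out-of-band when the version is bumped, and compare against that instead of the downloaded checksum file. The curl-based rewrite of these lines in PATCH 05 keeps the same pattern and needs the same change. The binary is a credential helper that sits on the registry authentication path, so its provenance deserves the stricter check.

```dockerfile
ARG AECH_VERSION="0.12.0"
# Placeholders: record the real digests out-of-band whenever AECH_VERSION changes.
ARG AECH_SHA256_AMD64="<sha256-of-linux-amd64-binary>"
ARG AECH_SHA256_ARM64="<sha256-of-linux-arm64-binary>"
RUN cd /tmp && \
    case "${TARGETARCH}" in \
      amd64) expected="${AECH_SHA256_AMD64}" ;; \
      arm64) expected="${AECH_SHA256_ARM64}" ;; \
      *) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
    esac && \
    # … unchanged: download of docker-credential-ecr-login (the .sha256 download is dropped) …
    echo "${expected}  docker-credential-ecr-login" | sha256sum -c - && \
    # … unchanged: chmod, mv, cleanup …
```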
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2026 Zappi + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From 604b0565ef38063bbcf3b669cda8a2bd577913af Mon Sep 17 00:00:00 2001 From: King'ori Maina Date: Mon, 16 Mar 2026 13:48:01 +0200 Subject: [PATCH 02/10] Add CI workflows for test and release test.yml runs on every PR to main and validates that the image builds successfully for both linux/amd64 and linux/arm64 using QEMU and Docker Buildx, without pushing. release.yml triggers on any tag push. It creates a GitHub Release, then builds and pushes the multi-arch image to Docker Hub as zappi/image-builder, and syncs the README to Docker Hub via peter-evans/dockerhub-description. --- .github/workflows/release.yml | 61 +++++++++++++++++++++++++++++++++++ .github/workflows/test.yml | 35 ++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/test.yml 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..ecd53ab
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,61 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - "*"
+
+env:
+ IMAGE: zappi/image-builder
+
+jobs:
+ github-release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Create Release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ github.ref }}
+ release_name: Version ${{ github.ref }}
+ draft: false
+ prerelease: false
+ docker-hub-release:
+ needs: github-release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Prepare image metadata
+ id: metadata
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.IMAGE }}
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_TOKEN }}
+ - name: Build, tag, and push image to Amazon ECR
+ uses: docker/build-push-action@v6
+ with:
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ context: .
+ labels: ${{ steps.metadata.outputs.labels }}
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ steps.metadata.outputs.tags }}
+ - name: Update description on Docker Hub Description
+ uses: peter-evans/dockerhub-description@v4
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_TOKEN }}
+ repository: ${{ env.IMAGE }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..12e8dd2
--- /dev/null
+++ b/.github/workflows/test.yml
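Review bot: Every `uses:` in this workflow references a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `peter-evans/dockerhub-description@v4`, and the rest), while the jobs that run them hold `DOCKER_HUB_TOKEN` and a `GITHUB_TOKEN`, so a retagged action would execute with those secrets. Pin each action to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, starting with the third-party `peter-evans/dockerhub-description`. The workflow also declares no `permissions:` block, so the token scope falls back to the repository default; declaring `contents: write` on `github-release` and `contents: read` on `docker-hub-release` should be enough and makes the scope explicit. The same pinning applies to `test.yml` and to the version bumps in PATCH 08, which still use tags.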
@@ -0,0 +1,35 @@ +name: Test + +on: + pull_request: + branches: + - "main" + +env: + IMAGE: zappi/image-builder + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Prepare image metadata + id: metadata + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE }} + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Test multi-arch building of image + uses: docker/build-push-action@v6 + with: + cache-from: type=gha + cache-to: type=gha,mode=max + context: . + labels: ${{ steps.metadata.outputs.labels }} + platforms: linux/amd64,linux/arm64 + push: false + tags: ${{ steps.metadata.outputs.tags }} From 8dc6a03526b19dd9a9759f72a8c6b1b84b78fd47 Mon Sep 17 00:00:00 2001 From: King'ori Maina Date: Mon, 16 Mar 2026 13:48:09 +0200 Subject: [PATCH 03/10] Add CODEOWNERS Assigns @Intellection/SRE as the default owner for all files in the repository. --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..f83760b --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @Intellection/SRE From bb958af57dffa7a8b75af9372a617b454bf4e718 Mon Sep 17 00:00:00 2001 From: King'ori Maina Date: Mon, 16 Mar 2026 13:48:36 +0200 Subject: [PATCH 04/10] Add README content Describes the image purpose, bundled components with versions, how the Docker CLI config is expected to be provided at runtime, and links to the upstream projects (Docker CLI, Buildx, ECR credential helper). --- README.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/README.md b/README.md index 30e8f65..e8c9d58 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,43 @@ # Docker Image Builder + +A purpose-built image for running `docker buildx build` against remote [BuildKit](https://github.com/moby/buildkit) daemons and pushing to Amazon ECR. It carries only what is needed for this role — no Docker Engine daemon, no `git`, no `aws` CLI. + +Published to Docker Hub as [`zappi/image-builder`](https://hub.docker.com/r/zappi/image-builder). Built for `linux/amd64` and `linux/arm64`. + +## Contents + +| Component | Version | +|-----------|---------| +| Base image | Ubuntu 24.04 LTS | +| [Docker CLI](https://github.com/docker/cli) | 29.3.0 | +| [Docker Buildx plugin](https://github.com/docker/buildx) | 0.31.1 | +| [Amazon ECR Credential Helper](https://github.com/awslabs/amazon-ecr-credential-helper) | 0.12.0 | + +The image runs as a non-root `builder` user (UID/GID `1001`). + +## Docker CLI configuration + +No `~/.docker/config.json` is baked into the image. It is expected to be provided at runtime — for example, mounted via a Kubernetes ConfigMap. + +The config should wire the ECR credential helper for the registries the builder needs to authenticate with: + +```json +{ + "credHelpers": { + "public.ecr.aws": "ecr-login", + ".dkr.ecr..amazonaws.com": "ecr-login" + } +} +``` + +The ECR credential helper (`docker-credential-ecr-login`) is already present in the image. In a Kubernetes context, ECR authentication is handled via IRSA — no static AWS credentials are required. + +## Releases + +Images are tagged and pushed to Docker Hub on every [GitHub Release](https://github.com/Intellection/docker-image-builder/releases). Tags follow the version in the release (e.g. `zappi/image-builder:1.0.0`). + +## References + +- [docker/cli](https://github.com/docker/cli) +- [docker/buildx](https://github.com/docker/buildx) +- [awslabs/amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper) From 803b68814ee9ae41213ffa5bc264cb30f8424052 Mon Sep 17 00:00:00 2001 
From: King'ori Maina Date: Mon, 16 Mar 2026 14:44:41 +0200 Subject: [PATCH 05/10] Replace wget with curl for ECR credential helper download curl is already required for fetching the Docker apt repository GPG key. Using it for the ECR credential helper download as well removes wget as a dependency. --- CHANGELOG.md | 1 + Dockerfile | 7 +++---- README.md | 2 ++ 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d18098a..85dc6c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Use Ubuntu 24.04 (LTS) as upstream base image. * Set up `builder` user and group with UID and GID of `1001`. +* Install `ca-certificates` and `curl`. * Install Docker CLI v`29.3.0`. * Install Docker Buildx Plugin v`0.31.1`. * Install Amazon ECR Credential Helper v`0.12.0`. diff --git a/Dockerfile b/Dockerfile index 41099b9..219dd01 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,8 +8,7 @@ ARG TARGETARCH RUN apt-get update -y && \ apt-get install --no-install-recommends -y \ ca-certificates \ - curl \ - wget && \ + curl && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* # Docker 
@@ -28,8 +27,8 @@ RUN mkdir -p /etc/apt/keyrings && \ # AECH (Amazon ECR Credential Helper) ARG AECH_VERSION="0.12.0" RUN cd /tmp && \ - wget --progress=dot:mega "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login" && \ - wget --progress=dot:mega "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login.sha256" && \ + curl -fSL -o "docker-credential-ecr-login" "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login" && \ + curl -fSL -o "docker-credential-ecr-login.sha256" "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login.sha256" && \ cat "docker-credential-ecr-login.sha256" | sha256sum -c - && \ chmod +x "./docker-credential-ecr-login" && \ mv "./docker-credential-ecr-login" "/usr/local/bin/docker-credential-ecr-login" && \ diff --git a/README.md b/README.md index e8c9d58..3d0d953 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,8 @@ Published to Docker Hub as [`zappi/image-builder`](https://hub.docker.com/r/zapp The image runs as a non-root `builder` user (UID/GID `1001`). +System packages (unpinned): `ca-certificates`, `curl` + ## Docker CLI configuration No `~/.docker/config.json` is baked into the image. It is expected to be provided at runtime — for example, mounted via a Kubernetes ConfigMap. From 61e0e82c212860c8d8477f34c38d4c07172d8a8e Mon Sep 17 00:00:00 2001 
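Review bot: The two new `curl -fSL` downloads follow redirects without restricting the scheme, so a redirect to plain HTTP would be followed; because the checksum file comes from the same origin as the binary, TLS is the only integrity control on this download. Add `--proto '=https' --proto-redir '=https'` to both commands so the transfer fails rather than downgrading. The `cat "docker-credential-ecr-login.sha256" | sha256sum -c -` context line can also be written as `sha256sum -c docker-credential-ecr-login.sha256`, which removes the pipe that the file's `SHELL` line (no `-o pipefail`) does not guard. The `RUN` instruction continues past the end of this hunk.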
From: King'ori Maina Date: Mon, 16 Mar 2026 14:53:38 +0200 Subject: [PATCH 06/10] Broaden README scope and clarify credential chain The opening paragraph previously framed the image as ECR-specific. Widened to describe the general purpose: building and pushing container images via remote BuildKit daemons. The credential helper description previously called out IRSA specifically. Updated to reference the standard AWS credential chain, which is what the helper actually follows. --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 3d0d953..7612a75 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Docker Image Builder -A purpose-built image for running `docker buildx build` against remote [BuildKit](https://github.com/moby/buildkit) daemons and pushing to Amazon ECR. It carries only what is needed for this role — no Docker Engine daemon, no `git`, no `aws` CLI. +A purpose-built image for building and pushing container images via remote [BuildKit](https://github.com/moby/buildkit) daemons. It carries only what is needed for this role — no Docker Engine daemon, no `git`, no build toolchains. Published to Docker Hub as [`zappi/image-builder`](https://hub.docker.com/r/zappi/image-builder). Built for `linux/amd64` and `linux/arm64`. @@ -15,12 +15,12 @@ Published to Docker Hub as [`zappi/image-builder`](https://hub.docker.com/r/zapp The image runs as a non-root `builder` user (UID/GID `1001`). -System packages (unpinned): `ca-certificates`, `curl` - -## Docker CLI configuration +## Docker CLI Configuration No `~/.docker/config.json` is baked into the image. It is expected to be provided at runtime — for example, mounted via a Kubernetes ConfigMap. +### AWS ECR Credential Helper Configuration + The config should wire the ECR credential helper for the registries the builder needs to authenticate with: ```json 
@@ -32,7 +32,7 @@ The config should wire the ECR credential helper for the registries the builder } ``` -The ECR credential helper (`docker-credential-ecr-login`) is already present in the image. In a Kubernetes context, ECR authentication is handled via IRSA — no static AWS credentials are required. +The ECR credential helper (`docker-credential-ecr-login`) is already present in the image. It follows the standard [AWS credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviders), so no static credentials need to be baked into the image. ## Releases From f0dd389053ac9abb4827717b16e82689cfda14f9 Mon Sep 17 00:00:00 2001 From: King'ori Maina Date: Mon, 16 Mar 2026 14:59:43 +0200 Subject: [PATCH 07/10] Set default working directory to builder user home Without an explicit WORKDIR, containers start in / which is not writable by the non-root builder user. --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 219dd01..61ad402 100644 --- a/Dockerfile +++ b/Dockerfile @@ -39,5 +39,6 @@ ARG APP_USER="builder" RUN groupadd -g 1001 ${APP_USER} && \ useradd --system --create-home -u 1001 -g 1001 ${APP_USER} +WORKDIR /home/${APP_USER} USER ${APP_USER}:${APP_USER} CMD ["/bin/bash"] From ff50ef950686f38af4f9ee0c1701cfc297a48121 Mon Sep 17 00:00:00 2001 From: King'ori Maina Date: Mon, 16 Mar 2026 15:03:52 +0200 Subject: [PATCH 08/10] Bump CI actions to Node.js 24-compatible versions All Docker actions (metadata, qemu, buildx, build-push, login) bumped to their latest major versions. actions/checkout bumped from v4 to v6. peter-evans/dockerhub-description bumped from v4 to v5. Replaces the archived actions/create-release@v1 (stuck on Node.js 12, no longer maintained) with a gh release create shell step. --- .github/workflows/release.yml | 29 ++++++++++++----------------- .github/workflows/test.yml | 10 +++++----- 2 files changed, 17 insertions(+), 22 deletions(-) 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ecd53ab..97ed771 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,38 +13,33 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Create Release - uses: actions/create-release@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: Version ${{ github.ref }} - draft: false - prerelease: false + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh release create "${{ github.ref_name }}" --title "Version ${{ github.ref_name }}" docker-hub-release: needs: github-release runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Prepare image metadata id: metadata - uses: docker/metadata-action@v5 + uses: docker/metadata-action@v6 with: images: ${{ env.IMAGE }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_TOKEN }} - - name: Build, tag, and push image to Amazon ECR - uses: docker/build-push-action@v6 + - name: Build, tag, and push image to Docker Hub + uses: docker/build-push-action@v7 with: cache-from: type=gha cache-to: type=gha,mode=max @@ -53,8 +48,8 @@ jobs: platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.metadata.outputs.tags }} - - name: Update description on Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + - name: Update description on Docker Hub + uses: peter-evans/dockerhub-description@v5 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_TOKEN }} 
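Review bot: The new `run:` step expands `${{ github.ref_name }}` directly into the script text, so the tag name is substituted before bash parses the command; at this commit the trigger is still `tags: "*"`, so any pushed tag name reaches that line. Pass the value through the environment instead: add `TAG: ${{ github.ref_name }}` under the step's `env:` and use `run: gh release create "$TAG" --title "Version $TAG"`. PATCH 09 narrows the trigger to digit-and-dot tags, which limits what can arrive here, but the env form keeps the step safe if that filter is ever loosened.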
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 12e8dd2..b4afcfc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,18 +13,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Prepare image metadata id: metadata - uses: docker/metadata-action@v5 + uses: docker/metadata-action@v6 with: images: ${{ env.IMAGE }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Test multi-arch building of image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: cache-from: type=gha cache-to: type=gha,mode=max From f65c6b1749c98b760cab50a6ac86f5150aeff692 Mon Sep 17 00:00:00 2001 From: King'ori Maina Date: Mon, 16 Mar 2026 15:19:12 +0200 Subject: [PATCH 09/10] Narrow release tag filter to semver tags The previous wildcard matched any tag, which would trigger a GitHub Release and Docker Hub push for non-version tags like 'test' or 'experiment'. Restricting to X.Y.Z-shaped tags prevents unintended releases. --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 97ed771..eba37b2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,7 +3,7 @@ name: Release on: push: tags: - - "*" + - "[0-9]+.[0-9]+.[0-9]+" env: IMAGE: zappi/image-builder From 547e703a8683ab71e018ac7dbb55672e4ba54aed Mon Sep 17 00:00:00 2001 
From: King'ori Maina Date: Mon, 16 Mar 2026 15:19:23 +0200 Subject: [PATCH 10/10] Drop --system flag from useradd --system sets the default shell to /usr/sbin/nologin, which is inconsistent with the /bin/bash CMD. The flag's protections (nologin shell, hidden from login screens) have no practical effect in a container. Without it, the user gets /bin/bash as its shell by default, matching the container's intended behaviour. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 61ad402..7901467 100644 --- a/Dockerfile +++ b/Dockerfile @@ -37,7 +37,7 @@ RUN cd /tmp && \ # Create user ARG APP_USER="builder" RUN groupadd -g 1001 ${APP_USER} && \ - useradd --system --create-home -u 1001 -g 1001 ${APP_USER} + useradd --create-home -u 1001 -g 1001 ${APP_USER} WORKDIR /home/${APP_USER} USER ${APP_USER}:${APP_USER}