From a1562cd3d86ba9a0ed8dbc64a8f74d7a3b90edb9 Mon Sep 17 00:00:00 2001 From: memory Date: Fri, 26 May 2017 09:04:03 -0700 Subject: [PATCH] Suggest passing --no-log-init to adduser Running `useradd` without `--no-log-init` risks triggering a resource exhaustion issue: https://github.com/moby/moby/issues/15585 https://github.com/moby/moby/issues/5419 https://github.com/golang/go/issues/13548 --- .../userguide/eng-image/dockerfile_best-practices.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/engine/userguide/eng-image/dockerfile_best-practices.md b/engine/userguide/eng-image/dockerfile_best-practices.md index a0ab9bbbaaa..b98d0f38028 100644 --- a/engine/userguide/eng-image/dockerfile_best-practices.md +++ b/engine/userguide/eng-image/dockerfile_best-practices.md 
@@ -513,12 +513,20 @@ parts of your image. If a service can run without privileges, use `USER` to change to a non-root user. Start by creating the user and group in the `Dockerfile` with something -like `RUN groupadd -r postgres && useradd -r -g postgres postgres`. +like `RUN groupadd -r postgres && useradd --no-log-init -r -g postgres postgres`. > **Note**: Users and groups in an image get a non-deterministic > UID/GID in that the “next” UID/GID gets assigned regardless of image > rebuilds. So, if it’s critical, you should assign an explicit UID/GID. +> **Note**: Due to an [unresolved bug](https://github.com/golang/go/issues/13548) +> in the Go archive/tar package's handling of sparse files, attempting to +> create a user with a sufficiently large UID inside a Docker container can +> lead to disk exhaustion as `/var/log/faillog` in the container layer is +> filled with NUL (\0) characters. Passing the `--no-log-init` flag to +> useradd works around this issue. The Debian/Ubuntu `adduser` wrapper +> does not support the `--no-log-init` flag and should be avoided. + You should avoid installing or using `sudo` since it has unpredictable TTY and signal-forwarding behavior that can cause more problems than it solves. If you absolutely need functionality similar to `sudo` (e.g., initializing the
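Review bot: The subject line "Suggest passing --no-log-init to adduser" contradicts the added note's last sentence, which says the Debian/Ubuntu `adduser` wrapper does not support `--no-log-init` and should be avoided; the flag is being added to `useradd`, so the subject should read "Suggest passing --no-log-init to useradd". Within the new `> **Note**` block, "useradd" and "\0" appear without backticks while `--no-log-init` and `/var/log/faillog` are backticked; use `useradd` and `` `\0` `` for consistency with the rest of the section. The phrase "unresolved bug" will go stale once golang/go#13548 is fixed; prefer "a bug in the Go archive/tar package's handling of sparse files (see ...)" so the text stays accurate regardless of that issue's status. The commit message also cites moby/moby#15585 and moby/moby#5419, which describe the Docker-side symptom; linking one of them from the note alongside the Go issue would give readers the Docker-specific context (the `/var/log/faillog` growth in the container layer) rather than only the upstream tar bug.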