4.2.11.2 USER Account Creation
A focused guide to USER Account Creation, connecting core concepts with practical Docker and container operations.
USER account creation is the step, typically a RUN useradd or equivalent instruction, that explicitly creates a dedicated unprivileged user account inside an image before the Dockerfile switches to it with USER. It is needed because a suitable non-root account does not always already exist in a given base image.
Creating a User on Debian-Based Images
Debian and Ubuntu-based images typically use useradd to create a new user account, optionally with a home directory.
RUN useradd --create-home --shell /bin/bash appuser
USER appuser
The --create-home flag ensures the user has a proper home directory, which some applications expect to exist.
Creating a User on Alpine-Based Images
Alpine uses a different set of user management tools, since it does not include the same GNU utilities by default.
RUN adduser -D appuser
USER appuser
The -D flag creates the user without requiring a password, appropriate for a user that will never need interactive login.
Creating a User With a Specific Numeric ID
Specifying a particular numeric user ID, rather than letting the system assign one automatically, can be useful for ensuring consistent ownership behavior across different images or when matching a UID expected by a mounted volume.
RUN useradd --uid 1000 --create-home appuser
Creating Both a User and a Dedicated Group
Creating a dedicated group alongside the user, rather than relying on a default group, gives finer control over file ownership and permissions.
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
USER appuser:appgroup
The -r flag here creates a system account and group, conventionally used for service accounts rather than accounts meant for interactive use.
Why Explicit Account Creation Matters
Explicitly creating a dedicated, purpose-specific user account, rather than relying on whatever might already exist in a base image, gives precise control over the account's properties and ensures the resulting USER instruction switches to an account that behaves exactly as intended.
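A check for the point above, added here as an example and not taken from the original guide: it reads a Dockerfile and reports whether the final USER is non-root and names an account that a preceding RUN useradd or adduser actually created. The function names, finding strings and sample Dockerfiles are assumptions made for illustration, and an account supplied by the base image itself will be reported as not created and needs manual confirmation.

```python
import re
import shlex

CREATE_CMDS = {"useradd", "adduser"}  # shadow-utils and BusyBox tools

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def created_users(run_body):
    """Account names created by useradd/adduser in one shell-form RUN."""
    names = set()
    for cmd in re.split(r"&&|\|\||;", run_body):
        try:
            words = shlex.split(cmd)
        except ValueError:      # unbalanced quotes: skip this command
            continue
        # Assumption: the login name is the last argument, as on this page.
        if words and words[0] in CREATE_CMDS:
            names.add(words[-1])
    return names

def check_user(dockerfile_text):
    """Return (final_user, finding) for the last build stage."""
    created, user = set(), None
    for line in logical_lines(dockerfile_text):
        instr, _, body = line.partition(" ")
        if instr.upper() == "FROM":     # each stage starts from a new base
            created, user = set(), None
        elif instr.upper() == "RUN":
            created |= created_users(body)
        elif instr.upper() == "USER":
            user = body.strip().split(":")[0]
    if user is None or user in ("root", "0"):
        return user, "runs as root"
    if user.isdigit() or user in created:
        return user, "ok"       # numeric UIDs need no passwd entry
    return user, "USER names an account this Dockerfile never creates"

# Constructed sample Dockerfiles (not from the original page).
GOOD = ("FROM debian:bookworm-slim\nRUN groupadd -r appgroup && \\\n"
        "    useradd -r -g appgroup appuser\nUSER appuser:appgroup\n")
MISSING = "FROM alpine:3.20\nRUN adduser -D appuser\nUSER webuser\n"

if __name__ == "__main__":
    print(check_user(GOOD), check_user(MISSING))
```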