How to add user to Docker image with limited read only permissions?

Question

My goal is to configure docker image, where I will use it via rootless user and this user can read only jar files.

What I have done in Dockerfile:

...something...
ARG USERNAME=MyCustomUser
ARG USER_UID=10001
ARG USER_GID=$USER_UID

RUN groupadd --gid $USER_GID $USERNAME \
    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
...something...

But how can I configure read permissions in file system only to jar files?

Answer 1

Just don't install anything else in the container. The container runs in a restricted environment, and can't normally access files outside the container (enforced by Docker), so you don't need to specifically set permissions or disallow other things.

Say the Dockerfile contains only:

FROM eclipse-temurin:17
RUN adduser --system custom
WORKDIR /app
COPY ./target/app.jar ./
USER custom
CMD ["java", "-jar", "app.jar"]

There is nothing in the image beyond a set of base tools, the JVM, and the jar file, so you can't do anything else inside the container. Furthermore, the jar file is owned by root but the container (by default) runs as a non-root user, so you can't overwrite anything in the image.

The user name and ID in the container normally do not need to match any particular host user, and in this example I've chosen a fixed name and let adduser(8) pick the ID for me. If you need a different user ID (to write to a bind-mounted host directory for example) you can specify the numeric user ID when you run the container. You do not need to "create the user" per se, and you do not want to rebuild the image just because someone else is running it. Do not try to pass a user ID as a build-time ARG.