Adding Users to SLE BCI Micro and Minimal
This guide will demonstrate how to add users to the SLE BCI Micro and SLE BCI Minimal images, without having the
The SLE BCI Micro and Minimal images are tailored towards providing a small
footprint and thus do not ship the
useradd binary. While this reduces the
image size, creating new users inside containers based on BCI Micro or Minimal
involves a few additional steps.
Switch to using the BusyBox SLE BCI
SLE BCI Minimal and SLE BCI Micro are lightweight deployment images without a package manager and tailored for specific use cases. If you do not require a package manager in your final image and additionally:
you do not need
your application runs with POSIX
shand not just Bash
then consider using the SLE BCI BusyBox image instead. It is even smaller than SLE BCI
Micro and ships the BusyBox implementation of
useradd. Adding a new user in
BusyBox is straightforward:
FROM registry.suse.com/bci/bci-busybox:15.4 ARG user # add -H if /home/$user shall not be created RUN adduser -D $user USER $user
This container can be built using your favorite container runtime as follows:
docker build --build-arg user=rancher .
buildah bud --layers --build-arg user=rancher .
nerdctl build --build-arg user=rancher .
Using the Base Container to create the User Account
We can utilize a multistage build to create the user in a container that
useradd binary and then copy all necessary files into SLE BCI
Micro or SLE BCI Minimal. This is achieved using the following
FROM registry.suse.com/bci/bci-base:15.4 as useradder ARG user # omit -m if you don't want /home/$user to be created RUN useradd -m $user FROM registry.suse.com/bci/bci-micro:15.4 ARG user COPY --from=useradder /etc/passwd /etc/passwd COPY --from=useradder /etc/group /etc/group COPY --from=useradder /etc/shadow /etc/shadow # subgid & subuid are rarely necessary in containers # COPY --from=useradder /etc/subgid /etc/subgid # COPY --from=useradder /etc/subuid /etc/subuid # some applications will send your user emails, in case yours does that, # uncomment the following line # COPY --from=useradder /var/spool/mail/$user /var/spool/mail/$user # only include this if you kept the -m flag to useradd COPY --from=useradder /home/$user /home/$user USER $user # remaining build / copy instructions go here
Build your container image using your favorite container runtime using the
--build-arg parameter as in Switch to
using the BusyBox SLE BCI.
Using BusyBox to create the User Account
We can leverage the
adduser implementation from BusyBox to create new users
in SLE BCI Minimal, by installing BusyBox inside the Minimal image and then
adduser. This will not work in the Micro image as it lacks
rpm to install BusyBox.
This approach will leave two rpm files inside a layer of your final container image, thereby making it slightly bigger than necessary. Consider squashing the layers to remove this overhead.
We utilize the SLE BCI Base container once again to download the rpms of BusyBox and
libsepol1 (a dependency of BusyBox), copy both rpms into the Minimal image,
add the user and remove both packages afterwards:
FROM registry.suse.com/bci/bci-base:15.4 as downloader RUN zypper download busybox libsepol1 FROM registry.suse.com/bci/bci-minimal:15.4 ARG user ARG arch=x86_64 COPY --from=downloader /var/cache/zypp/packages/SLE_BCI/$arch/*rpm /tmp/ RUN rpm -i /tmp/libsepol1*rpm && rpm -i /tmp/busybox*rpm && \ busybox adduser -D $user && \ rpm -e busybox && rpm -e libsepol1 && rm -rf /tmp/*rpm USER $user
Building this container image requires the additional build argument
building on non-x86_64 systems. We also squash the layers, if supported by the
container runtime. Currently
nerdctl does not support squashing and Docker
requires to be launched with experimental features enabled.
docker build --build-arg user=rancher \ --build-arg arch=$(uname -m) \ --squash .
buildah bud --build-arg user=rancher \ --build-arg arch=$(uname -m) \ --squash .
nerdctl build --build-arg user=rancher \ --build-arg arch=$(uname -m) .