# ADR-1042: Containerfile hardening — non-root USER + build-time DEBIAN_FRONTEND

- Status: Accepted
- Date: 2026-06-04
- Deciders: Lusoris
- Tags: containerfile, security, docker, ci, hardening
## Context

Three container hardening issues were identified in the R8 audit:

1. `dev/Containerfile` — final stage runs as root: The last `USER root` directive (for the pip-install step) was never followed by a `USER vmaf` before the `ENTRYPOINT`. The entrypoint script and all container processes ran as uid 0, violating the principle of least privilege.
2. `Dockerfile.go-server` — no `USER` directive: The distroless final stage had no `USER` instruction. `gcr.io/distroless/cc-debian12` defaults to uid 0 (root) at runtime unless overridden. The distroless image ships a `nonroot` user (uid 65532) for exactly this purpose.
3. `Dockerfile` — `ENV DEBIAN_FRONTEND=noninteractive` persists to runtime: `ENV` bakes the value into every image layer and all descendant images. It is only needed during the `apt-get` installation steps and should not persist into the final runtime environment. Using `ARG` scopes it to the build context only.
## Decision

- Add `USER vmaf` after the final `RUN` block and before `ENTRYPOINT` in `dev/Containerfile`.
- Add `USER nonroot` before `ENTRYPOINT` in `Dockerfile.go-server`. The distroless `nonroot` user (uid 65532) is always present in `gcr.io/distroless/cc-debian12`.
- Change `ENV DEBIAN_FRONTEND=noninteractive` to `ARG DEBIAN_FRONTEND=noninteractive` in `Dockerfile`. The `ARG` value is available to all subsequent `RUN` instructions in the build stage but is not set in the final image layer.
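The three decisions above are easy to regress silently, since a later `USER root` for a package-install step or a copy-pasted `ENV` line re-introduces the finding without any build error. The following linter is an added example for this ADR, not part of the project's CI or build tooling; it parses a Containerfile into stages, follows the `FROM` chain that actually reaches the final image (because `USER` and `ENV` are inherited from a named base stage), and reports the three R8 findings. The sample Containerfiles embedded in it are constructed to mirror the before/after shapes described in this ADR, not the repository's real files. One caveat worth keeping in mind when reviewing the `ARG` change: an `ARG` value does not land in the final image's environment, but it is still recorded in the build history of the `RUN` layers that used it (visible via `docker history`), so `ARG` is a fix for environment pollution, not a place for secrets.

```python
"""Lint a Containerfile for the three ADR-1042 findings: final stage running as
root, no USER at all, and ENV DEBIAN_FRONTEND persisting into the image.
Added example for this ADR; not the project's own tooling. The sample files
below are constructed, not the repository's real Containerfiles."""
import re

ROOT_USERS = {"root", "0"}


def parse_stages(text):
    """Split a Containerfile into stages: a list of lists of (KEYWORD, argument).
    Backslash continuations are joined; comments and blank lines are dropped."""
    joined = re.sub(r"\\\r?\n", " ", text)
    stages = [[]]  # stages[0] collects global ARGs declared before the first FROM
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        keyword = keyword.upper()
        if keyword == "FROM":
            stages.append([])
        stages[-1].append((keyword, arg.strip()))
    return stages[1:]  # every real stage starts with its FROM


def _stage_name(stage):
    """`FROM [--platform=...] image AS name` -> lowercased name, else None."""
    m = re.search(r"\s+[Aa][Ss]\s+(\S+)\s*$", stage[0][1])
    return m.group(1).lower() if m else None


def _base_ref(stage):
    """Image reference of a stage's FROM, ignoring --flags such as --platform."""
    tokens = [t for t in stage[0][1].split() if not t.startswith("--")]
    return tokens[0].lower() if tokens else ""


def final_image_stages(stages):
    """Indices of the stages whose config reaches the final image: the last
    stage and, recursively, any earlier named stage it is built FROM."""
    names = {_stage_name(s): i for i, s in enumerate(stages) if _stage_name(s)}
    chain, idx = [], len(stages) - 1
    while idx is not None and idx not in chain:
        chain.append(idx)
        idx = names.get(_base_ref(stages[idx]))
    return chain


def lint(text):
    """Return a list of findings for the image the file finally produces.
    Assumes the base image runs as uid 0 when no USER is set, which holds for
    gcr.io/distroless/cc-debian12 and for Debian-based images."""
    stages = parse_stages(text)
    if not stages:
        return ["no FROM instruction found"]
    chain = final_image_stages(stages)
    findings = []

    # USER is inherited along the FROM chain, so walk from the root of the
    # chain to the final stage and keep the last USER seen.
    user = None
    for idx in reversed(chain):
        for keyword, arg in stages[idx]:
            if keyword == "USER":
                user = arg
    if user is None:
        findings.append("final stage has no USER instruction; runtime uid will be 0")
    elif user.split(":")[0] in ROOT_USERS:  # strip an optional ":group"
        findings.append(f"final stage runs as root (last USER is '{user}')")

    # ENV persists into the image config of every stage built on it; ARG does not.
    for idx in chain:
        for keyword, arg in stages[idx]:
            if keyword == "ENV" and "DEBIAN_FRONTEND" in arg:
                findings.append(f"stage {idx}: ENV DEBIAN_FRONTEND persists into the image; use ARG")
    return findings


# Constructed samples shaped like the ADR's before/after states (hypothetical content).
GO_SERVER_BEFORE = """\
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/server .

FROM gcr.io/distroless/cc-debian12
COPY --from=build /out/server /server
ENTRYPOINT ["/server"]
"""
GO_SERVER_AFTER = GO_SERVER_BEFORE.replace(
    'ENTRYPOINT ["/server"]', 'USER nonroot\nENTRYPOINT ["/server"]')

DEV_BEFORE = """\
FROM debian:12-slim
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y --no-install-recommends python3-pip \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --create-home vmaf
USER vmaf
COPY --chown=vmaf:vmaf entrypoint.sh /entrypoint.sh
USER root
RUN pip install --break-system-packages some-package
ENTRYPOINT ["/entrypoint.sh"]
"""
DEV_AFTER = (DEV_BEFORE
             .replace("ENV DEBIAN_FRONTEND", "ARG DEBIAN_FRONTEND")
             .replace('ENTRYPOINT ["/entrypoint.sh"]', 'USER vmaf\nENTRYPOINT ["/entrypoint.sh"]'))

if __name__ == "__main__":
    for name, text in [("go-server before", GO_SERVER_BEFORE), ("go-server after", GO_SERVER_AFTER),
                       ("dev before", DEV_BEFORE), ("dev after", DEV_AFTER)]:
        print(name, "->", lint(text) or "clean")
```

Running it prints one finding for each "before" file and `clean` for each "after" file; wiring `lint()` into CI as a required check is the natural way to keep the three fixes from regressing. The chain resolution matters for multi-stage files: a `USER root` set in a named builder stage that the final stage is built `FROM` is reported, because the final image inherits it.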
## Alternatives considered

- Add a new non-root user in `Dockerfile.go-server`: Unnecessary; distroless provides `nonroot` (uid 65532) for this purpose.
- Keep `ENV DEBIAN_FRONTEND`: Harmless at container runtime (no interactive apt sessions), but unnecessarily pollutes the environment of every process in the container (including the ffmpeg entrypoint).
## References

- R8 audit: `r8-containerfile-hardening` HIGH — USER root final stage
- R8 audit: `r8-containerfile-hardening` HIGH — no USER in `Dockerfile.go-server`
- R8 audit: `r8-containerfile-hardening` HIGH — ENV DEBIAN_FRONTEND
- Docker best practices: `ARG` vs `ENV` for build-time variables