SLE BCI Documentation

Adding Users to SLE BCI Micro and Minimal

This guide will demonstrate how to add users to the SLE BCI Micro and SLE BCI Minimal images, without having the useradd binary installed.

Background

The SLE BCI Micro and Minimal images are tailored towards providing a small footprint and thus do not ship the useradd binary. While this reduces the image size, creating new users inside containers based on BCI Micro or Minimal involves a few additional steps.

Switch to using the BusyBox SLE BCI

SLE BCI Minimal and SLE BCI Micro are lightweight deployment images without a package manager and tailored for specific use cases. If you do not require a package manager in your final image and additionally:

  1. you do not need rpm

  2. your application runs with POSIX sh and does not require Bash

then consider using the SLE BCI BusyBox image instead. It is even smaller than SLE BCI Micro and ships BusyBox's adduser applet, its counterpart to useradd. Adding a new user in BusyBox is straightforward:

FROM registry.suse.com/bci/bci-busybox:15.4
ARG user

# add -H if /home/$user shall not be created
RUN adduser -D "$user"

USER $user

This container can be built using your favorite container runtime as follows:

docker build --build-arg user=rancher .
buildah bud --layers --build-arg user=rancher .
nerdctl build --build-arg user=rancher .

Using the Base Container to create the User Account

We can utilize a multistage build to create the user in a container that provides the useradd binary and then copy all necessary files into SLE BCI Micro or SLE BCI Minimal. This is achieved using the following Dockerfile:

FROM registry.suse.com/bci/bci-base:15.4 AS useradder
ARG user
# omit -m if you don't want /home/$user to be created
RUN useradd -m "$user"


FROM registry.suse.com/bci/bci-micro:15.4
ARG user

COPY --from=useradder /etc/passwd /etc/passwd
COPY --from=useradder /etc/group /etc/group
COPY --from=useradder /etc/shadow /etc/shadow

# subgid & subuid are rarely necessary in containers
# COPY --from=useradder /etc/subgid /etc/subgid
# COPY --from=useradder /etc/subuid /etc/subuid

# some applications will send your user emails, in case yours does that,
# uncomment the following line
# COPY --from=useradder /var/spool/mail/$user /var/spool/mail/$user

# only include this if you kept the -m flag to useradd
COPY --from=useradder /home/$user /home/$user

USER $user

# remaining build / copy instructions go here

Build your container image with your favorite container runtime, passing the --build-arg parameter as shown in the section "Switch to using the BusyBox SLE BCI".
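
The multistage build above copies /etc/passwd, /etc/group and /etc/shadow as whole files, so it is worth checking that the resulting account is consistent across all three, is not UID 0 and has a locked password. The following check is an added example, not part of the SUSE documentation; the function names check_user, field and make_sample_root are hypothetical, and the account files it runs against are constructed sample data.

```sh
#!/bin/sh
# Added example: validate the account files that the multistage build copies.

# field FILE NAME N: print field N of the line in FILE whose first field is NAME.
field() {
    awk -F: -v n="$2" -v f="$3" '$1 == n { print $f; found = 1 } END { exit !found }' "$1"
}

# check_user USER ROOT: return 0 if USER has matching entries in
# ROOT/etc/{passwd,group,shadow}, is not UID 0 and has a locked password.
check_user() {
    uid=$(field "$2/etc/passwd" "$1" 3) || { echo "$1: no passwd entry"; return 1; }
    gid=$(field "$2/etc/passwd" "$1" 4)
    [ "$uid" -ne 0 ] || { echo "$1: UID is 0 or not numeric"; return 1; }
    awk -F: -v g="$gid" '$3 == g { ok = 1 } END { exit !ok }' "$2/etc/group" ||
        { echo "$1: primary GID $gid not in group"; return 1; }
    pw=$(field "$2/etc/shadow" "$1" 2) || { echo "$1: no shadow entry"; return 1; }
    case $pw in
        '!'*|'*'*) echo "$1: ok (uid=$uid gid=$gid)" ;;
        *) echo "$1: password field is not locked"; return 1 ;;
    esac
}

# make_sample_root: write constructed account files to a temp dir, print its path.
make_sample_root() {
    d=$(mktemp -d) && mkdir "$d/etc" || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'rancher:x:1000:100::/home/rancher:/bin/bash' \
        'svc:x:1001:1001::/home/svc:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' 'root:x:0:' 'users:x:100:' > "$d/etc/group"
    printf '%s\n' 'root:*:19000::::::' 'rancher:!:19000:0:99999:7:::' > "$d/etc/shadow"
    echo "$d"
}

# Demo on the constructed files: rancher passes, svc fails (GID 1001 has no group entry).
root=$(make_sample_root)
check_user rancher "$root"
check_user svc "$root" || true
rm -rf "$root"
```

To check a real build, point the second argument at a directory holding the image's extracted root filesystem. The same check applies to images built with the BusyBox approaches.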

Using BusyBox to create the User Account

We can leverage the adduser implementation from BusyBox to create new users in SLE BCI Minimal, by installing BusyBox inside the Minimal image and then executing its adduser. This will not work in the Micro image as it lacks rpm to install BusyBox.

This approach will leave two rpm files inside a layer of your final container image, thereby making it slightly bigger than necessary. Consider squashing the layers to remove this overhead.

We utilize the SLE BCI Base container once again to download the rpms of BusyBox and libsepol1 (a dependency of BusyBox), copy both rpms into the Minimal image, add the user and remove both packages afterwards:

FROM registry.suse.com/bci/bci-base:15.4 AS downloader
RUN zypper download busybox libsepol1

FROM registry.suse.com/bci/bci-minimal:15.4
ARG user
ARG arch=x86_64

COPY --from=downloader /var/cache/zypp/packages/SLE_BCI/$arch/*rpm /tmp/

RUN rpm -i /tmp/libsepol1*rpm && rpm -i /tmp/busybox*rpm && \
    busybox adduser -D "$user" && \
    rpm -e busybox && rpm -e libsepol1 && rm -rf /tmp/*rpm

USER $user

Building this container image requires the additional build argument arch when building on non-x86_64 systems. We also squash the layers if the container runtime supports it. Currently, nerdctl does not support squashing, and Docker must be launched with experimental features enabled.

docker build --build-arg user=rancher \
             --build-arg arch=$(uname -m) \
             --squash .
buildah bud --build-arg user=rancher \
            --build-arg arch=$(uname -m) \
            --squash .
nerdctl build --build-arg user=rancher \
              --build-arg arch=$(uname -m) .