Description
In our distroless Dockerfiles, we create a non-root user in order to have things run without root privileges by default. When this was first defined, it was thought that a home directory for this user was unnecessary.
But there are some usability issues with not having a home directory. Some Linux tools, and perhaps the .NET application code itself, may expect that a home directory exists for the user.
For example, the docker CLI has functionality which will attempt to write to the $HOME/.docker/config.json path. When it attempts to create the /home/app directory in a .NET distroless container, it gets the following error: Error saving credentials: mkdir /home/app: permission denied.
As a result of not having this home directory by default, developers wishing to have one must resort to configuring it in their own Dockerfile which is made even more complicated by the fact that you can't create the directory directly in the distroless stage (due to no shell). By having a multi-stage Dockerfile with a staging directory, the workaround would look like this:
```dockerfile
RUN homeDir="/staging/home/app" \
    && mkdir -p $homeDir \
    && chown -R app $homeDir
```
This issue proposes that the distroless Dockerfiles should be configured to create a home directory for the non-root user.
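For context, a complete multi-stage Dockerfile built around the workaround above. This is an added example, not part of the original issue or the project's own Dockerfiles; the image tags, stage names, publish path and `MyApp.dll` are assumptions, and it assumes the `app` user has the same UID in the staging and final images.

```dockerfile
# Added example. Image tags, stage names, /out and MyApp.dll are assumptions.

# Build stage: full SDK image, used only to publish the application.
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY . .
RUN dotnet publish -c Release -o /out

# Staging stage: this image has a shell, so the home directory can be
# created and chowned here. Assumes the `app` user exists in this image.
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS staging
RUN homeDir="/staging/home/app" \
    && mkdir -p "$homeDir" \
    && chown -R app "$homeDir" \
    # Tools such as the docker CLI store credentials under $HOME,
    # so keep the directory private to its owner.
    && chmod 0700 "$homeDir"

# Final distroless stage: no shell, so RUN is unavailable and only COPY works.
FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled
# Ownership and mode set in the staging stage carry over with COPY --from.
COPY --from=staging /staging/home/app /home/app
COPY --from=build /out /app
WORKDIR /app
# Stay non-root; the process can now write to /home/app without root.
USER app
ENTRYPOINT ["dotnet", "MyApp.dll"]
```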