I'm building/deploying go/golang micro-services on images FROM scratch.
Is it possible to specify non-privileged execution on an image built this way -- there are only two files on the image–the go executable and a root certificate file–so there doesn't seem to be any concept of privilege within the container.
I also use read-only containers and --selinux-enabled=true --icc=false --iptables=true, but would feel more warm and fuzzy if I knew that the executable was running as a "common" non-privileged user.
You don't seem to have any choice in the user (root) running the CMD inside a container launched from an image built "FROM scratch".
But by definition of a container, that user can only influence its own (disk, memory, resources) space, not the host. So it should not matter.
The only other alternative would be to define a container from scratch only for declaring a volume container, that you would use in a full-fledged image able to run with a non-root user.
See "Running as a non-root inside a container"
$ echo 'FROM scratch
ADD data.tar /
VOLUME ["/data"]' > Dockerfile
$ docker build -t minimal .
$ docker create --name minimal minimal :
The container that mounts this minimal volume container needs to create the user with id 1000:
$ docker run --rm --volumes-from minimal -it debian:jessie /bin/bash -c 'useradd postgres && ls -l /data'
That is not what you need (since the Go program does not need any dynamic libraries, and can run solely on system calls). But that illustrates how a non-root user can use a "FROM scratch" container (here as a volume)