Matching upstream configuration for Flux images

TL;DR: Chainguard is updating several Flux images to more closely match their comparable upstream equivalents.

What is changing?

Chainguard is updating several Flux images to more closely match their comparable upstream equivalents. The changes are limited to the image entrypoints and the default runtime user.

Entrypoint changes

The entrypoint for each image is being updated to match the upstream configuration, moving from absolute binary paths (or Chainguard-specific invocation) to the upstream entrypoint commands:

Runtime user changes

Across all of the images listed above, the default runtime UID/GID is changing: to: 65534

This matches the upstream non-root user used by the official Flux images.

Why is Chainguard making this change?

Aligning entrypoints and runtime users with upstream improves consistency, reduces behavioral differences when switching between upstream and Chainguard images, and simplifies operational expectations for users already familiar with Flux’s official images.

How will this affect me?

For the vast majority of users, there is no impact and no change in behavior.

• The images continue to run as non-root.
• Entrypoint behavior and functionality remain the same.
• Existing workloads should continue to work without modification.

The only scenario where you may notice a difference is if your workload depends on a specific UID/GID (for example, strict file ownership on mounted volumes) or if there are hard dependencies on entrypoint path. In those cases, file permission settings may need to be reviewed.

Need help or have questions?

We're here to help - visit our support portal at support.chainguard.dev.

- Chainguard Team