dotnet / sdk-container-builds

Libraries and build tooling to create container images from .NET projects using MSBuild

Home Page: https://learn.microsoft.com/en-us/dotnet/core/docker/publish-as-container

User defined in base container image overridden for root

ggirard07 opened this issue · comments

I have a dotnet 6 project published from a base image configured to create and use a non-root user (while waiting for dotnet 8).
It looks like the layer created by the sdk publish command also resets the USER back to root instead of whatever is defined in the base image.
My understanding from the current doc is that it should not do so (as my project targets dotnet 6).

Hi @ggirard07 - do you have a sample https://aka.ms/binlog that I could take a look at to see what's going on? Or a sample repro I could build myself?

Thanks, I'll take a look now!

Ok, good news! I think in 8.0.100 RC1 this is fixed. I'm running an RC1 nightly and when I run your instructions from that repo I get non-root user ids (note that the tag used is latest in RC1, not 1.0.0):

>dotnet publish .\ImageKeepRoot\ImageKeepRoot.csproj --configuration Release --os linux --arch x64 --property:PublishProfile=DefaultContainer -bl
MSBuild version 17.7.0+5785ed5c2 for .NET
  Determining projects to restore...
  Restored D:\Code\Scratch\dotnet_sdk-container-builds_496\ImageKeepRoot\ImageKeepRoot.csproj (in 3.57 sec).
C:\Program Files\dotnet\sdk\8.0.100-rc.1.23417.5\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.RuntimeIdentifierInferenc
e.targets(311,5): message NETSDK1057: You are using a preview version of .NET. See: https://aka.ms/dotnet-support-polic
y [D:\Code\Scratch\dotnet_sdk-container-builds_496\ImageKeepRoot\ImageKeepRoot.csproj]
  ImageKeepRoot -> D:\Code\Scratch\dotnet_sdk-container-builds_496\ImageKeepRoot\bin\Release\net6.0\linux-x64\ImageKeep
  Root.dll
  ImageKeepRoot -> D:\Code\Scratch\dotnet_sdk-container-builds_496\ImageKeepRoot\bin\Release\net6.0\linux-x64\publish\
  Building image 'imageshouldnotberoot-latest' with tags latest on top of base image localhost:5000/mybaseimage:latest
  Pushed image 'imageshouldnotberoot-latest:latest' to local registry
> docker run --rm -it --entrypoint /bin/bash imageshouldnotberoot-latest:latest
app@ab41fbb7d034:/app$ id
uid=1654(app) gid=1654(app) groups=1654(app)

This was fixed by dotnet/sdk#32594.

Closing as we fixed this for RC2.
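A regression check for the behaviour discussed in this thread, as an added example that is not part of the original issue or the project's code: it compares the `Config.User` field of a base image and of the published image, as reported by `docker image inspect`, and fails when a non-root base user has been reset to root. The sample JSON strings and the function names are constructed for illustration.

```python
import json

# Constructed samples shaped like `docker image inspect <image>` output
# (a JSON array whose entries carry Config.User). Values are illustrative.
BASE_INSPECT = '[{"Config": {"User": "app"}}]'
REGRESSED_INSPECT = '[{"Config": {"User": ""}}]'
FIXED_INSPECT = '[{"Config": {"User": "1654"}}]'


def configured_user(inspect_json):
    """Return the Config.User string from `docker image inspect` JSON."""
    doc = json.loads(inspect_json)
    entry = doc[0] if isinstance(doc, list) else doc
    return ((entry.get("Config") or {}).get("User") or "").strip()


def runs_as_root(user):
    """True when a Config.User value resolves to root.

    An empty value means the runtime default, which is root. The field may be
    "user", "uid", "user:group" or "uid:gid"; only the user part decides.
    A non-root name mapped to uid 0 in /etc/passwd cannot be seen from here.
    """
    name = user.split(":", 1)[0].strip()
    return name in ("", "root") or (name.isdigit() and int(name) == 0)


def check_user_preserved(base_json, published_json):
    """Compare base and published images; return (ok, message)."""
    base, published = configured_user(base_json), configured_user(published_json)
    if runs_as_root(base):
        return True, f"base image already runs as root ({base!r}); nothing to preserve"
    if runs_as_root(published):
        return False, f"published image runs as root ({published!r}) but base sets {base!r}"
    return True, f"published image keeps a non-root user ({published!r}); base sets {base!r}"


if __name__ == "__main__":
    for label, sample in (("regressed", REGRESSED_INSPECT), ("fixed", FIXED_INSPECT)):
        ok, msg = check_user_preserved(BASE_INSPECT, sample)
        print(f"{label}: {'PASS' if ok else 'FAIL'} - {msg}")
```

In a pipeline, the two inputs would be the captured output of `docker image inspect` for the base image and for the image produced by `dotnet publish`.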