From 2e5b7dcfb30f1aed4c60f15f4989c4a4af578632 Mon Sep 17 00:00:00 2001
From: Logan Bussell
Date: Tue, 21 Mar 2023 18:53:25 -0700
Subject: [PATCH] Don't change USER instruction in CBL Mariner distroless
---
 .../runtime-deps/Dockerfile.distroless-mariner | 2 +-
 .../6.0/cbl-mariner1.0-distroless/amd64/Dockerfile | 2 +-
 .../6.0/cbl-mariner2.0-distroless/amd64/Dockerfile | 2 +-
 .../6.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile | 2 +-
 .../7.0/cbl-mariner2.0-distroless/amd64/Dockerfile | 2 +-
 .../7.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile | 2 +-
 .../8.0/cbl-mariner2.0-distroless/amd64/Dockerfile | 2 +-
 .../8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile | 2 +-
 tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs | 9 ++++++++-
 9 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner
index ab138e56e3..b00d1bd195 100644
--- a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner
+++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner
@@ -69,4 +69,4 @@ COPY --from=installer --chown={{uid}}:{{gid}} {{distrolessStagingDir}}/home/{{us
 "uid": uid
 ])}}

-USER $APP_UID
+USER app
diff --git a/src/runtime-deps/6.0/cbl-mariner1.0-distroless/amd64/Dockerfile b/src/runtime-deps/6.0/cbl-mariner1.0-distroless/amd64/Dockerfile
index d586f00501..208e6d216e 100644
--- a/src/runtime-deps/6.0/cbl-mariner1.0-distroless/amd64/Dockerfile
+++ b/src/runtime-deps/6.0/cbl-mariner1.0-distroless/amd64/Dockerfile
@@ -57,4 +57,4 @@ ENV \
 # Enable detection of running in a container
 DOTNET_RUNNING_IN_CONTAINER=true

-USER $APP_UID
+USER app
diff --git a/src/runtime-deps/6.0/cbl-mariner2.0-distroless/amd64/Dockerfile b/src/runtime-deps/6.0/cbl-mariner2.0-distroless/amd64/Dockerfile
index d2888316cf..8cd457ff8e 100644
--- a/src/runtime-deps/6.0/cbl-mariner2.0-distroless/amd64/Dockerfile
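Review bot: `USER app` in eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner leaves the image with a non-numeric default user, and the template carries no comment saying why Mariner distroless keeps the name instead of the `$APP_UID` form it replaces. The container still runs as non-root, but Kubernetes cannot verify `runAsNonRoot: true` against a user name and will not start the container unless the pod also sets a numeric `runAsUser`. I would add a comment above the instruction, for example `# Keep the named user so existing Mariner distroless behaviour is unchanged; set runAsUser to the numeric UID where runAsNonRoot is enforced`. The Dockerfiles under src/runtime-deps in the hunks that follow repeat the same line and are presumably generated from this template, so the comment only needs to be written here.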
+++ b/src/runtime-deps/6.0/cbl-mariner2.0-distroless/amd64/Dockerfile
@@ -68,4 +68,4 @@ ENV \
 # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

-USER $APP_UID
+USER app
diff --git a/src/runtime-deps/6.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile b/src/runtime-deps/6.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
index d2888316cf..8cd457ff8e 100644
--- a/src/runtime-deps/6.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
+++ b/src/runtime-deps/6.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
@@ -68,4 +68,4 @@ ENV \
 # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

-USER $APP_UID
+USER app
diff --git a/src/runtime-deps/7.0/cbl-mariner2.0-distroless/amd64/Dockerfile b/src/runtime-deps/7.0/cbl-mariner2.0-distroless/amd64/Dockerfile
index 5d5f409476..25bd212a02 100644
--- a/src/runtime-deps/7.0/cbl-mariner2.0-distroless/amd64/Dockerfile
+++ b/src/runtime-deps/7.0/cbl-mariner2.0-distroless/amd64/Dockerfile
@@ -71,4 +71,4 @@ ENV \
 # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

-USER $APP_UID
+USER app
diff --git a/src/runtime-deps/7.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile b/src/runtime-deps/7.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
index 5d5f409476..25bd212a02 100644
--- a/src/runtime-deps/7.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
+++ b/src/runtime-deps/7.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
@@ -71,4 +71,4 @@ ENV \
 # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

-USER $APP_UID
+USER app
diff --git a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile
index 9c2db2e19b..1e2869b571 100644
--- a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile
+++ b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile
@@ -74,4 +74,4 @@ ENV \
 # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

-USER $APP_UID
+USER app
diff --git a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
index 9c2db2e19b..1e2869b571 100644
--- a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
+++ b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
@@ -74,4 +74,4 @@ ENV \
 # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
 DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

-USER $APP_UID
+USER app
diff --git a/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs b/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs
index a306b24a03..fcc30e3a06 100644
--- a/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs
+++ b/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs
@@ -103,7 +103,14 @@ protected void VerifyCommonDefaultUser(ProductImageData imageData)
 string expectedUser;
 if (imageData.IsDistroless && ImageType != DotNetImageType.SDK)
 {
- expectedUser = "app";
+ if (imageData.OS.Contains("cbl-mariner"))
+ {
+ expectedUser = "app";
+ }
+ else
+ {
+ expectedUser = imageData.NonRootUID.ToString();
+ }
 }
 // For Windows, only Nano Server defines a user, which seems wrong.
 // I've logged https://dev.azure.com/microsoft/OS/_workitems/edit/40146885 for this.
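Review bot: The new branch in VerifyCommonDefaultUser has no comment explaining why CBL Mariner distroless images expect the user name `app` while every other distroless image expects the numeric UID, so a later reader cannot tell that the special case is deliberate. I would add `// CBL Mariner distroless keeps USER app; other distroless images set USER to the numeric UID` above the check, and the eight added lines could be the single assignment `expectedUser = imageData.OS.Contains("cbl-mariner") ? "app" : imageData.NonRootUID.ToString();`. The type of `NonRootUID` is not visible in this hunk; if it is a nullable value type, `ToString()` on an unset value returns an empty string and the test would then expect an empty default user, so asserting that it has a value first may be worthwhile. The method body starts and ends outside the hunk.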