Use higher number UID (#4476)
lbussell committed Mar 9, 2023
1 parent ed49261 commit 57bc6d1
Showing 23 changed files with 112 additions and 74 deletions.
2 changes: 1 addition & 1 deletion eng/dockerfile-templates/runtime-deps/Dockerfile
Expand Up @@ -22,7 +22,7 @@
set rpmFilename to "dotnet-runtime-deps.rpm" ^
set utilPkgs to when(isMariner && dotnetVersion != "6.0" && dotnetVersion != "7.0", ["shadow-utils"], []) ^
set username to "app" ^
set uid to 101 ^
set uid to 64198 ^
set gid to uid
}}{{
if !isSingleStage:# Installer image
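Review bot: The new value in `set uid to 64198 ^` is an unexplained magic number; nothing next to it records why this ID was chosen or which ranges it is meant to avoid. On the Debian-based images that appear to be generated from this template (the bookworm-slim and jammy sections further down pass it to `groupadd --gid=64198` and `useradd`/`adduser --uid 64198`), 64198 falls inside the 60000–64999 block that, as I read Debian Policy's UID and GID classes, is set aside for IDs allocated globally by the distribution. The accounts are also still created with `--system` although the ID is far above the usual system range, so both points are worth confirming against each base image's `/etc/login.defs`. I would add a template comment above the assignment along the lines of `uid 64198: <reason this value was chosen>; must not collide with IDs the base images already assign`. The surrounding `{{ ... }}` block starts above the hunk.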
Expand Up @@ -2,7 +2,7 @@
set osVersionBase to match(OS_VERSION, ".+(?=.*-)")[0] ^
set osVersionNumber to split(OS_ARCH_HYPHENATED, "-")[1] ^
set username to "app" ^
set uid to 101 ^
set uid to 64198 ^
set gid to uid
}}FROM {{ARCH_VERSIONED}}/golang:1.18 as chisel
RUN git clone --depth 1 -b main https://github.com/canonical/chisel /opt/chisel
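Review bot: `RUN git clone --depth 1 -b main https://github.com/canonical/chisel /opt/chisel` builds the chisel tool from whatever the upstream `main` branch points to at build time, so the root filesystem that later receives the `app` account with this UID is not reproducible and depends on upstream commits nobody here has reviewed. Pinning the clone to a release tag or commit would close that gap, e.g. `RUN git clone https://github.com/canonical/chisel /opt/chisel && git -C /opt/chisel checkout <PINNED_COMMIT_SHA>`, with the SHA supplied by the template. The floating `golang:1.18` tag on the `FROM` line could likewise carry a digest. Both lines are unchanged context in this hunk, and the stage continues below it.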
Expand Up @@ -4,7 +4,11 @@
set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
set baseImage to cat(marinerRepo, "/distroless/minimal:", OS_VERSION_NUMBER) ^
set username to "app" ^
set uid to when(find(OS_VERSION, "1.0") >= 0, 1000, 101) ^
set uid to when(dotnetVersion = "6.0" || dotnetVersion = "7.0",
when(find(OS_VERSION, "1.0") >= 0,
1000,
101),
64198) ^
set gid to uid ^
set createUserHome to dotnetVersion != "6.0"
}}# Installer image
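Review bot: The nested `when(...)` that keeps 1000 or 101 for .NET 6.0 and 7.0 and uses 64198 otherwise has no comment saying the older values are retained for compatibility, and the other two templates in this commit do not make the same distinction: they `set uid to 64198` unconditionally. The effect is visible in the `src/runtime-deps/6.0/jammy-chiseled/*` sections, where `--chown=101:101` becomes `--chown=64198:64198`, so volumes or `runAsUser` settings prepared for UID 101 would stop matching after an image update. If the 6.0 chiseled images are already consumed, I would gate the value the same way there. In either case, a short comment above this expression naming which versions keep which ID, and why, would make the intent reviewable. The enclosing template block begins above the hunk.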
10 changes: 5 additions & 5 deletions src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile
Expand Up @@ -12,15 +12,15 @@ RUN apt-get update && \

RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--shell /bin/false \
--system \
app \
&& install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \
&& install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \
&& mkdir -p "/rootfs/etc" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
Expand All @@ -43,7 +43,7 @@ FROM scratch
COPY --from=builder /rootfs /

# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown=101:101 /rootfs/home/app /home/app
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# Configure web servers to bind to port 8080 when present
10 changes: 5 additions & 5 deletions src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile
Expand Up @@ -12,15 +12,15 @@ RUN apt-get update && \

RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--shell /bin/false \
--system \
app \
&& install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \
&& install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \
&& mkdir -p "/rootfs/etc" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
Expand All @@ -43,7 +43,7 @@ FROM scratch
COPY --from=builder /rootfs /

# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown=101:101 /rootfs/home/app /home/app
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# Configure web servers to bind to port 8080 when present
10 changes: 5 additions & 5 deletions src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile
Expand Up @@ -12,15 +12,15 @@ RUN apt-get update && \

RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--shell /bin/false \
--system \
app \
&& install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \
&& install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \
&& mkdir -p "/rootfs/etc" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
Expand All @@ -43,7 +43,7 @@ FROM scratch
COPY --from=builder /rootfs /

# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown=101:101 /rootfs/home/app /home/app
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# Configure web servers to bind to port 8080 when present
4 changes: 2 additions & 2 deletions src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile
Expand Up @@ -14,10 +14,10 @@ RUN apk add --no-cache \
# Create a non-root user and group
RUN addgroup \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--uid 64198 \
--ingroup=app \
--system \
app
4 changes: 2 additions & 2 deletions src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile
Expand Up @@ -14,10 +14,10 @@ RUN apk add --no-cache \
# Create a non-root user and group
RUN addgroup \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--uid 64198 \
--ingroup=app \
--system \
app
4 changes: 2 additions & 2 deletions src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile
Expand Up @@ -14,10 +14,10 @@ RUN apk add --no-cache \
# Create a non-root user and group
RUN addgroup \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--uid 64198 \
--ingroup=app \
--system \
app
6 changes: 3 additions & 3 deletions src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile
Expand Up @@ -17,11 +17,11 @@ RUN apt-get update \
# Create a non-root user and group
RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& useradd \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--create-home \
--system \
app
6 changes: 3 additions & 3 deletions src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile
Expand Up @@ -17,11 +17,11 @@ RUN apt-get update \
# Create a non-root user and group
RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& useradd \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--create-home \
--system \
app
6 changes: 3 additions & 3 deletions src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile
Expand Up @@ -17,11 +17,11 @@ RUN apt-get update \
# Create a non-root user and group
RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& useradd \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--create-home \
--system \
app
10 changes: 5 additions & 5 deletions src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile
Expand Up @@ -32,16 +32,16 @@ RUN tmpManifestPath="/tmp/rpmmanifest" \
# Create a non-root user and group
RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--shell /bin/false \
--create-home \
--system \
app \
&& install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
&& install -d -m 0755 -o 64198 -g 64198 "/staging/home/app" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
Expand All @@ -62,7 +62,7 @@ FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0
COPY --from=installer /staging/ /

# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=installer --chown=101:101 /staging/home/app /home/app
COPY --from=installer --chown=64198:64198 /staging/home/app /home/app

ENV \
# Configure web servers to bind to port 8080 when present
Expand Up @@ -32,16 +32,16 @@ RUN tmpManifestPath="/tmp/rpmmanifest" \
# Create a non-root user and group
RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--shell /bin/false \
--create-home \
--system \
app \
&& install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
&& install -d -m 0755 -o 64198 -g 64198 "/staging/home/app" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
Expand All @@ -62,7 +62,7 @@ FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0
COPY --from=installer /staging/ /

# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=installer --chown=101:101 /staging/home/app /home/app
COPY --from=installer --chown=64198:64198 /staging/home/app /home/app

ENV \
# Configure web servers to bind to port 8080 when present
6 changes: 3 additions & 3 deletions src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile
Expand Up @@ -18,11 +18,11 @@ RUN tdnf install -y \
shadow-utils \
&& groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--create-home \
--system \
app \
6 changes: 3 additions & 3 deletions src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile
Expand Up @@ -18,11 +18,11 @@ RUN tdnf install -y \
shadow-utils \
&& groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--create-home \
--system \
app \
10 changes: 5 additions & 5 deletions src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile
Expand Up @@ -12,15 +12,15 @@ RUN apt-get update && \

RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--shell /bin/false \
--system \
app \
&& install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \
&& install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \
&& mkdir -p "/rootfs/etc" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
Expand All @@ -43,7 +43,7 @@ FROM scratch
COPY --from=builder /rootfs /

# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown=101:101 /rootfs/home/app /home/app
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# Configure web servers to bind to port 8080 when present
10 changes: 5 additions & 5 deletions src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile
Expand Up @@ -12,15 +12,15 @@ RUN apt-get update && \

RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--shell /bin/false \
--system \
app \
&& install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \
&& install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \
&& mkdir -p "/rootfs/etc" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
Expand All @@ -43,7 +43,7 @@ FROM scratch
COPY --from=builder /rootfs /

# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown=101:101 /rootfs/home/app /home/app
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# Configure web servers to bind to port 8080 when present
10 changes: 5 additions & 5 deletions src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile
Expand Up @@ -12,15 +12,15 @@ RUN apt-get update && \

RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--shell /bin/false \
--system \
app \
&& install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \
&& install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \
&& mkdir -p "/rootfs/etc" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \
Expand All @@ -43,7 +43,7 @@ FROM scratch
COPY --from=builder /rootfs /

# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown=101:101 /rootfs/home/app /home/app
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# Configure web servers to bind to port 8080 when present
6 changes: 3 additions & 3 deletions src/runtime-deps/8.0/jammy/amd64/Dockerfile
Expand Up @@ -17,11 +17,11 @@ RUN apt-get update \
# Create a non-root user and group
RUN groupadd \
--system \
--gid=101 \
--gid=64198 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--uid 64198 \
--gid 64198 \
--system \
app
