From 5c63e8deedc0dbbfbae46005ad000baeb7ce3645 Mon Sep 17 00:00:00 2001 From: Logan Bussell Date: Mon, 27 Mar 2023 14:07:12 -0700 Subject: [PATCH] Add ENV variable for app user ID (#4508) --- .../Dockerfile.common-dotnet-envs | 6 +++++- .../runtime-deps/Dockerfile | 4 +++- .../runtime-deps/Dockerfile.chiseled-ubuntu | 6 ++++-- .../runtime-deps/Dockerfile.distroless-mariner | 4 +++- .../6.0/jammy-chiseled/amd64/Dockerfile | 4 +++- .../6.0/jammy-chiseled/arm32v7/Dockerfile | 4 +++- .../6.0/jammy-chiseled/arm64v8/Dockerfile | 4 +++- .../8.0/alpine3.17/amd64/Dockerfile | 2 ++ .../8.0/alpine3.17/arm32v7/Dockerfile | 2 ++ .../8.0/alpine3.17/arm64v8/Dockerfile | 2 ++ .../8.0/bookworm-slim/amd64/Dockerfile | 2 ++ .../8.0/bookworm-slim/arm32v7/Dockerfile | 2 ++ .../8.0/bookworm-slim/arm64v8/Dockerfile | 2 ++ .../cbl-mariner2.0-distroless/amd64/Dockerfile | 2 ++ .../arm64v8/Dockerfile | 2 ++ .../8.0/cbl-mariner2.0/amd64/Dockerfile | 2 ++ .../8.0/cbl-mariner2.0/arm64v8/Dockerfile | 2 ++ .../8.0/jammy-chiseled/amd64/Dockerfile | 4 +++- .../8.0/jammy-chiseled/arm32v7/Dockerfile | 4 +++- .../8.0/jammy-chiseled/arm64v8/Dockerfile | 4 +++- src/runtime-deps/8.0/jammy/amd64/Dockerfile | 2 ++ src/runtime-deps/8.0/jammy/arm32v7/Dockerfile | 2 ++ src/runtime-deps/8.0/jammy/arm64v8/Dockerfile | 2 ++ .../CommonRuntimeImageTests.cs | 5 +++++ .../Microsoft.DotNet.Docker.Tests/ImageData.cs | 1 + .../ProductImageData.cs | 17 +++++++++++++++++ .../ProductImageTests.cs | 9 ++++++++- 27 files changed, 90 insertions(+), 12 deletions(-) diff --git a/eng/dockerfile-templates/Dockerfile.common-dotnet-envs b/eng/dockerfile-templates/Dockerfile.common-dotnet-envs index 3771ea2d30..d522b79999 100644 --- a/eng/dockerfile-templates/Dockerfile.common-dotnet-envs +++ b/eng/dockerfile-templates/Dockerfile.common-dotnet-envs 
@@ -1,4 +1,6 @@ {{ + _ ARGS: + uid (optional): ID of the non-root user ^ set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^ set isAlpine to find(OS_VERSION, "alpine") >= 0 ^ set isWindows to find(OS_VERSION, "nanoserver") >= 0 || find(OS_VERSION, "windowsservercore") >= 0 ^ @@ -6,7 +8,9 @@ set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^ set lineContinuation to when(isWindows, "`", "\") ^ set port to when(isDistroless || (dotnetVersion != "6.0" && dotnetVersion != "7.0"), "8080", "80") -}}ENV {{lineContinuation}} +}}ENV {{lineContinuation}}{{if (!isWindows && dotnetVersion != "6.0" && dotnetVersion != "7.0") || (isDistroless && !isMariner): + # UID of the non-root user 'app' + APP_UID={{ARGS["uid"]}} {{lineContinuation}}}} # Configure web servers to bind to port {{port}} when present {{if dotnetVersion = "6.0" || dotnetVersion = "7.0":ASPNETCORE_URLS=http://+:{{port}}^else:ASPNETCORE_HTTP_PORTS={{port}}}} {{lineContinuation}} {{InsertTemplate("Dockerfile.env.container")}}{{if isAlpine || (isDistroless && !(isMariner && find(OS_VERSION, "1.0") > 0)): {{lineContinuation}} diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile b/eng/dockerfile-templates/runtime-deps/Dockerfile index 12d47bff6b..cf257e344f 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile @@ -66,4 +66,6 @@ RUN {{InsertTemplate("Dockerfile.linux.non-root-user", "append-cmd": len(utilPkgs) > 0 ])}} }} -{{InsertTemplate("../Dockerfile.common-dotnet-envs")}} +{{InsertTemplate("../Dockerfile.common-dotnet-envs", [ + "uid": uid +])}} diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu b/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu index 47f84562d1..d5c9eeae21 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu 
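Review bot: In the second hunk of Dockerfile.common-dotnet-envs, `APP_UID={{ARGS["uid"]}}` is emitted whenever the version/OS condition holds, yet the header added in the first hunk documents `uid` as optional. A caller that includes this template for a non-Windows 8.0 image without passing `uid` would presumably render an empty `APP_UID=`, and the chiseled template's `USER $APP_UID` would then have nothing to resolve. The three includes updated in this patch all pass it, so this is a contract issue rather than a current bug. I would document the argument as `uid: ID of the non-root user (required for every image where APP_UID is emitted)`. The template body continues outside the hunk.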
@@ -45,6 +45,8 @@ COPY --from=builder /rootfs / # Workaround for https://github.com/moby/moby/issues/38710 COPY --from=builder --chown={{uid}}:{{gid}} /rootfs/home/{{username}} /home/{{username}} -{{InsertTemplate("../Dockerfile.common-dotnet-envs")}} +{{InsertTemplate("../Dockerfile.common-dotnet-envs", [ + "uid": uid +])}} -USER app +USER $APP_UID diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner index e823cecec9..b00d1bd195 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner @@ -65,6 +65,8 @@ COPY --from=installer {{distrolessStagingDir}}/ /{{if createUserHome: # Workaround for https://github.com/moby/moby/issues/38710 COPY --from=installer --chown={{uid}}:{{gid}} {{distrolessStagingDir}}/home/{{username}} /home/{{username}}}} -{{InsertTemplate("../Dockerfile.common-dotnet-envs")}} +{{InsertTemplate("../Dockerfile.common-dotnet-envs", [ + "uid": uid +])}} USER app diff --git a/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile b/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile index d64f807c27..f6a67abdff 100644 --- a/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile +++ b/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile @@ -46,6 +46,8 @@ COPY --from=builder /rootfs / COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_URLS=http://+:8080 \ # Enable detection of running in a container @@ -53,4 +55,4 @@ ENV \ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20) DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true -USER app +USER $APP_UID 
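Review bot: In the Dockerfile.distroless-mariner hunk, `USER app` stays name-based even though the template now passes `uid` to the env include, whereas the chiseled template in the same patch switches to `USER $APP_UID`. A numeric USER is what lets an orchestrator verify from image metadata that the container does not run as root; Kubernetes `runAsNonRoot`, for example, refuses to start an image whose USER is a name. Because `APP_UID` is not emitted for the 6.0/7.0 Mariner variants, `USER {{uid}}` looks like the form that would work for every Mariner distroless image, assuming `uid` holds the per-image value already used in the `--chown={{uid}}:{{gid}}` line above. If the named user is intentional for now, a template comment saying why would help.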
diff --git a/src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile b/src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile index 102232fa81..1720fd7047 100644 --- a/src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile +++ b/src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile @@ -46,6 +46,8 @@ COPY --from=builder /rootfs / COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_URLS=http://+:8080 \ # Enable detection of running in a container @@ -53,4 +55,4 @@ ENV \ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20) DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true -USER app +USER $APP_UID diff --git a/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile b/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile index 371a578498..f619041173 100644 --- a/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile +++ b/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile @@ -46,6 +46,8 @@ COPY --from=builder /rootfs / COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_URLS=http://+:8080 \ # Enable detection of running in a container @@ -53,4 +55,4 @@ ENV \ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20) DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true -USER app +USER $APP_UID diff --git a/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile b/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile index a90ccf2ca2..9b77a6a2b9 100644 --- a/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile +++ b/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile 
@@ -23,6 +23,8 @@ RUN addgroup \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile b/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile index bf8905c296..0112744d52 100644 --- a/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile @@ -23,6 +23,8 @@ RUN addgroup \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile b/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile index 26d3f94bb3..7be7240759 100644 --- a/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile @@ -23,6 +23,8 @@ RUN addgroup \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile index bb1f8b05dd..df0739c1f1 100644 --- a/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile +++ b/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile @@ -27,6 +27,8 @@ RUN groupadd \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile index 6d650dd4e7..3ecf1d7bb2 100644 --- a/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile 
@@ -27,6 +27,8 @@ RUN groupadd \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile index c8ff65860b..b58bc9e884 100644 --- a/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile @@ -27,6 +27,8 @@ RUN groupadd \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile index e21a1c9c7b..1e2869b571 100644 --- a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile +++ b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile @@ -65,6 +65,8 @@ COPY --from=installer /staging/ / COPY --from=installer --chown=64198:64198 /staging/home/app /home/app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile index e21a1c9c7b..1e2869b571 100644 --- a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile 
@@ -65,6 +65,8 @@ COPY --from=installer /staging/ / COPY --from=installer --chown=64198:64198 /staging/home/app /home/app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile index c53e02ee9f..0051745928 100644 --- a/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile +++ b/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile @@ -31,6 +31,8 @@ RUN tdnf install -y \ && tdnf clean all ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile index c53e02ee9f..0051745928 100644 --- a/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile @@ -31,6 +31,8 @@ RUN tdnf install -y \ && tdnf clean all ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile b/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile index f644b5b5b4..42523979dd 100644 --- a/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile +++ b/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile @@ -46,6 +46,8 @@ COPY --from=builder /rootfs / COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container 
@@ -53,4 +55,4 @@ ENV \ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20) DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true -USER app +USER $APP_UID diff --git a/src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile b/src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile index 24a8ca059c..cf76010e78 100644 --- a/src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile @@ -46,6 +46,8 @@ COPY --from=builder /rootfs / COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container @@ -53,4 +55,4 @@ ENV \ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20) DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true -USER app +USER $APP_UID diff --git a/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile b/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile index f4fcde3d09..e27d3e5144 100644 --- a/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile @@ -46,6 +46,8 @@ COPY --from=builder /rootfs / COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container @@ -53,4 +55,4 @@ ENV \ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20) DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true -USER app +USER $APP_UID diff --git a/src/runtime-deps/8.0/jammy/amd64/Dockerfile b/src/runtime-deps/8.0/jammy/amd64/Dockerfile index 83901d7255..d10a76faf3 100644 --- a/src/runtime-deps/8.0/jammy/amd64/Dockerfile 
+++ b/src/runtime-deps/8.0/jammy/amd64/Dockerfile @@ -26,6 +26,8 @@ RUN groupadd \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile b/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile index 83901d7255..d10a76faf3 100644 --- a/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile @@ -26,6 +26,8 @@ RUN groupadd \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile b/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile index 83901d7255..d10a76faf3 100644 --- a/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile @@ -26,6 +26,8 @@ RUN groupadd \ app ENV \ + # UID of the non-root user 'app' + APP_UID=64198 \ # Configure web servers to bind to port 8080 when present ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container diff --git a/tests/Microsoft.DotNet.Docker.Tests/CommonRuntimeImageTests.cs b/tests/Microsoft.DotNet.Docker.Tests/CommonRuntimeImageTests.cs index c7d43b8b98..531c23a4ab 100644 --- a/tests/Microsoft.DotNet.Docker.Tests/CommonRuntimeImageTests.cs +++ b/tests/Microsoft.DotNet.Docker.Tests/CommonRuntimeImageTests.cs 
@@ -29,6 +29,11 @@ protected void VerifyCommonEnvironmentVariables( List variables = new List(); variables.AddRange(GetCommonEnvironmentVariables()); + if (!imageData.IsWindows && imageData.Version.Major != 6 && imageData.Version.Major != 7) + { + variables.Add(new EnvironmentVariableInfo("APP_UID", imageData.NonRootUID?.ToString())); + } + if (imageData.VersionFamily.Major <= 7) { variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", $"http://+:{imageData.DefaultPort}")); diff --git a/tests/Microsoft.DotNet.Docker.Tests/ImageData.cs b/tests/Microsoft.DotNet.Docker.Tests/ImageData.cs index d8c936ae6f..ca898752af 100644 --- a/tests/Microsoft.DotNet.Docker.Tests/ImageData.cs +++ b/tests/Microsoft.DotNet.Docker.Tests/ImageData.cs @@ -23,6 +23,7 @@ public abstract class ImageData public string OS { get; set; } public bool IsDistroless => OS.Contains("distroless") || OS.Contains("chiseled"); public virtual int DefaultPort => IsDistroless ? 8080 : 80; + public virtual int? NonRootUID => IsWindows ? null : 64198; private static readonly Lazy s_imageInfoData; diff --git a/tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs b/tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs index 12fade46cb..3cf482fc4c 100644 --- a/tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs +++ b/tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs @@ -55,6 +55,23 @@ public ImageVersion VersionFamily public override int DefaultPort => (IsDistroless | Version.Major >= 8) ? 8080 : 80; + public override int? NonRootUID { + get { + if (OS == Tests.OS.Mariner10Distroless) + { + return 1000; + } + else if (OS == Tests.OS.Mariner20Distroless && (Version.Major == 6 || Version.Major == 7)) + { + return 101; + } + else + { + return base.NonRootUID; + } + } + } + public string GetDockerfilePath(DotNetImageType imageType) => $"src/{GetVariantName(imageType)}/{Version}/{OSTag}/{GetArchLabel()}"; 
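Review bot: The guard on the new `APP_UID` expectation in VerifyCommonEnvironmentVariables does not mirror the template condition. Dockerfile.common-dotnet-envs also emits `APP_UID` for 6.0/7.0 distroless non-Mariner images, and the 6.0 jammy-chiseled Dockerfiles in this patch gain `APP_UID=64198`, but this `if` skips majors 6 and 7 entirely. Whether that leaves the 6.0 chiseled value unchecked or fails the test depends on how unlisted variables are treated, which is outside the hunk. I would align it with `if (!imageData.IsWindows && ((imageData.Version.Major != 6 && imageData.Version.Major != 7) || (imageData.IsDistroless && !imageData.OS.Contains("cbl-mariner"))))`. The check also reads `Version.Major` while the statement right after it uses `VersionFamily.Major`; pick one.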
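Review bot: The `1000` and `101` returned by the new `NonRootUID` override in ProductImageData.cs are unexplained literals, and nothing here says which image definitions they must stay in sync with. Each branch should carry a short comment naming its source, for example `// Mariner 1.0 distroless defines its non-root user with UID 1000` and `// Mariner 2.0 distroless 6.0/7.0 images keep UID 101`; the wording needs confirming against the Mariner Dockerfiles, which are not part of this patch. On style, the property opens its braces on the declaration line (`NonRootUID {`, `get {`) while the `if` blocks inside put them on their own lines. Matching the file's brace placement would keep it consistent.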
diff --git a/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs b/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs index a306b24a03..fcc30e3a06 100644 --- a/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs +++ b/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs @@ -103,7 +103,14 @@ protected void VerifyCommonDefaultUser(ProductImageData imageData) string expectedUser; if (imageData.IsDistroless && ImageType != DotNetImageType.SDK) { - expectedUser = "app"; + if (imageData.OS.Contains("cbl-mariner")) + { + expectedUser = "app"; + } + else + { + expectedUser = imageData.NonRootUID.ToString(); + } } // For Windows, only Nano Server defines a user, which seems wrong. // I've logged https://dev.azure.com/microsoft/OS/_workitems/edit/40146885 for this.
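Review bot: `imageData.NonRootUID.ToString()` in the new `else` branch is called on an `int?`, so a null UID would produce an empty `expectedUser` and a confusing mismatch instead of a clear failure. In CommonRuntimeImageTests.cs the same property is read with `?.ToString()`, so the two call sites already disagree about nullability. I would make the assumption explicit with `expectedUser = imageData.NonRootUID.Value.ToString();`, or assert that it is non-null first. The Mariner check is also a substring match, `imageData.OS.Contains("cbl-mariner")`, whereas ProductImageData.cs in this patch compares against the `Tests.OS.Mariner10Distroless` and `Mariner20Distroless` constants; using the constants here would keep the two from drifting. VerifyCommonDefaultUser continues outside the hunk.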