-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add non-root user support #4397
Merged
Merged
Changes from 38 commits
Commits
Show all changes
39 commits
Select commit
Hold shift + click to select a range
737fd53
Add 8.0 images with new non-root user
lbussell e71bc0b
Regenerate Dockerfiles
lbussell 02e6241
All new dockerfiles build now
lbussell 26c26ca
Add jammy-chiseled 8.0 runtime-deps files for new aspnet ports
lbussell fc176d8
Move aspnet sample back to net7.0
lbussell aee134e
Update environment variables for 8.0 dockerfiles
lbussell 7773de5
WIP tests
lbussell 670ec48
Try to clear tmp directory when running dotnet help
lbussell 74311e6
Clean up Dockerfiles
lbussell 452945b
Merge remote-tracking branch 'upstream/nightly' into feature/non-root…
lbussell a60cc4f
Remove commented out tests that don't run
lbussell dc8141a
Remove https port variables
lbussell 3fced5d
.NET versions < 8.0 want the --urls argument
lbussell 9130588
Address some review comments
lbussell 0d68933
Clean up ports, run fx dependent test as non-root
lbussell cfff6d4
Fix debian home creation behavior
lbussell 0ae0262
Fix aspnet sample base images
lbussell 991f949
Add equals sign back in group add command
lbussell c0b37b0
I don't know why I swapped these arguments, swap them back
lbussell ebb8aed
Correctly pass through create-home variable to non-root-user template
lbussell b2e63de
Update image size baselines
lbussell bc2dcd8
Update templates to accommodate shadow-utils in Mariner
lbussell 31aea92
Regenerate dockerfiles.
lbussell 8984b4f
Remove redundant dependency list
lbussell afe6f03
Regenerate dockerfiles
lbussell 20ea44f
Fix samples
lbussell 98b3ba7
Fix Mariner home directory and fix formatting
lbussell 26cad58
Remove --create-home from jammy and alpine
lbussell 6d493d9
put additional packages in alphabetical order and clean up some logic
lbussell 1a0fa36
Change aspnet port env var in 8.0+ monitor dockerfiles
lbussell 8d775f5
Make version checks in tests more serviceable
lbussell c5aae01
Clean up version checks in tests
lbussell 40d8c42
Look for new environment variable to be unset in monitor tests
lbussell a880a6a
Add args back
lbussell cc858da
Fix no-clean logic to only clean once in mariner 8.0
lbussell 452e753
7.0 doesn't have non-root support
lbussell c0442d4
Install shadow-utils in line with non-root user in mariner
lbussell daaa7e3
Revert to old install-deps template
lbussell 724e253
Fix indentation in install-deps template
lbussell File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
{{ | ||
_ ARGS: | ||
pkgs: list of packages to remove | ||
pkg-mgr (optional): package manager to use | ||
pkg-mgr-opts (optional): additional options to pass to the package manager | ||
noninteractive (optional): whether to use noninteractive mode | ||
no-clean (optional): skip package manager cleanup after install ^ | ||
|
||
set isAlpine to find(OS_VERSION, "alpine") >= 0 ^ | ||
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^ | ||
set isDnf to ARGS["pkg-mgr"] = "dnf" ^ | ||
set isTdnf to ARGS["pkg-mgr"] = "tdnf" || (!isDnf && isMariner) ^ | ||
set isApk to ARGS["pkg-mgr"] = "apk" || isAlpine | ||
}}{{ | ||
if isDnf:dnf remove -y{{ARGS["pkg-mgr-opts"]}} \^ | ||
elif isApk:apk del{{ARGS["pkg-mgr-opts"]}} \^ | ||
elif isTdnf:tdnf remove -y{{ARGS["pkg-mgr-opts"]}} \^ | ||
else:apt-get remove \ | ||
&&{{if ARGS["noninteractive"]: DEBIAN_FRONTEND=noninteractive}} apt-get remove -y {{ARGS["pkg-mgr-opts"]}} \}}{{ | ||
for index, pkg in ARGS["pkgs"]: | ||
{{pkg}} \}}{{if !no-clean:{{ | ||
if isTdnf: | ||
&& tdnf clean all{{ARGS["pkg-mgr-opts"]}}^ | ||
elif isDnf: | ||
&& dnf autoremove{{ARGS["pkg-mgr-opts"]}} \ | ||
&& dnf clean all{{ARGS["pkg-mgr-opts"]}}^ | ||
elif !isApk: | ||
&& apt-get autoremove \ | ||
&& rm -rf /var/lib/apt/lists/*}}}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
32 changes: 32 additions & 0 deletions
32
eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
{{ | ||
_ Configures a non-root user | ||
_ ARGS: | ||
name: Name of the user/group to create | ||
uid: ID of the user to be created | ||
gid: ID of the group to be created | ||
no-create-home (optional): Indicates whether a home directory should be created for the user ^ | ||
set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^ | ||
set isAlpine to find(OS_VERSION, "alpine") >= 0 ^ | ||
set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^ | ||
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^ | ||
set isDistrolessMariner to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+-distroless$")) ^ | ||
set utilPkgs to when(isMariner && !isDistrolessMariner && dotnetVersion != "6.0" && dotnetVersion != "7.0", ["shadow-utils"], []) | ||
}}{{if len(utilPkgs) > 0:{{InsertTemplate("../Dockerfile.linux.install-pkgs", [ | ||
"pkgs": utilPkgs, | ||
"no-clean": "true" | ||
])}} | ||
&& }}{{if isAlpine:addgroup^else:groupadd}} \ | ||
--system \ | ||
--gid={{ARGS["gid"]}} \ | ||
{{ARGS["name"]}} \ | ||
&& {{if isDebian:useradd^else:adduser}} \ | ||
--uid {{ARGS["uid"]}} \ | ||
{{if isAlpine:--ingroup={{ARGS["name"]}}^else:--gid {{ARGS["gid"]}}}} \ | ||
--shell /bin/false \{{if ARGS["no-create-home"]: | ||
--no-create-home \^elif dotnetVersion != "6.0" && dotnetVersion != "7.0" && (isMariner || isDebian): | ||
--create-home \}} | ||
--system \ | ||
{{ARGS["name"]}}{{if len(utilPkgs) > 0: \ | ||
&& {{InsertTemplate("../Dockerfile.linux.remove-pkgs", [ | ||
"pkgs": utilPkgs | ||
], " ")}}}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,5 @@ | ||
{{ | ||
_ ARGS | ||
append-cmd: Indicates whether to append the command to an existing command | ||
|
||
}}# Trigger first run experience by running arbitrary cmd | ||
{{if ARGS["append-cmd"]:&&^else:RUN}} dotnet help |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jander-msft - I know you requested this. Can you explain the need for this?
Also, should the monitor Dockerfile be configured to run as non-root by default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
.NET Monitor already runs its HTTP server at ports 52323 and 52325 by default. Either setting ASPNETCORE_HTTP_PORTS would override that behavior (which we don't want by default) or it is not observed (which would be bad to insinuate that it has some effect when it does not); I think the former would be the case if the environment variable is specified. I will very later today that this is the case.
That would be great if that could be added too. Although, if this change is only scoped to .NET 8+, then this work shouldn't be necessary because .NET Monitor is only offering distroless and chiseled images for .NET 8+, which should already be using the non-root user.