Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default .NET 8 container images to use the app user #373

Closed
baronfel opened this issue Mar 1, 2023 · 6 comments · Fixed by #393
Closed

Default .NET 8 container images to use the app user #373

baronfel opened this issue Mar 1, 2023 · 6 comments · Fixed by #393
Labels
Area: Inference Changes to base image inference
Milestone
8.0.100

Comments

@baronfel
Copy link
Member

baronfel commented Mar 1, 2023
edited
Loading

Requires #115 and #198.

For .NET 8 Containers Microsoft provides a non-root user named app. We should default folks into running rootless, so we should set ContainerUser according to the following decision tree.

  • the ContainerBaseImage is dotnet/runtime-deps, dotnet/runtime, or dotnet/aspnet and
  • the ContainerImageTags contains any 8.0 tag (including previews and/or rc tags) then
  • if the ContainerRuntimeIdentifier is a Windows RID then use ContainerUser, else if the ContainerRuntimeIdentifier is a Linux RID then use app, otherwise
  • do not set the ContainerUser
@baronfel baronfel added the Area: Inference Changes to base image inference label Mar 1, 2023
@baronfel baronfel modified the milestones: 7.0.300, 8.0.100 Mar 1, 2023
@richlander
Copy link
Member

I'm not sure if sdk-container-builds supports Windows. For Windows, we are not adding app but plan to rely on ContainerUser, which already exists there. We could infer that, or the user would write <ContainerUser>ContainerUser</ContainerUser>. Fun!

@baronfel
Copy link
Member Author

baronfel commented Mar 1, 2023

We do not currently due to but hopefully will thanks to #343, so we should be forward-looking here as well. Updated the OP with the Windows User and scenario.

@baronfel
Copy link
Member Author

Per dotnet/dotnet-docker#4451 (comment), we should bias towards using the user id instead of the user name for our home-grown users (and probably also document that some engines like Kubernetes work better with ids), and so we should use 64198 instead of app in our targets. We should put a comment alongside so that the reason for the value isn't lost.

@richlander
Copy link
Member

I will have more content written on this topic soon.

@baronfel baronfel mentioned this issue Mar 17, 2023
Merged
@richlander
Copy link
Member

FYI: dotnet/dotnet-docker#4508

@baronfel
Copy link
Member Author

Thanks for the heads-up, will extract this to a separate issue.

@baronfel baronfel mentioned this issue Mar 21, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area: Inference Changes to base image inference
Projects
None yet
Milestone
8.0.100
Development

Successfully merging a pull request may close this issue.

Default the ContainerUser to rootless users on .NET 8 and above dotnet/sdk-container-builds
2 participants
@baronfel @richlander