diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile b/eng/dockerfile-templates/runtime-deps/Dockerfile index e4eb19cd4c..12d47bff6b 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile @@ -22,7 +22,7 @@ set rpmFilename to "dotnet-runtime-deps.rpm" ^ set utilPkgs to when(isMariner && dotnetVersion != "6.0" && dotnetVersion != "7.0", ["shadow-utils"], []) ^ set username to "app" ^ - set uid to 101 ^ + set uid to 64198 ^ set gid to uid }}{{ if !isSingleStage:# Installer image diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu b/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu index 7ffa7df42c..47f84562d1 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu @@ -2,7 +2,7 @@ set osVersionBase to match(OS_VERSION, ".+(?=.*-)")[0] ^ set osVersionNumber to split(OS_ARCH_HYPHENATED, "-")[1] ^ set username to "app" ^ - set uid to 101 ^ + set uid to 64198 ^ set gid to uid }}FROM {{ARCH_VERSIONED}}/golang:1.18 as chisel RUN git clone --depth 1 -b main https://github.com/canonical/chisel /opt/chisel diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner index bc6d28de4b..e823cecec9 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner 
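Review bot: The new literal in `set uid to 64198 ^` is unexplained, and the same value is hard-coded independently here, in Dockerfile.chiseled-ubuntu (same physical line) and in Dockerfile.distroless-mariner (continues on the next line), while the accompanying test only asserts that the uid exceeds 10000, so a later edit to one template could drift from the others unnoticed. A short comment at the first definition would help, e.g. `# 64198: fixed high uid/gid for the non-root 'app' user; keep in sync with the other runtime-deps templates and ProductImageTests.VerifyNonRootUID`, placed where the template engine permits a comment, or otherwise next to the `# Create a non-root user and group` comment the generated Dockerfiles already carry. Because the 8.0 images' `app` user moves from 101 to 64198, files on persistent volumes written under the old uid, and deployments that pin the user id in a pod security context, will presumably start failing with permission errors after upgrading; that deserves a release-note entry for the images these templates generate. The enclosing `{{ ... }}` set block starts before this hunk.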
@@ -4,7 +4,11 @@ set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^ set baseImage to cat(marinerRepo, "/distroless/minimal:", OS_VERSION_NUMBER) ^ set username to "app" ^ - set uid to when(find(OS_VERSION, "1.0") >= 0, 1000, 101) ^ + set uid to when(dotnetVersion = "6.0" || dotnetVersion = "7.0", + when(find(OS_VERSION, "1.0") >= 0, + 1000, + 101), + 64198) ^ set gid to uid ^ set createUserHome to dotnetVersion != "6.0" }}# Installer image diff --git a/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile b/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile index 71f47b8ac1..d64f807c27 100644 --- a/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile +++ b/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile @@ -12,15 +12,15 @@ RUN apt-get update && \ RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --shell /bin/false \ --system \ app \ - && install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \ + && install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \ && mkdir -p "/rootfs/etc" \ && rootOrAppRegex='^\(root\|app\):' \ && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \ @@ -43,7 +43,7 @@ FROM scratch COPY --from=builder /rootfs / # Workaround for https://github.com/moby/moby/issues/38710 -COPY --from=builder --chown=101:101 /rootfs/home/app /home/app +COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ # Configure web servers to bind to port 8080 when present diff --git a/src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile b/src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile index f8ab85db54..102232fa81 100644 --- a/src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile +++ b/src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile 
@@ -12,15 +12,15 @@ RUN apt-get update && \ RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --shell /bin/false \ --system \ app \ - && install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \ + && install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \ && mkdir -p "/rootfs/etc" \ && rootOrAppRegex='^\(root\|app\):' \ && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \ @@ -43,7 +43,7 @@ FROM scratch COPY --from=builder /rootfs / # Workaround for https://github.com/moby/moby/issues/38710 -COPY --from=builder --chown=101:101 /rootfs/home/app /home/app +COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ # Configure web servers to bind to port 8080 when present diff --git a/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile b/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile index beb4630ee9..371a578498 100644 --- a/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile +++ b/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile @@ -12,15 +12,15 @@ RUN apt-get update && \ RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --shell /bin/false \ --system \ app \ - && install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \ + && install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \ && mkdir -p "/rootfs/etc" \ && rootOrAppRegex='^\(root\|app\):' \ && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \ @@ -43,7 +43,7 @@ FROM scratch COPY --from=builder /rootfs / # Workaround for https://github.com/moby/moby/issues/38710 -COPY --from=builder --chown=101:101 /rootfs/home/app /home/app +COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ # Configure web servers to bind to port 8080 when present 
diff --git a/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile b/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile index b5a237f06b..a90ccf2ca2 100644 --- a/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile +++ b/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile @@ -14,10 +14,10 @@ RUN apk add --no-cache \ # Create a non-root user and group RUN addgroup \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ + --uid 64198 \ --ingroup=app \ --system \ app diff --git a/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile b/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile index 07ebe9f863..bf8905c296 100644 --- a/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile @@ -14,10 +14,10 @@ RUN apk add --no-cache \ # Create a non-root user and group RUN addgroup \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ + --uid 64198 \ --ingroup=app \ --system \ app diff --git a/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile b/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile index 6291b94c2a..26d3f94bb3 100644 --- a/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile @@ -14,10 +14,10 @@ RUN apk add --no-cache \ # Create a non-root user and group RUN addgroup \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ + --uid 64198 \ --ingroup=app \ --system \ app diff --git a/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile index 037d64a728..bb1f8b05dd 100644 --- a/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile +++ b/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile @@ -17,11 +17,11 @@ RUN apt-get update \ # Create a non-root user and group RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && useradd \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --create-home \ --system \ app 
diff --git a/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile index 0091ac3090..6d650dd4e7 100644 --- a/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile @@ -17,11 +17,11 @@ RUN apt-get update \ # Create a non-root user and group RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && useradd \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --create-home \ --system \ app diff --git a/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile index 9ab420b447..c8ff65860b 100644 --- a/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile @@ -17,11 +17,11 @@ RUN apt-get update \ # Create a non-root user and group RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && useradd \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --create-home \ --system \ app diff --git a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile index b8247c5e58..e21a1c9c7b 100644 --- a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile +++ b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile @@ -32,16 +32,16 @@ RUN tmpManifestPath="/tmp/rpmmanifest" \ # Create a non-root user and group RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --shell /bin/false \ --create-home \ --system \ app \ - && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \ + && install -d -m 0755 -o 64198 -g 64198 "/staging/home/app" \ && rootOrAppRegex='^\(root\|app\):' \ && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \ && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group" 
@@ -62,7 +62,7 @@ FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 COPY --from=installer /staging/ / # Workaround for https://github.com/moby/moby/issues/38710 -COPY --from=installer --chown=101:101 /staging/home/app /home/app +COPY --from=installer --chown=64198:64198 /staging/home/app /home/app ENV \ # Configure web servers to bind to port 8080 when present diff --git a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile index b8247c5e58..e21a1c9c7b 100644 --- a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile @@ -32,16 +32,16 @@ RUN tmpManifestPath="/tmp/rpmmanifest" \ # Create a non-root user and group RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --shell /bin/false \ --create-home \ --system \ app \ - && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \ + && install -d -m 0755 -o 64198 -g 64198 "/staging/home/app" \ && rootOrAppRegex='^\(root\|app\):' \ && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \ && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group" @@ -62,7 +62,7 @@ FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 COPY --from=installer /staging/ / # Workaround for https://github.com/moby/moby/issues/38710 -COPY --from=installer --chown=101:101 /staging/home/app /home/app +COPY --from=installer --chown=64198:64198 /staging/home/app /home/app ENV \ # Configure web servers to bind to port 8080 when present diff --git a/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile index cb74918590..c53e02ee9f 100644 --- a/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile +++ b/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile 
@@ -18,11 +18,11 @@ RUN tdnf install -y \ shadow-utils \ && groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --create-home \ --system \ app \ diff --git a/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile index cb74918590..c53e02ee9f 100644 --- a/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile @@ -18,11 +18,11 @@ RUN tdnf install -y \ shadow-utils \ && groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --create-home \ --system \ app \ diff --git a/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile b/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile index 6789f02bf3..f644b5b5b4 100644 --- a/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile +++ b/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile @@ -12,15 +12,15 @@ RUN apt-get update && \ RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --shell /bin/false \ --system \ app \ - && install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \ + && install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \ && mkdir -p "/rootfs/etc" \ && rootOrAppRegex='^\(root\|app\):' \ && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \ @@ -43,7 +43,7 @@ FROM scratch COPY --from=builder /rootfs / # Workaround for https://github.com/moby/moby/issues/38710 -COPY --from=builder --chown=101:101 /rootfs/home/app /home/app +COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ # Configure web servers to bind to port 8080 when present diff --git a/src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile b/src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile index acb008e7fd..24a8ca059c 100644 
--- a/src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile @@ -12,15 +12,15 @@ RUN apt-get update && \ RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --shell /bin/false \ --system \ app \ - && install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \ + && install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \ && mkdir -p "/rootfs/etc" \ && rootOrAppRegex='^\(root\|app\):' \ && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \ @@ -43,7 +43,7 @@ FROM scratch COPY --from=builder /rootfs / # Workaround for https://github.com/moby/moby/issues/38710 -COPY --from=builder --chown=101:101 /rootfs/home/app /home/app +COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ # Configure web servers to bind to port 8080 when present diff --git a/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile b/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile index 0a6bc05d1c..f4fcde3d09 100644 --- a/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile @@ -12,15 +12,15 @@ RUN apt-get update && \ RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --shell /bin/false \ --system \ app \ - && install -d -m 0755 -o 101 -g 101 "/rootfs/home/app" \ + && install -d -m 0755 -o 64198 -g 64198 "/rootfs/home/app" \ && mkdir -p "/rootfs/etc" \ && rootOrAppRegex='^\(root\|app\):' \ && cat /etc/passwd | grep $rootOrAppRegex > "/rootfs/etc/passwd" \ @@ -43,7 +43,7 @@ FROM scratch COPY --from=builder /rootfs / # Workaround for https://github.com/moby/moby/issues/38710 -COPY --from=builder --chown=101:101 /rootfs/home/app /home/app +COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app ENV \ # Configure web servers to bind to port 8080 when present 
diff --git a/src/runtime-deps/8.0/jammy/amd64/Dockerfile b/src/runtime-deps/8.0/jammy/amd64/Dockerfile index 28012bf426..83901d7255 100644 --- a/src/runtime-deps/8.0/jammy/amd64/Dockerfile +++ b/src/runtime-deps/8.0/jammy/amd64/Dockerfile @@ -17,11 +17,11 @@ RUN apt-get update \ # Create a non-root user and group RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --system \ app diff --git a/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile b/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile index 28012bf426..83901d7255 100644 --- a/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile @@ -17,11 +17,11 @@ RUN apt-get update \ # Create a non-root user and group RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --system \ app diff --git a/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile b/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile index 28012bf426..83901d7255 100644 --- a/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile +++ b/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile @@ -17,11 +17,11 @@ RUN apt-get update \ # Create a non-root user and group RUN groupadd \ --system \ - --gid=101 \ + --gid=64198 \ app \ && adduser \ - --uid 101 \ - --gid 101 \ + --uid 64198 \ + --gid 64198 \ --system \ app diff --git a/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs b/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs index b557488899..a306b24a03 100644 --- a/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs +++ b/tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs 
@@ -18,7 +18,7 @@ protected ProductImageTests(ITestOutputHelper outputHelper) DockerHelper = new DockerHelper(outputHelper); OutputHelper = outputHelper; } - + protected DockerHelper DockerHelper { get; } protected ITestOutputHelper OutputHelper { get; } protected abstract DotNetImageType ImageType { get; } @@ -117,6 +117,40 @@ protected void VerifyCommonDefaultUser(ProductImageData imageData) } Assert.Equal(expectedUser, actualUser); + + VerifyNonRootUID(imageData); + } + + protected void VerifyNonRootUID(ProductImageData imageData) + { + if (((imageData.Version.Major == 6 || imageData.Version.Major == 7) && (!imageData.IsDistroless || imageData.OS.StartsWith(OS.Mariner))) + || imageData.IsWindows) + { + OutputHelper.WriteLine("UID check is only relevant for Linux images running .NET versions >= 8.0 and distroless images besides CBL Mariner."); + return; + } + + string imageTag = imageData.GetImage(ImageType, DockerHelper); + string rootPath = "/"; + + if (imageData.IsDistroless) + { + rootPath = "/rootfs/"; + imageTag = DockerHelper.BuildDistrolessHelper(ImageType, imageData, rootPath); + } + + string command = $"-c \"grep '^app' {rootPath}etc/passwd | cut -d: -f3\""; + + string uidString = DockerHelper.Run( + image: imageTag, + command: command, + name: imageData.GetIdentifier($"VerifyUID-{ImageType}"), + optionalRunArgs: $"--entrypoint /bin/sh" + ); + + int uid = int.Parse(uidString); + + Assert.True(uid > 10000); } private IEnumerable GetInstalledRpmPackages(ProductImageData imageData)
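Review bot: `grep '^app'` in the new `command` string is a prefix match, so any account whose name merely starts with `app` would also be selected and the multi-line result would then make `int.Parse` throw; the Dockerfiles in this same diff already anchor on the field separator with `rootOrAppRegex='^\(root\|app\):'`, so the test should do likewise: `grep '^app:' {rootPath}etc/passwd | cut -d: -f3`. `int.Parse(uidString)` is parsing machine output and should pass `CultureInfo.InvariantCulture` (CA1305), and `Assert.True(uid > 10000)` never checks the value the templates actually set, so the three templates can diverge from each other without this test noticing; asserting the exact expected id, e.g. `Assert.Equal(64198, uid);`, and covering the gid as well via `cut -d: -f3,4` would make the check meaningful. The skip condition at the top of `VerifyNonRootUID` would also benefit from a one-line comment stating why 6.0/7.0 images keep the low uid (compatibility with existing deployments, presumably) rather than leaving the reader to reverse-engineer it from the log message. `VerifyCommonDefaultUser`, whose closing lines open this hunk, begins outside the hunk.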