Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heroku-24: Use the same user for the run and build images #281

Merged
merged 1 commit into from
Mar 27, 2024

Conversation

edmorley
Copy link
Member

@edmorley edmorley commented Mar 27, 2024

The upstream CNB spec recently changed to say that build and run images SHOULD use a separate Linux user for each image:
https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md
https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image

As such, when adding Heroku-24 we decided to use separate users:
#245 (comment)

However, we found this is likely to cause a number of compatibility issues with existing apps and parts of the ecosystem (see #268).

Whilst we can (and will) adjust our own buildpacks to do the right thing (not write to /layers/ or the app source directory at runtime), it's going to be some time before existing apps/frameworks/... make similar changes. In addition, the failure modes are not easy for users to debug or solve (they will have to know that seeing access denied errors means needing to use chmod to make directories group writeable in an inline buildpack step or similar).

As such, we're deferring making this switch for now, and will revisit in the future (either for Heroku-26, or as an opt-in feature for Heroku-24), when the various third party language ecosystems are more ready for this.

We will still be in compliance with the spec, since it says SHOULD not MUST.

We will also add integration testing to our own CNBs to ensure that they operate correctly in environments that do run split build/run users.

As part of this change, I've also switched the heroku user's ID from 1001 back to 1000, for consistency with the Heroku-20/22 CNB base images.

I've also switched back to the USER <name> syntax instead of USER <id>, since both are permitted by the OCI and CNB specs, and the former is (a) IMO more intuitive (eg for users needing to switch to root and back in their own Dockerfile), (b) matches what Heroku-20/22 do.

See also:
https://manpages.ubuntu.com/manpages/noble/en/man8/userdel.8.html
https://manpages.ubuntu.com/manpages/noble/en/man8/groupadd.8.html

Closes #268.
GUS-W-15342842.

@edmorley edmorley self-assigned this Mar 27, 2024
The upstream CNB spec recently changed to say that build and run
images `SHOULD` use a separate Linux user for each image:
https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md
https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image

However, this causes a number of compatibility issues with existing
apps and parts of the ecosystem (see #268).

Whilst we can (and will) adjust our own buildpacks to do the right thing
(not write to `/layers/` or the app source directory at runtime), it's
going to be some time before existing apps/frameworks/... make similar
changes. In addition, the failure modes are not easy for users to debug
or solve (they will have to know that seeing access denied errors means
needing to use `chmod` to make directories group writeable in an inline
buildpack step or similar).

As such, we're deferring making this switch for now, and will revisit in the
future (either for Heroku-26, or as an opt-in feature for Heroku-24), when
the various third party language ecosystems are more ready for this.

We will still be in compliance with the spec, since it says `SHOULD` not
`MUST`.

We will also add integration testing to our own CNBs to ensure that they
operate correctly in environments that do run split build/run users.

As part of this change, I've also switched the `heroku` user's ID back to
1000, for consistency with the Heroku-20/22 CNB base images.

I've also switched back to the `USER <name>` syntax instead of `USER <id>`,
since both are permitted by the OCI and CNB specs, and the former is
(a) IMO more intuitive (eg for users needing to switch to `root` and back
in their own `Dockerfile`), (b) matches what Heroku-20/22 do.

See also:
https://manpages.ubuntu.com/manpages/noble/en/man8/userdel.8.html
https://manpages.ubuntu.com/manpages/noble/en/man8/groupadd.8.html

Closes #268.
GUS-W-15342842.
@edmorley edmorley force-pushed the edmorley/h24-single-user branch from c4b2057 to b851474 Compare March 27, 2024 14:07
@edmorley edmorley marked this pull request as ready for review March 27, 2024 14:12
@edmorley edmorley requested a review from a team as a code owner March 27, 2024 14:12
Copy link
Member

@joshwlewis joshwlewis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for tackling this!

@edmorley edmorley merged commit 76c7ea9 into main Mar 27, 2024
4 checks passed
@edmorley edmorley deleted the edmorley/h24-single-user branch March 27, 2024 14:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Heroku-24: Implications of the switch to separate Linux users for build vs run images
2 participants