Heroku-24: Use the same user for the run and build images #281
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The upstream CNB spec recently changed to say that build and run images
SHOULD
use a separate Linux user for each image:https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md
https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image
As such, when adding Heroku-24 we decided to use separate users:
#245 (comment)
However, we found this is likely to cause a number of compatibility issues with existing apps and parts of the ecosystem (see #268).
Whilst we can (and will) adjust our own buildpacks to do the right thing (not write to
/layers/
or the app source directory at runtime), it's going to be some time before existing apps/frameworks/... make similar changes. In addition, the failure modes are not easy for users to debug or solve (they will have to know that seeing access denied errors means needing to usechmod
to make directories group writeable in an inline buildpack step or similar).As such, we're deferring making this switch for now, and will revisit in the future (either for Heroku-26, or as an opt-in feature for Heroku-24), when the various third party language ecosystems are more ready for this.
We will still be in compliance with the spec, since it says
SHOULD
notMUST
.We will also add integration testing to our own CNBs to ensure that they operate correctly in environments that do run split build/run users.
As part of this change, I've also switched the
heroku
user's ID from1001
back to1000
, for consistency with the Heroku-20/22 CNB base images.I've also switched back to the
USER <name>
syntax instead ofUSER <id>
, since both are permitted by the OCI and CNB specs, and the former is (a) IMO more intuitive (eg for users needing to switch toroot
and back in their ownDockerfile
), (b) matches what Heroku-20/22 do.See also:
https://manpages.ubuntu.com/manpages/noble/en/man8/userdel.8.html
https://manpages.ubuntu.com/manpages/noble/en/man8/groupadd.8.html
Closes #268.
GUS-W-15342842.