[Breaking change]: New app user in Linux container images #35958

Closed
1 of 3 tasks
mthalman opened this issue Jun 26, 2023 · 0 comments · Fixed by #36238
Labels
breaking-change Indicates a .NET Core breaking change doc-idea Indicates issues that are suggestions for new topics [org][type][category] Pri1 High priority, do before Pri2 and Pri3 📌 seQUESTered Identifies that an issue has been imported into Quest.

mthalman commented Jun 26, 2023

Description

The .NET container images have included a new non-root user named app in their Linux container images. This new user can be opted into to provide a number of security benefits as documented in "Secure your .NET cloud apps with rootless Linux Containers". The name of this user may conflict with an existing user defined by an application's Dockerfile.

Version

.NET 8 Preview 1

Previous behavior

Prior to .NET 8, the Linux container images did not include any additional users beyond what was included by default in the base Linux container image (e.g. Debian, Alpine, Ubuntu).

New behavior

Starting in .NET 8, Linux container images now define a user named app that can be opted into for additional security benefits. However, the name of this user may conflict with an existing user that was defined by the application's Dockerfile. If the application's Dockerfile attempts to create a user with the same name, an error may occur saying that the user already exists.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code may require source changes to compile successfully.
  • Behavioral change: Existing binaries may behave differently at run time.

Reason for change

This user was introduced to provide .NET users a great usability experience when wanting to better secure their containers. This is documented in depth at "Secure your .NET cloud apps with rootless Linux Containers".

Recommended action

If the application's Dockerfile attempts to create a new user with the same name as the existing app user, there are two options:

  • Update the Dockerfile to change the name of the user so that it no longer conflicts.
  • Remove the user creation logic and migrate to use the built-in app user instead.

Feature area

Deployment

Affected APIs

No response


Associated WorkItem - 118219
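
A pre-upgrade check for the conflict described under "Recommended action", added here as an example and not part of the original issue or the .NET project's code: a shell function that scans a Dockerfile for RUN instructions creating a user or group named app. It assumes the account name is the last argument of useradd/adduser/groupadd/addgroup; the function names and the sample Dockerfile are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue): find RUN instructions in a Dockerfile
# that create a user or group named "app", the name that .NET 8 Linux images
# now define themselves. Assumption: the account name is the last argument
# of useradd/adduser/groupadd/addgroup.

find_app_user_conflicts() {   # $1 = Dockerfile path; prints "LINE: instruction"
    awk '
    function check(instr, lineno,    n, cmds, i, k, words, w, hit, last) {
        if (toupper(instr) !~ /^[ \t]*RUN[ \t]/) return
        n = split(instr, cmds, /&&|[|;]+/)        # one entry per shell command
        for (i = 1; i <= n; i++) {
            hit = 0; last = ""
            k = split(cmds[i], words, /[ \t]+/)
            for (w = 1; w <= k; w++) {
                if (words[w] ~ /(^|\/)(useradd|adduser|groupadd|addgroup)$/) hit = 1
                if (words[w] != "") last = words[w]
            }
            gsub(/"/, "", last)
            if (hit && last == "app") { print lineno ": " instr; return }
        }
    }
    {   # Join backslash-continued lines into one logical instruction.
        if (buf == "") start = NR
        line = $0
        if (sub(/\\[ \t]*$/, " ", line)) { buf = buf line; next }
        check(buf line, start)
        buf = ""
    }
    END { if (buf != "") check(buf, start) }
    ' "$1"
}

write_sample() {   # constructed sample Dockerfile, not taken from the issue
    cat <<'EOF'
FROM mcr.microsoft.com/dotnet/aspnet:8.0
WORKDIR /srv
RUN groupadd -r app \
    && useradd -r -g app app
RUN adduser --disabled-password svc
COPY . .
USER app
EOF
}

sample=$(mktemp)
write_sample > "$sample"
find_app_user_conflicts "$sample"   # reports the RUN instruction starting at line 3
rm -f "$sample"
```

Any line the function prints is a candidate for one of the two recommended actions: rename the user, or delete the creation step and keep `USER app`.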

@mthalman mthalman added doc-idea Indicates issues that are suggestions for new topics [org][type][category] breaking-change Indicates a .NET Core breaking change Pri1 High priority, do before Pri2 and Pri3 labels Jun 26, 2023
@dotnet-bot dotnet-bot added the ⌚ Not Triaged Not triaged label Jun 26, 2023
@gewarren gewarren added 🗺️ reQUEST Triggers an issue to be imported into Quest. and removed ⌚ Not Triaged Not triaged labels Jun 27, 2023
@github-actions github-actions bot added 📌 seQUESTered Identifies that an issue has been imported into Quest. and removed 🗺️ reQUEST Triggers an issue to be imported into Quest. labels Jun 28, 2023
@ghost ghost added in-pr This issue will be closed (fixed) by an active pull request. and removed in-pr This issue will be closed (fixed) by an active pull request. labels Jul 12, 2023
@ghost ghost removed the in-pr This issue will be closed (fixed) by an active pull request. label Jul 13, 2023