.NET's non-root UID 64198 exceeds Debian's UID_MAX of 60000 #4693

Closed
lbussell opened this issue Jun 22, 2023 · 13 comments
Comments

@lbussell
Contributor

Debian Bookworm has a UID_MAX set to 60000, resulting in this warning when creating a non-root user:

#6 [3/3] RUN groupadd         --gid=64198         app     && useradd -l         --uid=64198         --gid=64198         --create-home         app
#6 0.610 useradd warning: app's uid 64198 outside of the UID_MIN 1000 and UID_MAX 60000 range.
#6 DONE 0.7s
@dotnet-issue-labeler

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@mthalman
Member

cc @richlander

How many times do we need to change the UID? 😢

@mthalman mthalman added this to the .NET 8 milestone Jun 28, 2023
@richlander
Member

richlander commented Jun 28, 2023

Proposal: 59346

% dotnet run
d: 100
o: 111
t: 116
n: 110
e: 101
t: 116
Sum: 654
60000 - 654: 59346

Code:

using System;

string dotnet = "dotnet";
int sum = 0;
int maxUID = 60000;   // Debian's UID_MAX

// Print each character's code point and add it to the running sum
foreach (var c in dotnet)
{
    Console.WriteLine($"{c}: {(int)c}");
    sum += c;
}

Console.WriteLine($"Sum: {sum}");

// Proposed UID: UID_MAX minus the sum of the characters in "dotnet"
Console.WriteLine($"{maxUID} - {sum}: {maxUID - sum}");

@tmds
Member

tmds commented Jun 28, 2023

The non-root user on Red Hat images has a uid of 1001.
Is there a reason you pick such high values?

@richlander
Member

I started by reading this wiki page: https://en.wikipedia.org/wiki/User_identifier#Conventions. It is possible I got confused by the large numbers.

I don't think we're wedded to any one number.

1654 would be 1000 + dotnet. The UID doesn't have to be unique, but it is also arbitrary.

@mthalman
Member

I started by reading this wiki page: https://en.wikipedia.org/wiki/User_identifier#Conventions. It is possible I got confused by the large numbers.

This is a relevant sentence from that article:

Central UID allocations in enterprise networks (e.g., via LDAP and NFS servers) may limit themselves to using only UID numbers well above 1000, and outside the range 60000–65535, to avoid potential conflicts with UIDs locally allocated on client computers.

I think the key is to have a value that will be usable for all types of host systems. One of the factors we need to consider is volume mounting with the container running as the non-root user. In such cases, the host system will need to have a matching UID in order to allow for the appropriate permissions in the mounted volume. For that reason, we essentially want a UID that is in the "lowest-common-denominator" of UID ranges amongst the set of distros we consider to be important enough for this scenario.

@tmds
Member

tmds commented Jun 28, 2023

1654 would be 1000 + dotnet.

Yes, a value like this, which is 1000 or higher, but not too high.

@mthalman I don't understand what you mean. Is 1654 an appropriate value? Or should it be in a different range?

@mthalman
Member

Sorry, I didn't mean to imply that number wasn't good. I was just adding some commentary on what the requirement should be here. A number like 1654 seems sufficient.

@richlander
Member

Good thing we hid the UID behind an ENV.

@lbussell
Contributor Author

lbussell commented Jul 5, 2023

Changed to 1654 in #4715.

@sliekens

@lbussell security scanning vendors recommend a UID of at least 10000 to avoid conflicts with the user table on Kubernetes nodes that host the container:
https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0020/

Can the UID be changed (again) to something between 10000 and 60000? @richlander proposed 59346, that comment appears to have been overlooked.

@tmds
Member

tmds commented Apr 22, 2024

security scanning vendors recommend a UID of at least 10000 to avoid conflicts with the user table on Kubernetes nodes that host the container:
https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0020/

I haven't seen base images with a uid that high. Because there is a link to containers[].securityContext.runAsUser, I think this is a recommendation to set runAsUser > 10000.

@richlander
Member

richlander commented Apr 22, 2024

I doubt any base images are going to address this. It is a binary breaking change. We will take another look at it if other popular base image providers change their built-in user to address this.

This is an issue that users can resolve themselves if they are motivated.

This is how the app user is created:

RUN groupadd \
        --gid=$APP_UID \
        app \
    && useradd -l \
        --uid=$APP_UID \
        --gid=$APP_UID \
        --create-home \
        app
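Added example, not code from the dotnet-docker project: a small shell check that reproduces the range test behind the useradd warning in the opening comment (UID_MIN/UID_MAX from login.defs) and the >= 10000 floor from the KSV-0020 link, so a candidate APP_UID can be vetted against the "lowest common denominator" of several hosts before an image is rebuilt. The login.defs contents, the temp-file paths and the 1000/60000 fallback defaults are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from dotnet-docker): vet a candidate UID against the
# UID_MIN/UID_MAX range useradd reads from /etc/login.defs, and against the
# >= 10000 floor that the KSV-0020 check applies to runAsUser.

# Print "UID_MIN UID_MAX" from a login.defs file. Assumed defaults of 1000
# and 60000 (the values in the warning above) apply when a key is absent;
# commented-out keys such as "#UID_MIN 500" are ignored.
login_defs_range() {
    awk '$1=="UID_MIN" {min=$2}
         $1=="UID_MAX" {max=$2}
         END {if (min=="") min=1000; if (max=="") max=60000; print min, max}' "$1"
}

# Succeed when uid lies within [UID_MIN, UID_MAX] of the given login.defs.
uid_in_range() {
    uid="$1"
    set -- $(login_defs_range "$2")   # now $1=UID_MIN, $2=UID_MAX
    [ "$uid" -ge "$1" ] && [ "$uid" -le "$2" ]
}

# Succeed when uid clears the Kubernetes >= 10000 floor AND fits every
# login.defs passed, i.e. it is usable on all of those hosts at once.
uid_acceptable() {
    uid="$1"; shift
    [ "$uid" -ge 10000 ] || return 1
    for defs in "$@"; do
        uid_in_range "$uid" "$defs" || return 1
    done
}

# Constructed login.defs samples standing in for two host distributions.
DEFS_DIR=$(mktemp -d)
printf 'UID_MIN 1000\nUID_MAX 60000\n' > "$DEFS_DIR/bookworm.defs"
printf '#UID_MIN 500\nUID_MIN 1000\nUID_MAX 50000\n' > "$DEFS_DIR/other.defs"

# The UIDs from this thread (64198, 59346, 1654) plus one constructed value.
for uid in 64198 59346 1654 12345; do
    if uid_acceptable "$uid" "$DEFS_DIR"/*.defs; then
        echo "uid $uid: accepted on all sample hosts and >= 10000"
    else
        echo "uid $uid: rejected"
    fi
done
```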
