.NET's non-root UID 64198 exceeds Debian's UID_MAX of 60000 #4693
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
cc @richlander How many times do we need to change the UID? 😢 |
Proposal:

```
% dotnet run
d: 100
o: 111
t: 116
n: 110
e: 101
t: 116
Sum: 654
60000 - 654: 59346
```

Code:

```csharp
string dotnet = "dotnet";
int sum = 0;
int maxUID = 60000;
foreach (var c in dotnet)
{
    Console.WriteLine($"{c}: {(int)c}");
    sum += c;
}
Console.WriteLine($"Sum: {sum}");
Console.WriteLine($"{maxUID} - {sum}: {maxUID - sum}");
```
|
The non-root user on Red Hat images has a uid of |
I started by reading this wiki page: https://en.wikipedia.org/wiki/User_identifier#Conventions. It is possible I got confused by the large numbers. I don't think we're wedded to any one number.
|
This is a relevant sentence from that article:
I think the key is to have a value that will be usable for all types of host systems. One of the factors we need to consider is volume mounting with the container running as the non-root user. In such cases, the host system will need to have a matching UID in order to allow for the appropriate permissions in the mounted volume. For that reason, we essentially want a UID that is in the "lowest-common-denominator" of UID ranges amongst the set of distros we consider to be important enough for this scenario. |
Yes, a value like this, which is @mthalman I don't understand what you mean. Is |
Sorry, I didn't mean to imply that number wasn't good. I was just adding some commentary on what the requirement should be here. A number like 1654 seems sufficient. |
Good thing we hid the UID behind an ENV. |
Changed to |
@lbussell security scanning vendors recommend a UID of at least 10000 to avoid conflicts with the user table on Kubernetes nodes that host the container: Can the UID be changed (again) to something between 10000 and 60000? @richlander proposed 59346, that comment appears to have been overlooked. |
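
A check for the two constraints raised in this thread (stay at or below the host's `UID_MAX`, stay at or above the 10000 floor that scanners recommend), written as an added example that is not part of the original discussion or of the dotnet-docker project. The function names, the constructed `login.defs` excerpt, and the fallback values used when a key is absent (1000 and 60000) are assumptions.

```shell
#!/bin/sh
# Read a numeric key (e.g. UID_MAX) from login.defs-style text on stdin.
# Commented-out entries never match because their first field is not the key;
# if a key is repeated, the last value wins.
login_defs_get() {
    awk -v key="$1" '$1 == key && $2 ~ /^[0-9]+$/ { v = $2 }
                     END { if (v != "") print v }'
}

# classify_uid UID LOGIN_DEFS_TEXT [FLOOR]
# Prints one of: ok | above-uid-max | system-range | below-floor
# (hypothetical helper; FLOOR defaults to the 10000 mentioned in the thread)
classify_uid() {
    uid=$1; defs=$2; floor=${3:-10000}
    uid_min=$(printf '%s\n' "$defs" | login_defs_get UID_MIN)
    uid_max=$(printf '%s\n' "$defs" | login_defs_get UID_MAX)
    # Assumed fallbacks when the file does not set the keys.
    : "${uid_min:=1000}" "${uid_max:=60000}"
    if [ "$uid" -gt "$uid_max" ]; then
        echo above-uid-max      # the condition this issue reports
    elif [ "$uid" -lt "$uid_min" ]; then
        echo system-range       # overlaps IDs reserved for system accounts
    elif [ "$uid" -lt "$floor" ]; then
        echo below-floor        # valid for the distro, may collide with host users
    else
        echo ok
    fi
}

# Constructed excerpt in /etc/login.defs format, using the UID_MAX the issue
# gives for Debian Bookworm. In a real image, pass "$(cat /etc/login.defs)".
SAMPLE_DEFS='# constructed sample, not copied from a real image
UID_MIN    1000
UID_MAX   60000
#UID_MAX  99999
'

# Candidate UIDs that appear in this thread.
for candidate in 64198 59346 1654; do
    printf '%s: %s\n' "$candidate" "$(classify_uid "$candidate" "$SAMPLE_DEFS")"
done
```

Running it against each target distro's own `login.defs` shows whether a candidate UID fits all of them, which is the "lowest-common-denominator" requirement described earlier in the thread.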
I haven't seen base images with a uid that high. Because there is a link to |
I doubt any base images are going to address this. It is a binary breaking change. We will take another look at it if other popular base image providers change their built-in user to address this. This is an issue that users can resolve themselves if they are motivated. This is how the app user is created: dotnet-docker/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile Lines 26 to 33 in 6f32b91
|
Debian Bookworm has a UID_MAX set to 60000, resulting in this warning when creating a non-root user: