fix(container-base): remove explicit user="root" from containerconfig #17619
dethoma wants to merge 1 commit into
Conversation
All five <containerconfig> blocks (core, core-dev, distroless-minimal, distroless-base, distroless-debug) declared user="root", which kiwi maps to OCI Config.User="root" in the published image manifest. This diverges from Azure Linux 3.0 (Config.User=null) and from every mainstream distro base image (Debian, Ubuntu, Alpine, UBI, Fedora), which all leave Config.User unset.

The OCI runtime default for an unset User is uid 0, so removing the attribute does not change effective runtime behavior - containers still run as root unless overridden. However, several security scanners and policy engines (Kyverno, OPA, Trivy, PodSecurity tooling) key off the literal Config.User value: an image that explicitly declares "root" is flagged where one with an unset User passes (and vice versa). Customers upgrading from 3.0 to 4.0 therefore see new policy violations with no Dockerfile change on their side - a real breaking change for the distroless variants in particular.

Fixes: AB#20607

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Removes the explicit user="root" attribute from all <containerconfig> blocks in the container-base KIWI definition so the resulting OCI images publish with Config.User unset (null), matching Azure Linux 3.0 and common base-image behavior.
Changes:
- Dropped `user="root"` from the `core` and `core-dev` container configs.
- Dropped `user="root"` from the distroless `minimal`, `base`, and `debug` container configs.
suggestion: The code change is correct and LGTM. Verified that the Config.User is unset on core and distroless container variants, and matches AZL 3.0 and every peer distro.
Requesting commit message tweak: scanners like Trivy and Kubernetes PodSecurity don't evaluate solely on User="root". They treat an unset User identically to root. The scanner justification does not quite hold, so I recommend removing that part of the justification.
Summary
All five `<containerconfig>` blocks in `base/images/container-base/container-base.kiwi` (core, core-dev, distroless-minimal, distroless-base, distroless-debug) declare `user="root"`, which kiwi maps to OCI `Config.User="root"` in the published image manifest.

This diverges from Azure Linux 3.0 (`Config.User=null`) and from every mainstream distro base image (Debian, Ubuntu, Alpine, UBI, Fedora), which all leave `Config.User` unset.

Why this matters
The OCI runtime default for an unset User is uid 0, so removing the attribute does not change effective runtime behavior — the containers still run as root unless overridden by a downstream image.
However, several security scanners and policy engines (Kyverno, OPA, Trivy, Kubernetes PodSecurity tooling) key off the literal `Config.User` value: an image that explicitly declares `"root"` is flagged where one with an unset User passes (and vice versa). Customers upgrading from 3.0 to 4.0 therefore see new policy violations with no Dockerfile change on their side — a real breaking change, especially for the distroless variants which are exactly the images security-conscious consumers reach for.

Repro
After this change, the 4.0 manifest will report `null`, matching 3.0 and peer distros.

Fixes: AB#20607
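The point argued in the PR description and in the review comment above (an unset `Config.User` and an explicit `"root"` both start the container as uid 0, so a policy check should not depend on the literal value) as an added Python example; this is not code from the PR or from kiwi, and the sample image configs are constructed:

```python
import json
from typing import Optional

# Added example, not code from the PR or from kiwi: evaluates an OCI image
# config so that an unset Config.User and an explicit "root" are judged
# identically, and contrasts that with a literal string match.


def effective_uid(image_config: dict) -> Optional[int]:
    """Return the uid the container starts as, or None if it cannot be
    resolved offline (a named non-root user needs the rootfs /etc/passwd)."""
    user = image_config.get("config", {}).get("User")
    if user in (None, ""):
        return 0  # OCI runtime default for an unset User is uid 0
    # User may be "uid", "uid:gid", "name" or "name:group"; only the user part matters here
    user_part = str(user).split(":", 1)[0]
    if user_part == "root":
        return 0
    if user_part.isdigit():
        return int(user_part)
    return None


def runs_as_root(image_config: dict) -> bool:
    """Policy check that does not depend on how root was spelled."""
    return effective_uid(image_config) == 0


def naive_literal_root_check(image_config: dict) -> bool:
    """Literal-match check as described in the PR: flags "root" but lets an
    unset User through, although both mean uid 0 at runtime."""
    return image_config.get("config", {}).get("User") == "root"


# Constructed sample OCI image configs (not real Azure Linux manifests)
UNSET_USER = json.loads('{"architecture": "amd64", "os": "linux", "config": {"Cmd": ["/bin/bash"]}}')
EXPLICIT_ROOT = json.loads('{"architecture": "amd64", "os": "linux", "config": {"User": "root", "Cmd": ["/bin/bash"]}}')
NUMERIC_NONROOT = json.loads('{"config": {"User": "1000:1000"}}')
NAMED_NONROOT = json.loads('{"config": {"User": "nobody"}}')

if __name__ == "__main__":
    for label, cfg in [("unset", UNSET_USER), ("root", EXPLICIT_ROOT), ("1000:1000", NUMERIC_NONROOT)]:
        print(f"User={label!r:>12}: literal_root={naive_literal_root_check(cfg)} effective_root={runs_as_root(cfg)}")
```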