Skip to content

Add non-root user support #4397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 39 commits into from
Feb 15, 2023
Merged

Add non-root user support #4397

Show file tree
Hide file tree
Changes from 37 commits
Commits
Show all changes
39 commits
Select commit Hold shift + click to select a range
737fd53
Add 8.0 images with new non-root user
lbussell Jan 24, 2023
e71bc0b
Regenerate Dockerfiles
lbussell Jan 24, 2023
02e6241
All new dockerfiles build now
lbussell Jan 24, 2023
26c26ca
Add jammy-chiseled 8.0 runtime-deps files for new aspnet ports
lbussell Jan 27, 2023
fc176d8
Move aspnet sample back to net7.0
lbussell Jan 27, 2023
aee134e
Update environment variables for 8.0 dockerfiles
lbussell Jan 30, 2023
7773de5
WIP tests
lbussell Jan 30, 2023
670ec48
Try to clear tmp directory when running dotnet help
lbussell Feb 1, 2023
74311e6
Clean up Dockerfiles
lbussell Feb 7, 2023
452945b
Merge remote-tracking branch 'upstream/nightly' into feature/non-root…
lbussell Feb 7, 2023
a60cc4f
Remove commented out tests that don't run
lbussell Feb 7, 2023
dc8141a
Remove https port variables
lbussell Feb 7, 2023
3fced5d
.NET versions < 8.0 want the --urls argument
lbussell Feb 7, 2023
9130588
Address some review comments
lbussell Feb 7, 2023
0d68933
Clean up ports, run fx dependent test as non-root
lbussell Feb 7, 2023
cfff6d4
Fix debian home creation behavior
lbussell Feb 7, 2023
0ae0262
Fix aspnet sample base images
lbussell Feb 7, 2023
991f949
Add equals sign back in group add command
lbussell Feb 7, 2023
c0b37b0
I don't know why I swapped these arguments, swap them back
lbussell Feb 7, 2023
ebb8aed
Correctly pass through create-home variable to non-root-user template
lbussell Feb 7, 2023
b2e63de
Update image size baselines
lbussell Feb 8, 2023
bc2dcd8
Update templates to accommodate shadow-utils in Mariner
lbussell Feb 9, 2023
31aea92
Regenerate dockerfiles.
lbussell Feb 9, 2023
8984b4f
Remove redundant dependency list
lbussell Feb 9, 2023
afe6f03
Regenerate dockerfiles
lbussell Feb 9, 2023
20ea44f
Fix samples
lbussell Feb 9, 2023
98b3ba7
Fix Mariner home directory and fix formatting
lbussell Feb 9, 2023
26cad58
Remove --create-home from jammy and alpine
lbussell Feb 9, 2023
6d493d9
put additional packages in alphabetical order and clean up some logic
lbussell Feb 9, 2023
1a0fa36
Change aspnet port env var in 8.0+ monitor dockerfiles
lbussell Feb 10, 2023
8d775f5
Make version checks in tests more serviceable
lbussell Feb 10, 2023
c5aae01
Clean up version checks in tests
lbussell Feb 13, 2023
40d8c42
Look for new environment variable to be unset in monitor tests
lbussell Feb 13, 2023
a880a6a
Add args back
lbussell Feb 13, 2023
cc858da
Fix no-clean logic to only clean once in mariner 8.0
lbussell Feb 13, 2023
452e753
7.0 doesn't have non-root support
lbussell Feb 13, 2023
c0442d4
Install shadow-utils in line with non-root user in mariner
lbussell Feb 13, 2023
daaa7e3
Revert to old install-deps template
lbussell Feb 14, 2023
724e253
Fix indentation in install-deps template
lbussell Feb 15, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions README.runtime-deps.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,9 +60,9 @@ Tags | Dockerfile | OS Version
Tags | Dockerfile | OS Version
-----------| -------------| -------------
8.0.0-preview.1-bookworm-slim-amd64, 8.0-preview-bookworm-slim-amd64, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim, latest | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile) | Debian 12
8.0.0-preview.1-alpine3.17-amd64, 8.0-preview-alpine3.17-amd64, 8.0-preview-alpine-amd64, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/alpine3.17/amd64/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-amd64, 8.0-preview-jammy-amd64, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy/amd64/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-jammy-chiseled-amd64, 8.0-preview-jammy-chiseled-amd64, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-alpine3.17-amd64, 8.0-preview-alpine3.17-amd64, 8.0-preview-alpine-amd64, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-amd64, 8.0-preview-jammy-amd64, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy/amd64/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-jammy-chiseled-amd64, 8.0-preview-jammy-chiseled-amd64, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile) | Ubuntu 22.04

## Linux arm64 Tags
Tags | Dockerfile | OS Version
Expand All @@ -83,9 +83,9 @@ Tags | Dockerfile | OS Version
Tags | Dockerfile | OS Version
-----------| -------------| -------------
8.0.0-preview.1-bookworm-slim-arm64v8, 8.0-preview-bookworm-slim-arm64v8, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim, latest | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile) | Debian 12
8.0.0-preview.1-alpine3.17-arm64v8, 8.0-preview-alpine3.17-arm64v8, 8.0-preview-alpine-arm64v8, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/alpine3.17/arm64v8/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-arm64v8, 8.0-preview-jammy-arm64v8, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy/arm64v8/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-jammy-chiseled-arm64v8, 8.0-preview-jammy-chiseled-arm64v8, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-alpine3.17-arm64v8, 8.0-preview-alpine3.17-arm64v8, 8.0-preview-alpine-arm64v8, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-arm64v8, 8.0-preview-jammy-arm64v8, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-jammy-chiseled-arm64v8, 8.0-preview-jammy-chiseled-arm64v8, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile) | Ubuntu 22.04

## Linux arm32 Tags
Tags | Dockerfile | OS Version
Expand All @@ -104,8 +104,8 @@ Tags | Dockerfile | OS Version
Tags | Dockerfile | OS Version
-----------| -------------| -------------
8.0.0-preview.1-bookworm-slim-arm32v7, 8.0-preview-bookworm-slim-arm32v7, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim, latest | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile) | Debian 12
8.0.0-preview.1-alpine3.17-arm32v7, 8.0-preview-alpine3.17-arm32v7, 8.0-preview-alpine-arm32v7, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/alpine3.17/arm32v7/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-arm32v7, 8.0-preview-jammy-arm32v7, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy/arm32v7/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-alpine3.17-arm32v7, 8.0-preview-alpine3.17-arm32v7, 8.0-preview-alpine-arm32v7, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-arm32v7, 8.0-preview-jammy-arm32v7, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile) | Ubuntu 22.04

You can retrieve a list of all available tags for dotnet/nightly/runtime-deps at https://mcr.microsoft.com/v2/dotnet/nightly/runtime-deps/tags/list.
<!--End of generated tags-->
Expand Down
4 changes: 2 additions & 2 deletions eng/dockerfile-templates/Dockerfile.common-dotnet-envs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,10 @@
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^
set lineContinuation to when(isWindows, "`", "\") ^
set port to when(isDistroless, "8080", "80")
set port to when(isDistroless || (dotnetVersion != "6.0" && dotnetVersion != "7.0"), "8080", "80")
}}ENV {{lineContinuation}}
# Configure web servers to bind to port {{port}} when present
ASPNETCORE_URLS=http://+:{{port}} {{lineContinuation}}
{{if dotnetVersion = "6.0" || dotnetVersion = "7.0":ASPNETCORE_URLS=http://+:{{port}}^else:ASPNETCORE_HTTP_PORTS={{port}}}} {{lineContinuation}}
{{InsertTemplate("Dockerfile.env.container")}}{{if isAlpine || (isDistroless && !(isMariner && find(OS_VERSION, "1.0") > 0)): {{lineContinuation}}
# Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true}}
21 changes: 6 additions & 15 deletions eng/dockerfile-templates/Dockerfile.linux.install-deps
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{{
_ ARGS:
isSdk (optional): Indicates whether the dependencies are installed for an sdk Dockerfile
distroless-staging-dir (optional): Location of the staging directory for distroless installation ^
distroless-staging-dir (optional): Location of the staging directory for distroless installation
additionalPkgs (optional): Additional packages to install ^

set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
set isAlpine to find(OS_ARCH_HYPHENATED, "Alpine") >= 0 ^
Expand Down Expand Up @@ -45,24 +45,15 @@
"libstdc++6",
"zlib1g"
])) ^
set certsPkgPrefix to when(isMariner,
[
when(isDistrolessMariner, "prebuilt-ca-certificates", "ca-certificates"),
"",
dotnetDepsComment
],
[
"ca-certificates",
"",
dotnetDepsComment
]) ^
set pkgs to when(ARGS["isSdk"], pkgs, cat(certsPkgPrefix, pkgs))
set certsPkg to when(isDistrolessMariner, "prebuilt-ca-certificates", "ca-certificates") ^
set additionalPkgs to when(defined(ARGS["additionalPkgs"]), sort(cat(ARGS["additionalPkgs"], [certsPkg])), [certsPkg]) ^
set pkgs to cat(additionalPkgs, ["", dotnetDepsComment], pkgs)
}}{{InsertTemplate("Dockerfile.linux.install-pkgs",
[
"pkgs": pkgs,
"noninteractive": (OS_VERSION = "focal"),
"pkg-mgr": when(isDistrolessMariner, when (find(OS_VERSION, "1.0") >= 0, "dnf", "tdnf"), ""),
"pkg-mgr-opts": when(isDistrolessMariner,
cat(" --releasever=", OS_VERSION_NUMBER, " --installroot ", ARGS["distroless-staging-dir"]),
""),
"")
])}}
7 changes: 4 additions & 3 deletions eng/dockerfile-templates/Dockerfile.linux.install-pkgs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@
pkgs: list of packages to install
pkg-mgr (optional): package manager to use
pkg-mgr-opts (optional): additional options to pass to the package manager
noninteractive (optional): whether to use noninteractive mode ^
noninteractive (optional): whether to use noninteractive mode
no-clean (optional): skip package manager cleanup after install ^

set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
Expand All @@ -22,10 +23,10 @@ elif isTdnf:tdnf install -y{{ARGS["pkg-mgr-opts"]}} \^
else:apt-get update \
&&{{if ARGS["noninteractive"]: DEBIAN_FRONTEND=noninteractive}} apt-get install -y --no-install-recommends{{ARGS["pkg-mgr-opts"]}} \}}{{
for index, pkg in ARGS["pkgs"]:
{{pkg}}{{if appendPkgSuffix(pkg, index):{{if pkg != "": }}\}}}}{{
{{pkg}}{{if appendPkgSuffix(pkg, index):{{if pkg != "": }}\}}}}{{if !ARGS["no-clean"]:{{
if isTdnf:
&& tdnf clean all{{ARGS["pkg-mgr-opts"]}}^
elif isDnf:
&& dnf clean all{{ARGS["pkg-mgr-opts"]}}^
elif !isApk:
&& rm -rf /var/lib/apt/lists/*}}
&& rm -rf /var/lib/apt/lists/*}}}}
29 changes: 29 additions & 0 deletions eng/dockerfile-templates/Dockerfile.linux.remove-pkgs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{{
_ ARGS:
pkgs: list of packages to remove
pkg-mgr (optional): package manager to use
pkg-mgr-opts (optional): additional options to pass to the package manager
noninteractive (optional): whether to use noninteractive mode
no-clean (optional): skip package manager cleanup after install ^

set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
set isDnf to ARGS["pkg-mgr"] = "dnf" ^
set isTdnf to ARGS["pkg-mgr"] = "tdnf" || (!isDnf && isMariner) ^
set isApk to ARGS["pkg-mgr"] = "apk" || isAlpine
}}{{
if isDnf:dnf remove -y{{ARGS["pkg-mgr-opts"]}} \^
elif isApk:apk del{{ARGS["pkg-mgr-opts"]}} \^
elif isTdnf:tdnf remove -y{{ARGS["pkg-mgr-opts"]}} \^
else:apt-get remove \
&&{{if ARGS["noninteractive"]: DEBIAN_FRONTEND=noninteractive}} apt-get remove -y {{ARGS["pkg-mgr-opts"]}} \}}{{
for index, pkg in ARGS["pkgs"]:
{{pkg}} \}}{{if !no-clean:{{
if isTdnf:
&& tdnf clean all{{ARGS["pkg-mgr-opts"]}}^
elif isDnf:
&& dnf autoremove{{ARGS["pkg-mgr-opts"]}} \
&& dnf clean all{{ARGS["pkg-mgr-opts"]}}^
elif !isApk:
&& apt-get autoremove \
&& rm -rf /var/lib/apt/lists/*}}}}
5 changes: 3 additions & 2 deletions eng/dockerfile-templates/monitor/Dockerfile.envs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,9 @@
_ .NET major version matches the major version of dotnet-monitor ^
set dotnetMajor to split(PRODUCT_VERSION, ".")[0]
}}ENV \
# Unset ASPNETCORE_URLS from aspnet base image
ASPNETCORE_URLS= \
{{if dotnetMajor != "6" && dotnetMajor != "7":# Unset ASPNETCORE_HTTP_PORTS from aspnet base image
ASPNETCORE_HTTP_PORTS= \^else:# Unset ASPNETCORE_URLS from aspnet base image
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jander-msft - I know you requested this. Can you explain the need for this?

Also, should the monitor Dockerfile be configured to run as non-root by default?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jander-msft - I know you requested this. Can you explain the need for this?

.NET Monitor already runs its HTTP server at ports 52323 and 52325 by default. Either setting ASPNETCORE_HTTP_PORTS would override that behavior (which we don't want by default) or it is not observed (which would be bad to insinuate that it has some effect when it does not); I think the former would be the case if the environment variable is specified. I will very later today that this is the case.

Also, should the monitor Dockerfile be configured to run as non-root by default?

That would be great if that could be added too. Although, if this change is only scoped to .NET 8+, then this work shouldn't be necessary because .NET Monitor is only offering distroless and chiseled images for .NET 8+, which should already be using the non-root user.

ASPNETCORE_URLS= \}}
# Disable debugger and profiler diagnostics to avoid diagnosing self.
COMPlus_EnableDiagnostics=0 \
# Default Filter
Expand Down
15 changes: 14 additions & 1 deletion eng/dockerfile-templates/runtime-deps/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,11 @@
set isRpmInstall to isMariner && dotnetVersion = "6.0" ^
set isSingleStage to !(isRpmInstall && isInternal) ^
set urlSuffix to when(isInternal, "$SAS_QUERY_STRING", "") ^
set rpmFilename to "dotnet-runtime-deps.rpm"
set rpmFilename to "dotnet-runtime-deps.rpm" ^
set utilPkgs to when(isMariner && dotnetVersion != "6.0" && dotnetVersion != "7.0", ["shadow-utils"], []) ^
set username to "app" ^
set uid to 101 ^
set gid to uid
}}{{
if !isSingleStage:# Installer image
}}FROM {{baseImageRepo}}:{{baseImageTag}}{{if !isSingleStage: AS installer}}{{ if isInternal && isRpmInstall:
Expand Down Expand Up @@ -52,5 +56,14 @@ RUN {{InsertTemplate("../Dockerfile.linux.install-deps")}}
"url-suffix": urlSuffix,
"filename": rpmFilename
])}}
}}{{if dotnetVersion != "6.0" && dotnetVersion != "7.0":
# Create a non-root user and group
RUN {{InsertTemplate("Dockerfile.linux.non-root-user",
[
"name": username,
"uid": uid,
"gid": gid,
"append-cmd": len(utilPkgs) > 0
])}}
}}
{{InsertTemplate("../Dockerfile.common-dotnet-envs")}}
6 changes: 2 additions & 4 deletions eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,17 +16,15 @@ FROM {{ARCH_VERSIONED}}/ubuntu:{{osVersionBase}} as builder
RUN apt-get update && \
apt-get install -y ca-certificates

RUN {{InsertTemplate("Dockerfile.linux.distroless-user",
[
RUN {{InsertTemplate("Dockerfile.linux.distroless-user", [
"staging-dir": "/rootfs",
"exclusive": "true",
"create-dir": "true",
"name": username,
"uid": uid,
"gid": gid,
"create-home": "true"
],
" ")}}
])}}

COPY --from=chisel /opt/chisel/chisel /usr/bin/
RUN chisel cut --release "ubuntu-{{osVersionNumber}}" --root /rootfs \
Expand Down
5 changes: 2 additions & 3 deletions eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,9 +40,8 @@ RUN {{InsertTemplate("Dockerfile.linux.distroless-user",
"name": username,
"uid": uid,
"gid": gid,
"create-home": createUserHome
],
" ")}}
"no-create-home": !createUserHome
])}}

# Clean up staging
RUN rm -rf {{distrolessStagingDir}}/etc/{{when(find(OS_VERSION, "1.0") >= 0, "dnf", "tdnf")}} \
Expand Down
44 changes: 20 additions & 24 deletions eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,28 +7,24 @@
name: Name of the user/group to create
uid: ID of the user to be created
gid: ID of the group to be created
create-home (optional): Indicates whether a home directory should be created for the user ^
no-create-home (optional): Indicates whether a home directory should be created for the user ^
set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0
}}groupadd \
--system \
--gid={{ARGS["gid"]}} \
{{ARGS["name"]}} \
&& adduser \
--uid {{ARGS["uid"]}} \
--gid {{ARGS["gid"]}} \
--shell /bin/false \{{if !ARGS["create-home"]:
--no-create-home \}}
--system \
{{ARGS["name"]}} \{{
if ARGS["create-home"]:
&& install -d -m 0755 -o {{ARGS["uid"]}} -g {{ARGS["gid"]}} "{{ARGS["staging-dir"]}}/home/{{ARGS["name"]}}" \}}{{
if ARGS["exclusive"]:{{if ARGS["create-dir"]:
&& mkdir -p "{{ARGS["staging-dir"]}}/etc" \}}
&& rootOrAppRegex='@^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/group"^
else:
# Copy user/group info to staging
&& cp /etc/passwd {{ARGS["staging-dir"]}}/etc/passwd \
&& cp /etc/group {{ARGS["staging-dir"]}}/etc/group}}
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
set isAlpine to find(OS_VERSION, "alpine") >= 0
}}{{InsertTemplate("Dockerfile.linux.non-root-user",
[
"name": ARGS["name"],
"uid": ARGS["uid"],
"gid": ARGS["gid"],
"no-create-home": ARGS["no-create-home"]
])}} \{{if !ARGS["no-create-home"]:
&& install -d -m 0755 -o {{ARGS["uid"]}} -g {{ARGS["gid"]}} "{{ARGS["staging-dir"]}}/home/{{ARGS["name"]}}" \}}{{
if ARGS["exclusive"]:{{if ARGS["create-dir"]:
&& mkdir -p "{{ARGS["staging-dir"]}}/etc" \}}
&& rootOrAppRegex='@^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/group"^
else:
# Copy user/group info to staging
&& cp /etc/passwd {{ARGS["staging-dir"]}}/etc/passwd \
&& cp /etc/group {{ARGS["staging-dir"]}}/etc/group}}
32 changes: 32 additions & 0 deletions eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
{{
_ Configures a non-root user
_ ARGS:
name: Name of the user/group to create
uid: ID of the user to be created
gid: ID of the group to be created
no-create-home (optional): Indicates whether a home directory should be created for the user ^
set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
set isDistrolessMariner to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+-distroless$")) ^
set utilPkgs to when(isMariner && !isDistrolessMariner && dotnetVersion != "6.0" && dotnetVersion != "7.0", ["shadow-utils"], [])
}}{{if len(utilPkgs) > 0:{{InsertTemplate("../Dockerfile.linux.install-pkgs", [
"pkgs": utilPkgs,
"no-clean": "true"
])}}
&& }}{{if isAlpine:addgroup^else:groupadd}} \
--system \
--gid={{ARGS["gid"]}} \
{{ARGS["name"]}} \
&& {{if isDebian:useradd^else:adduser}} \
--uid {{ARGS["uid"]}} \
{{if isAlpine:--ingroup={{ARGS["name"]}}^else:--gid {{ARGS["gid"]}}}} \
--shell /bin/false \{{if ARGS["no-create-home"]:
--no-create-home \^elif dotnetVersion != "6.0" && dotnetVersion != "7.0" && (isMariner || isDebian):
--create-home \}}
--system \
{{ARGS["name"]}}{{if len(utilPkgs) > 0: \
&& {{InsertTemplate("../Dockerfile.linux.remove-pkgs", [
"pkgs": utilPkgs
], " ")}}}}
4 changes: 2 additions & 2 deletions eng/dockerfile-templates/sdk/Dockerfile.envs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@
set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
set isWindows to find(OS_VERSION, "nanoserver") >= 0 || find(OS_VERSION, "windowsservercore") >= 0 ^
set lineContinuation to when(isWindows, "`", "\")
}}ENV {{lineContinuation}}
}}ENV {{lineContinuation}}{{if dotnetVersion = "6.0" || dotnetVersion = "7.0":
# Unset ASPNETCORE_URLS from aspnet base image
ASPNETCORE_URLS= {{lineContinuation}}
ASPNETCORE_URLS= {{lineContinuation}}}}
# Do not generate certificate
DOTNET_GENERATE_ASPNET_CERTIFICATE=false {{lineContinuation}}
# Do not show first run text
Expand Down
1 change: 0 additions & 1 deletion eng/dockerfile-templates/sdk/Dockerfile.linux.first-run
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{{
_ ARGS
append-cmd: Indicates whether to append the command to an existing command

}}# Trigger first run experience by running arbitrary cmd
{{if ARGS["append-cmd"]:&&^else:RUN}} dotnet help
Loading