
Add ENV variable for app user ID (#4508)
lbussell authored Mar 27, 2023
1 parent 0666415 commit 5c63e8d
Showing 27 changed files with 90 additions and 12 deletions.
6 changes: 5 additions & 1 deletion eng/dockerfile-templates/Dockerfile.common-dotnet-envs
@@ -1,12 +1,16 @@
{{
_ ARGS:
uid (optional): ID of the non-root user ^
set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
set isWindows to find(OS_VERSION, "nanoserver") >= 0 || find(OS_VERSION, "windowsservercore") >= 0 ^
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^
set lineContinuation to when(isWindows, "`", "\") ^
set port to when(isDistroless || (dotnetVersion != "6.0" && dotnetVersion != "7.0"), "8080", "80")
}}ENV {{lineContinuation}}
}}ENV {{lineContinuation}}{{if (!isWindows && dotnetVersion != "6.0" && dotnetVersion != "7.0") || (isDistroless && !isMariner):
# UID of the non-root user 'app'
APP_UID={{ARGS["uid"]}} {{lineContinuation}}}}
# Configure web servers to bind to port {{port}} when present
{{if dotnetVersion = "6.0" || dotnetVersion = "7.0":ASPNETCORE_URLS=http://+:{{port}}^else:ASPNETCORE_HTTP_PORTS={{port}}}} {{lineContinuation}}
{{InsertTemplate("Dockerfile.env.container")}}{{if isAlpine || (isDistroless && !(isMariner && find(OS_VERSION, "1.0") > 0)): {{lineContinuation}}
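Review bot: `uid` is declared optional in the ARGS header, but the new `APP_UID={{ARGS["uid"]}}` has no fallback, so a caller that omits it while the `{{if ...}}` condition holds either fails at generation time or emits `APP_UID= \` — and the chiseled Dockerfiles then execute `USER $APP_UID` with an empty value; which of the two happens depends on how a missing ARGS key resolves, which this file does not show. Make the contract explicit: change the header to `uid (required unless Windows or 6.0/7.0 non-distroless): ID of the non-root user ^`, or guard the emission so an empty UID can never reach a `USER` instruction. The condition also excludes Mariner distroless on 6.0/7.0 while including every other distroless variant; a one-line comment on that `{{if` recording why would spare the next reader from reverse-engineering it from the test data. The ENV block continues past the end of the hunk.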
4 changes: 3 additions & 1 deletion eng/dockerfile-templates/runtime-deps/Dockerfile
Expand Up @@ -66,4 +66,6 @@ RUN {{InsertTemplate("Dockerfile.linux.non-root-user",
"append-cmd": len(utilPkgs) > 0
])}}
}}
{{InsertTemplate("../Dockerfile.common-dotnet-envs")}}
{{InsertTemplate("../Dockerfile.common-dotnet-envs", [
"uid": uid
])}}
Expand Up @@ -45,6 +45,8 @@ COPY --from=builder /rootfs /
# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=builder --chown={{uid}}:{{gid}} /rootfs/home/{{username}} /home/{{username}}

{{InsertTemplate("../Dockerfile.common-dotnet-envs")}}
{{InsertTemplate("../Dockerfile.common-dotnet-envs", [
"uid": uid
])}}

USER app
USER $APP_UID
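Review bot: `USER $APP_UID` replaces a named user with a bare numeric UID and no group; Docker resolves the primary group from the image's `/etc/passwd`, and when no entry exists the process runs with gid 0 (the root group). Here the entry is presumably carried in by `COPY --from=builder /rootfs /` above, but that dependency is now load-bearing and deserves a comment, e.g. `# numeric UID so runtime policies can verify a non-root user; primary group resolves from /etc/passwd copied from the builder`. If the rootfs ever stops shipping `/etc/passwd`, pin the group explicitly (`USER $APP_UID:{{gid}}`, reusing the gid already passed to `--chown`). The stage these lines belong to starts outside the hunk.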
Expand Up @@ -65,6 +65,8 @@ COPY --from=installer {{distrolessStagingDir}}/ /{{if createUserHome:
# Workaround for https://github.com/moby/moby/issues/38710
COPY --from=installer --chown={{uid}}:{{gid}} {{distrolessStagingDir}}/home/{{username}} /home/{{username}}}}

{{InsertTemplate("../Dockerfile.common-dotnet-envs")}}
{{InsertTemplate("../Dockerfile.common-dotnet-envs", [
"uid": uid
])}}

USER app
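Review bot: This Mariner distroless template keeps `USER app` by name while the sibling chiseled template switches to the numeric `USER $APP_UID`, and the shared env template only emits `APP_UID` for Mariner distroless on versions other than 6.0/7.0, so on those versions the `"uid": uid` passed here is never used. A named USER cannot be checked by admission controls that need a numeric UID (Kubernetes `runAsNonRoot` rejects an image whose USER is a name unless the pod spec supplies `runAsUser`), so if staying on the name is deliberate, record why in place, e.g. `# USER stays a name here rather than $APP_UID: <reason>`; otherwise align with the chiseled template where APP_UID is emitted. The enclosing stage begins outside the hunk.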
4 changes: 3 additions & 1 deletion src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile
Expand Up @@ -46,11 +46,13 @@ COPY --from=builder /rootfs /
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_URLS=http://+:8080 \
# Enable detection of running in a container
DOTNET_RUNNING_IN_CONTAINER=true \
# Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

USER app
USER $APP_UID
4 changes: 3 additions & 1 deletion src/runtime-deps/6.0/jammy-chiseled/arm32v7/Dockerfile
Expand Up @@ -46,11 +46,13 @@ COPY --from=builder /rootfs /
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_URLS=http://+:8080 \
# Enable detection of running in a container
DOTNET_RUNNING_IN_CONTAINER=true \
# Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

USER app
USER $APP_UID
4 changes: 3 additions & 1 deletion src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile
Expand Up @@ -46,11 +46,13 @@ COPY --from=builder /rootfs /
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_URLS=http://+:8080 \
# Enable detection of running in a container
DOTNET_RUNNING_IN_CONTAINER=true \
# Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

USER app
USER $APP_UID
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile
Expand Up @@ -23,6 +23,8 @@ RUN addgroup \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile
Expand Up @@ -23,6 +23,8 @@ RUN addgroup \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile
Expand Up @@ -23,6 +23,8 @@ RUN addgroup \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile
Expand Up @@ -27,6 +27,8 @@ RUN groupadd \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile
Expand Up @@ -27,6 +27,8 @@ RUN groupadd \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile
Expand Up @@ -27,6 +27,8 @@ RUN groupadd \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
Expand Up @@ -65,6 +65,8 @@ COPY --from=installer /staging/ /
COPY --from=installer --chown=64198:64198 /staging/home/app /home/app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
Expand Up @@ -65,6 +65,8 @@ COPY --from=installer /staging/ /
COPY --from=installer --chown=64198:64198 /staging/home/app /home/app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile
Expand Up @@ -31,6 +31,8 @@ RUN tdnf install -y \
&& tdnf clean all

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile
Expand Up @@ -31,6 +31,8 @@ RUN tdnf install -y \
&& tdnf clean all

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
4 changes: 3 additions & 1 deletion src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile
Expand Up @@ -46,11 +46,13 @@ COPY --from=builder /rootfs /
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
DOTNET_RUNNING_IN_CONTAINER=true \
# Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

USER app
USER $APP_UID
4 changes: 3 additions & 1 deletion src/runtime-deps/8.0/jammy-chiseled/arm32v7/Dockerfile
Expand Up @@ -46,11 +46,13 @@ COPY --from=builder /rootfs /
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
DOTNET_RUNNING_IN_CONTAINER=true \
# Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

USER app
USER $APP_UID
4 changes: 3 additions & 1 deletion src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile
Expand Up @@ -46,11 +46,13 @@ COPY --from=builder /rootfs /
COPY --from=builder --chown=64198:64198 /rootfs/home/app /home/app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
DOTNET_RUNNING_IN_CONTAINER=true \
# Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true

USER app
USER $APP_UID
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/jammy/amd64/Dockerfile
Expand Up @@ -26,6 +26,8 @@ RUN groupadd \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/jammy/arm32v7/Dockerfile
Expand Up @@ -26,6 +26,8 @@ RUN groupadd \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
2 changes: 2 additions & 0 deletions src/runtime-deps/8.0/jammy/arm64v8/Dockerfile
Expand Up @@ -26,6 +26,8 @@ RUN groupadd \
app

ENV \
# UID of the non-root user 'app'
APP_UID=64198 \
# Configure web servers to bind to port 8080 when present
ASPNETCORE_HTTP_PORTS=8080 \
# Enable detection of running in a container
Expand Up @@ -29,6 +29,11 @@ protected void VerifyCommonEnvironmentVariables(
List<EnvironmentVariableInfo> variables = new List<EnvironmentVariableInfo>();
variables.AddRange(GetCommonEnvironmentVariables());

if (!imageData.IsWindows && imageData.Version.Major != 6 && imageData.Version.Major != 7)
{
variables.Add(new EnvironmentVariableInfo("APP_UID", imageData.NonRootUID?.ToString()));
}

if (imageData.VersionFamily.Major <= 7)
{
variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", $"http://+:{imageData.DefaultPort}"));
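Review bot: The new guard `imageData.Version.Major != 6 && imageData.Version.Major != 7` skips APP_UID for every 6.0/7.0 image, yet the template emits it for non-Mariner distroless on those versions as well (the 6.0 jammy-chiseled Dockerfiles in this same commit now carry `APP_UID=64198`), so those images' variable is never verified. Mirror the template's condition: `if (!imageData.IsWindows && ((imageData.Version.Major != 6 && imageData.Version.Major != 7) || (imageData.IsDistroless && !imageData.OS.Contains("cbl-mariner"))))`. Whether the verifier also fails on variables that are present but unexpected is not visible here; if it does not, the mismatch is a silent coverage gap rather than a red test. The method continues outside the hunk.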
1 change: 1 addition & 0 deletions tests/Microsoft.DotNet.Docker.Tests/ImageData.cs
Expand Up @@ -23,6 +23,7 @@ public abstract class ImageData
public string OS { get; set; }
public bool IsDistroless => OS.Contains("distroless") || OS.Contains("chiseled");
public virtual int DefaultPort => IsDistroless ? 8080 : 80;
public virtual int? NonRootUID => IsWindows ? null : 64198;

private static readonly Lazy<JObject> s_imageInfoData;

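Review bot: `NonRootUID => IsWindows ? null : 64198` hard-codes a value that this commit also writes into every generated Dockerfile, with nothing tying the two together, so a future change to the user's UID in the templates would leave the tests asserting a stale number. Give it a name and say what it must agree with: `private const int DefaultNonRootUid = 64198; // must match the UID the runtime-deps Dockerfiles create the 'app' user with` and then `public virtual int? NonRootUID => IsWindows ? null : DefaultNonRootUid;`. A `<summary>` on the property stating that null means "the image defines no non-root user" would also make the Windows case self-explanatory. The class continues outside the hunk.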
17 changes: 17 additions & 0 deletions tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs
Expand Up @@ -55,6 +55,23 @@ public ImageVersion VersionFamily

public override int DefaultPort => (IsDistroless | Version.Major >= 8) ? 8080 : 80;

public override int? NonRootUID {
get {
if (OS == Tests.OS.Mariner10Distroless)
{
return 1000;
}
else if (OS == Tests.OS.Mariner20Distroless && (Version.Major == 6 || Version.Major == 7))
{
return 101;
}
else
{
return base.NonRootUID;
}
}
}

public string GetDockerfilePath(DotNetImageType imageType) =>
$"src/{GetVariantName(imageType)}/{Version}/{OSTag}/{GetArchLabel()}";

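Review bot: The new `NonRootUID` override is a three-way branch on `OS` and `Version` that reads more directly as a single conditional expression, and the `101` returned for Mariner 2.0 distroless on 6.0/7.0 has no consumer visible in this commit — the environment check excludes 6.0/7.0 and the default-user check expects `app` for Mariner — so it needs a comment stating what it documents or should be dropped. A `<summary>` noting that the Mariner-specific values override the base UID (presumably because those images create the user with different IDs — confirm against the Mariner Dockerfiles) would also help. The class continues outside the hunk.
```csharp
/// <summary>Numeric UID of the image's non-root user; Mariner distroless images use their own values.</summary>
public override int? NonRootUID =>
    OS == Tests.OS.Mariner10Distroless ? 1000
    : OS == Tests.OS.Mariner20Distroless && (Version.Major == 6 || Version.Major == 7) ? 101 // no visible consumer on 6.0/7.0 — confirm
    : base.NonRootUID;
```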
9 changes: 8 additions & 1 deletion tests/Microsoft.DotNet.Docker.Tests/ProductImageTests.cs
Expand Up @@ -103,7 +103,14 @@ protected void VerifyCommonDefaultUser(ProductImageData imageData)
string expectedUser;
if (imageData.IsDistroless && ImageType != DotNetImageType.SDK)
{
expectedUser = "app";
if (imageData.OS.Contains("cbl-mariner"))
{
expectedUser = "app";
}
else
{
expectedUser = imageData.NonRootUID.ToString();
}
}
// For Windows, only Nano Server defines a user, which seems wrong.
// I've logged https://dev.azure.com/microsoft/OS/_workitems/edit/40146885 for this.
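Review bot: `imageData.NonRootUID.ToString()` is called on an `int?`; when the value is null this yields an empty string instead of failing, so a mis-keyed OS would make the test compare the container's user against `""` rather than throw. Distroless images are never Windows, so null is not expected on this path, but the intent is clearer and the failure louder with `expectedUser = imageData.NonRootUID.Value.ToString();`. The `imageData.OS.Contains("cbl-mariner")` check also restates the template's `isMariner` test; an `IsMariner` property on `ImageData` beside `IsDistroless` would keep the two from drifting. The method continues outside the hunk.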

0 comments on commit 5c63e8d

Please sign in to comment.