[Breaking change]: New app user in Linux container images #35958

@mthalman

Description

The .NET container images have included a new non-root user named app in their Linux container images. This new user can be opted into to provide a number of security benefits as documented in "Secure your .NET cloud apps with rootless Linux Containers". The name of this user may conflict with an existing user defined by an application's Dockerfile.

Version

.NET 8 Preview 1

Previous behavior

Prior to .NET 8, the Linux container images did not include any additional users beyond what was included by default in the base Linux container image (e.g. Debian, Alpine, Ubuntu).

New behavior

Starting in .NET 8, Linux container images now define a user named app that can be opted into for additional security benefits. However, the name of this user may conflict with an existing user that was defined by the application's Dockerfile. If the application's Dockerfile attempts to create a user with the same name, an error may occur saying that the user already exists.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code may require source changes to compile successfully.
  • Behavioral change: Existing binaries may behave differently at run time.

Reason for change

This user was introduced to provide .NET users a great usability experience when wanting to better secure their containers. This is documented in depth at "Secure your .NET cloud apps with rootless Linux Containers".

Recommended action

If the application's Dockerfile attempts to create a new user with the same name as the existing app user, there are two options:

  • Update the Dockerfile to change the name of the user so that it no longer conflicts.
  • Remove the user creation logic and migrate to use the built-in app user instead.

Feature area

Deployment

Affected APIs

No response


Associated WorkItem - 118219
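
The two options under "Recommended action", next to the conflicting form, as an added example that is not part of the original issue or the .NET image sources. The image tag (assumed Debian-based, so useradd is available), the user name svcuser, the ./publish directory and MyApp.dll are assumptions made for illustration.

```dockerfile
# Added illustration, not from the issue. Assumed names: the 8.0 image tag,
# "svcuser", ./publish and MyApp.dll.
# Build one stage at a time: docker build --target <stage-name> .

# Option 1: keep creating a dedicated user, under a name that does not
# collide with the built-in "app" user.
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS renamed-user
RUN useradd --create-home svcuser
WORKDIR /app
COPY ./publish .
USER svcuser
ENTRYPOINT ["dotnet", "MyApp.dll"]

# Option 2: remove the user creation logic and opt into the built-in user.
# The image already defines "app", so only the USER instruction is needed.
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS builtin-user
WORKDIR /app
COPY ./publish .
USER app
ENTRYPOINT ["dotnet", "MyApp.dll"]

# Conflicting form, kept last for comparison: this pattern built on images
# before .NET 8, but now the RUN step fails because "app" already exists.
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS conflicting
RUN useradd --create-home app
WORKDIR /app
COPY ./publish .
USER app
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

Running `docker run --rm --entrypoint id <image>` against either of the first two stages shows whether the container starts as a non-root user.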

Labels

  • 📌 seQUESTered: Identifies that an issue has been imported into Quest.
  • breaking-change: Indicates a .NET Core breaking change
