HOME is set to / instead of /home/app in .NET 8.0 preview 6 image

[wazzamatazz]

Describe the Bug

First of all: I'm definitely a bit of a Docker novice, so please forgive me if I've misunderstood something here!

I've been experimenting with Docker on Linux on my Rasperry Pi and I've started seeing an issue since I updated an ASP.NET Core app to use mcr.microsoft.com/dotnet/aspnet:8.0.0-preview.6 as my base image (I'm targeting .NET 8.0 using the SDK container builds with preview 6 of the SDK).

Prior to the update, the app was using a file system-based store for ASP.NET Core data protection keys, but I'm now seeing that the logs have started specifying that the app is falling back to an ephemeral store instead of using the file system:

Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[59]
Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.

I saw in the recent issues for this repository that the UID for the app user has changed and is now 1654 instead of the previous value of 64198 (#4693) so initially I thought that the problem was that the volume I had mapped to /home/app/.aspnet/DataProtection-Keys had the wrong permissions on it since it was configured to be owned by 64198 but the issue persists even after deleting and recreating the volume and then using chown to make 1654 the owner instead.

I can see from here that the ephemeral store is used if XmlKeyManager determines that the user profile is unavailable; it is considered to be unavailable if an exception is thrown when it calls DirectoryInfo.Create to ensure that the folder for storing the data protection keys in exists.

If I run sh on the container, I can see the the /home/app/.aspnet/DataProtection-Keys folder exists, but if I run echo ${HOME} the result is / instead of the expected /home/app. Additionally, I can see that echo ${APP_UID} returns 1654 as expected, but if I run the id command the output is uid=64198 gid=0(root) groups=0(root) i.e. it appears that the old UID is being used instead of the new one.

Based on the fact that HOME points at /, my best guess would be that the ASP.NET Core data protector is trying to ensure that the /.aspnet/DataProtection-Keys folder exists, an exception is being thrown, and the XmlKeyManager is falling back to using an ephemeral key store as a result.

Output of docker version

Client: Docker Engine - Community
 Version:           23.0.1
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        a5ee5b1
 Built:             Thu Feb  9 19:46:41 2023
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.1
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       bc3805a
  Built:            Thu Feb  9 19:46:41 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.16
  GitCommit:        31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.16.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 12
  Running: 9
  Paused: 0
  Stopped: 3
 Images: 99
 Server Version: 23.0.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc version: v1.1.4-0-g5fd4c4d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.84-v8+
 Operating System: Debian GNU/Linux 11 (bullseye)
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 7.629GiB
 Name: vadelma
 ID: 6OLR:KODJ:JEPO:J5CU:YFH7:PGNV:ODO6:L5OO:R7UU:YZWE:U6ZU:EG26
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No memory limit support
WARNING: No swap limit support

[lbussell]

It sounds like you might be running your docker container as the user 64198 with the argument -u 64198. If that's the case, I recommend you use -u app and $APP_UID everywhere so that you don't have to know the UID when you run the container.

What should happen:

$ docker run --rm -u app mcr.microsoft.com/dotnet/aspnet:8.0.0-preview.6 /bin/sh -c 'echo HOME:$HOME APP_UID:$APP_UID\\nid: $(id)'
HOME:/home/app APP_UID:1654
id: uid=1654(app) gid=1654(app) groups=1654(app)

What might be happening in your case:

$ docker run --rm -u 64198 mcr.microsoft.com/dotnet/aspnet:8.0.0-preview.6 /bin/sh -c 'echo HOME:$HOME APP_UID:$APP_UID\\nid: $(id)'
HOME:/ APP_UID:1654
id: uid=64198 gid=0(root) groups=0(root)

[wazzamatazz]

Thanks for your reply.

I'm not doing anything that explicitly sets the user anywhere but the container previously ran as app without me having to do anything. I am using the built-in DefaultContainer profile in the .NET SDK to build the image rather than defining my own Dockerfile and I'm beginning to think that's actually where the issue is - maybe containers built using earlier versions of the .NET 8 SDK ran using app but that now has an opt-in flag somewhere instead?

One thing that I am definitely finding confusing here is that fact that UID 64198 is still being mentioned in the output of the id command when my understanding was that the UID should now be 1654 everywhere?

[wazzamatazz]

I've created an issue for this in the dotnet/sdk-container-builds repository - it looks like some things on the SDK side are still hard-coded to use the old UID which is what was causing my problem.

I'm happy for you to close this issue if you want.

[richlander]

@baronfel @rainersigwald

[baronfel]

Hoping to get dotnet/sdk#34128 into the preview7 release to unblock quickly, and we'll aim to have proper data-driven determination of the user based on environment variable values before .NET 8 GAs.

Workaround for now is to set your own value here for <ContainerUser> to the corrected value, I believe.

[baronfel]

This made it into preview7, so folks should be unblocked once that releases.

[mthalman]

Closing as this is covered by the container-build issue: dotnet/sdk-container-builds#479