[Breaking change]: New app user in Linux container images #35958
Description
The .NET container images have included a new non-root user named `app` in its Linux container images. This new user can be opted into to provide a number of security benefits as documented in "Secure your .NET cloud apps with rootless Linux Containers". The name of this user may conflict with an existing user defined by an application's Dockerfile.
Version
.NET 8 Preview 1
Previous behavior
Prior to .NET 8, the Linux container images did not include any additional users beyond what was included by default in the base Linux container image (e.g. Debian, Alpine, Ubuntu).
New behavior
Starting in .NET 8, Linux container images now define a user named `app` that can be opted into for additional security benefits. However, the name of this user may conflict with an existing user that was defined by the application's Dockerfile. If the application's Dockerfile attempts to create a user with the same name, an error may occur saying that the user already exists.
Type of breaking change
Reason for change
This user was introduced to provide .NET users a great usability experience when wanting to better secure their containers. This is documented in depth at "Secure your .NET cloud apps with rootless Linux Containers".
Recommended action
If the application's Dockerfile attempts to create a new user with the same name as the existing `app` user, there are two options:
`app` user instead.
Feature area
Deployment
Affected APIs
No response
Associated WorkItem - 118219
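As an added example (not part of the issue and not .NET tooling), the following POSIX shell and awk check scans a Dockerfile for `useradd`/`adduser` steps that would collide with the `app` user described above, so the conflict is caught before the image build fails. The function names, the sample Dockerfile and the "last word is the login name" heuristic are assumptions of this example.

```shell
# Added example: flag Dockerfile RUN steps that create a user named "app".
# Heuristic (assumption): the last word of a useradd/adduser command is the
# login name. Exec-form RUN ["..."] instructions are not parsed.
find_app_user_conflicts() {
    awk '
    function check(instr, lineno,    n, i, j, m, parts, words, name, login, p) {
        if (instr !~ /^[ \t]*[Rr][Uu][Nn][ \t]/) return
        sub(/^[ \t]*[Rr][Uu][Nn][ \t]+/, "", instr)
        gsub(/[;&|]+/, "\n", instr)            # split the shell command list
        n = split(instr, parts, "\n")
        for (i = 1; i <= n; i++) {
            m = split(parts[i], words)         # default split trims whitespace
            for (j = 1; j <= m; j++) {
                name = words[j]
                sub(/^.*\//, "", name)         # /usr/sbin/useradd -> useradd
                if (name == "useradd" || name == "adduser") break
            }
            if (j >= m) continue               # no command, or no login argument
            login = words[m]
            gsub(/"/, "", login)
            if (login == "app") {
                p = parts[i]
                sub(/^[ \t]+/, "", p); sub(/[ \t]+$/, "", p)
                print lineno ": " p
            }
        }
    }
    {   # join backslash-continued lines into one logical instruction
        if (buf == "") start = NR
        if (sub(/\\[ \t]*$/, " ")) { buf = buf $0; next }
        check(buf $0, start)
        buf = ""
    }
    END { if (buf != "") check(buf, start) }
    ' "$@"
}
# Constructed sample Dockerfile (not from the issue).
sample_dockerfile() {
    cat <<'EOF'
FROM mcr.microsoft.com/dotnet/aspnet:8.0
RUN groupadd -r web && \
    useradd -r -g web app
RUN adduser --disabled-password --gecos "" svc
RUN /usr/sbin/useradd --create-home app
USER app
EOF
}
sample_dockerfile | find_app_user_conflicts
```

Pass one or more Dockerfile paths as arguments, or pipe a Dockerfile on stdin; any output line is `LINE: command` for a step that creates `app`.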