Should the .NET installation be owned by root in distroless images?

[jander-msft]

Currently, the .NET installation is owned by the root user in the distroless images, but there is no root user established within the image. Is this correct or should those files be owned by the app user? I'm not necessarily stating that this is wrong, but drawing attention to it to make sure that it is deliberately decided whichever way it should be.

In your host's shell:

docker run --rm -d --name monitor mcr.microsoft.com/dotnet/monitor:8.0-preview-ubuntu-chiseled
docker run --rm -it --name runtime --entrypoint /bin/sh --pid container:monitor -u 1654 mcr.microsoft.com/dotnet/runtime:8.0-preview-jammy

The monitor container is the one that we will be inspecting the file ownership, whereas the runtime container is used to provide a shell and file system access to the monitor container since the monitor container is distroless and does not contain a shell nor other executables; this container is sharing the process namespace of the monitor container, which allows access to the process information via procfs.

In the shell for the runtime container, find PID for the dotnet-monitor process and inspect ownership of dotnet installation for the file system associated with that process:

ls -la /proc/$(pidof dotnet-monitor)/root/usr/share/dotnet
total 168
drwxr-xr-x 1 root root  4096 Aug  8 15:25 .
drwxr-xr-x 1 root root  4096 Aug  8 15:24 ..
-rw-rw-r-- 1 root root  1116 Jul 25 19:30 LICENSE.txt
-rw-rw-r-- 1 root root 78664 Jul 25 19:30 ThirdPartyNotices.txt
-rwxr-xr-x 1 root root 69512 Jul 25 19:32 dotnet
drwxrwxr-x 3 root root  4096 Jul 25 19:37 host
drwxr-xr-x 1 root root  4096 Aug  8 15:25 shared

Note that all of the files and directories are owned by the root user and root group. This is because the installation is copied without using the --chown flag: https://github.com/dotnet/dotnet-docker/blob/main/src/runtime/8.0/jammy-chiseled/amd64/Dockerfile#L25

However, you can see that the /home/app directory is owned by the app user, as expected.

ls -la /proc/$(pidof dotnet-monitor)/root/home
drwxr-xr-x 1 root root 4096 Aug  8 15:24 .
drwxr-xr-x 1 root root 4096 Aug  9 19:08 ..
drwxr-xr-x 1 app  app  4096 Aug  9 19:08 app

This is because the app directory is copied using the --chown flag: https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile#L63

[mthalman]

There should be a root user, see #4122. It is intentional that these dotnet/system files be owned by root. If you're seeing that a root user does not exist, please file an issue.