Until Alpine 3.19, a Dockerfile based on Alpine with .NET 6 used to have a line, which created group and user "app", with limited rights, like this:
RUN addgroup -S app && adduser -S app -G app
The Dockerfile would end with:
USER app
ENTRYPOINT ["./entrypoint.sh"]
With Alpine 3.20 and NET 8,
FROM mcr.microsoft.com/dotnet/aspnet:8.0.8-alpine3.20
(similar for SDK)
the build complained, that group/user "app" already exists. Omitting the line made the image build work again.
While this looks nice, I can't find it documented anywhere. I'm not so very familiar with Docker and Alpine linux, so where did I miss the documentation?
This is a behavioral change introduced with .NET 8 - see the New non-root 'app' user in Linux images:
Starting in .NET 8, Linux container images define a user named
app
that can be opted-into for additional security benefits. However, the name of this user may conflict with an existing user that was defined by the application's Dockerfile. If the application's Dockerfile attempts to create a user with the same name, an error might occur saying that the user already exists.
group though is not mentioned in the docs.
But you can check the source code. For example for alpine3.20/amd64 /Dockerfile
:
# Create a non-root user and group
RUN addgroup \
--gid=$APP_UID \
app \
&& adduser \
--uid=$APP_UID \
--ingroup=app \
--disabled-password \
app
Which uses the "same settings" for group and user.