.NET 8 isolated process run Docker image as non-root user #10164
Comments
@CooperLink - can you take a look at this issue?
At this time Linux Dedicated images run in Root. As mentioned in known workarounds, running in Non-root mode can be achieved by assigning permissions to the home and azure-functions-host directories. Prior to dotnet8, the user APP was not in-built to dotnet docker images. To match existing docker images this will not be updated. Customers that would like to run in user APP in Azure Functions on Linux Dedicated can use custom images with the proposed workarounds or they can migrate to Linux Consumption or the upcoming FlexConsumption sku where images are run in APP by default.
Thanks @CooperLink. Is it safe to close this issue as by design?
Investigative information
Please provide the following:
Context
We updated our function apps to .NET 8 isolated process, then we created Docker images running as root user.
In the Azure Portal everything works as long as the function is run by Docker as root user.
Following best practices, we wanted to run the Docker container as a non-root user - in-built within the .NET 8 base image.
Repro steps
Expected behavior
Azure Function is running correctly.
No additional permissions should be required for the in-built user, or at least it should be achieved in a secure way.
Actual behavior
There are runtime exceptions
And here are logs from Azure Portal
Known workarounds
Set additional permissions to in-built user
RUN chown -R $APP_UID:$APP_UID /azure-functions-host && chown -R $APP_UID:$APP_UID /home && chmod g+s /home
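A preflight check for the workaround above, as an added example that is not part of the original issue or the Azure Functions project: it verifies that the process is not root, that both directories are fully owned by the expected UID, and that the home directory has the setgid bit. The function names and the RUN_PREFLIGHT switch are hypothetical; the two paths and APP_UID come from the issue.

```shell
#!/bin/sh
# Added example: preflight check for the non-root workaround in this issue.
# Function names are hypothetical; the two paths and APP_UID come from the issue.

# Succeeds only if DIR exists and every entry under it is owned by numeric UID,
# which is the state `chown -R UID:UID DIR` leaves behind.
owned_by_uid() {
    dir=$1; uid=$2
    [ -d "$dir" ] || return 2
    # find prints entries NOT owned by uid; its own errors (for example
    # unreadable subdirectories) are captured too, so they count as a failure.
    out=$(find "$dir" ! -user "$uid" -print 2>&1) || return 1
    [ -z "$out" ]
}

# Prints one line per failed check and returns the number of failures.
# Args: uid the process runs as, uid the image was prepared for, host dir, home dir.
check_nonroot_layout() {
    run_uid=$1; want_uid=$2; host_dir=$3; home_dir=$4
    fails=0
    if [ "$run_uid" -eq 0 ]; then
        echo "FAIL: process runs as uid 0 (root)"; fails=$((fails + 1))
    fi
    if [ "$run_uid" -ne "$want_uid" ]; then
        echo "FAIL: running as uid $run_uid, directories prepared for $want_uid"
        fails=$((fails + 1))
    fi
    for d in "$host_dir" "$home_dir"; do
        if ! owned_by_uid "$d" "$want_uid"; then
            echo "FAIL: $d is missing or not fully owned by uid $want_uid"
            fails=$((fails + 1))
        fi
    done
    if [ ! -g "$home_dir" ]; then
        echo "FAIL: $home_dir lacks the setgid bit (chmod g+s)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Run against the real paths only when asked, e.g. as a container start-up step:
#   RUN_PREFLIGHT=1 sh preflight.sh
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    check_nonroot_layout "$(id -u)" "${APP_UID:?APP_UID is not set}" \
        /azure-functions-host /home
fi
```

A non-zero exit status is the number of failed checks, so the script can gate container start-up or a CI image test.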