New non-root 'app' user in Linux images

The .NET Linux container images include a new non-root user named app. You can opt in to this new user to provide security benefits. The name of this user may conflict with an existing user defined by an application's Dockerfile.

Previous behavior

Prior to .NET 8, the Linux container images did not include any additional users beyond what was included by default in the base Linux container image (for example, Debian, Alpine, and Ubuntu).

New behavior

Starting in .NET 8, Linux container images define a user named app that you can opt into for additional security benefits. However, the name of this user may conflict with an existing user that was defined by the application's Dockerfile. If the application's Dockerfile attempts to create a user with the same name, an error might occur saying that the user already exists.

Version introduced

.NET 8 Preview 1

Type of change

This change is a behavioral change.

Reason for change

The new user was introduced to improve usability for securing containers.

Recommended action

If your application's Dockerfile attempts to create a new user with the same name as the existing app user, there are two options:

  • Update the Dockerfile to change the name of the user so that it no longer conflicts.
  • Remove the user creation logic and migrate to use the built-in app user instead.
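
The two options side by side, as an added example that is not part of the original page. The user name appuser, the file MyApp.dll, and the ./publish directory are assumptions, and the Debian-based aspnet:8.0 tag is used for illustration.

```dockerfile
# Before (shown commented out): this pattern worked on images prior to .NET 8.
# On .NET 8 images the RUN step fails because a user named 'app' already exists.
#
#   FROM mcr.microsoft.com/dotnet/aspnet:8.0
#   RUN useradd --system --no-create-home app
#   USER app

# Option 1: keep creating your own user, under a name that does not conflict.
# 'appuser' is a hypothetical name; any name other than 'app' avoids the clash.
# useradd is available on Debian/Ubuntu-based tags; Alpine tags use adduser.
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS renamed
RUN useradd --system --no-create-home appuser
WORKDIR /app
# Files copied here stay owned by root, so the non-root process
# can read and execute them but cannot modify its own binaries.
COPY ./publish .
USER appuser
ENTRYPOINT ["dotnet", "MyApp.dll"]

# Option 2: drop the user creation logic and opt in to the built-in 'app' user.
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS builtin
WORKDIR /app
COPY ./publish .
USER app
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

Build one variant with `docker build --target renamed .` or `docker build --target builtin .`; running `id` inside the resulting container shows which user the process runs as.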

Affected APIs

None.
