docker: the docker image started including ubuntu user/group

Bug #2064537 reported by Marcin Dulak
Affects: cloud-images
Status: Won't Fix
Importance: Undecided
Assigned to: Cristovao Cordeiro

Bug Description

Reported also at https://bugs.launchpad.net/ubuntu-docker-images/+bug/2064536

The issue is about the `docker run --rm -it --name ubuntu ubuntu:latest` image.
I don't know when the problem started, I was only able to get the image sha that does not include the ubuntu user/group, and the latest image that does include them.

Note that this is a breaking change. It will cause problems for people who until now used to create a user/group with the default IDs 1000 when building custom images based on ubuntu.

1. Old image working as expected: no ubuntu user/group is present

docker run --rm -it --name ubuntu ubuntu@sha256:77906da86b60585ce12215807090eb327e7386c8fafb5402369e421f44eff17e bash -c "grep 1000 /etc/passwd /etc/group || echo no 1000 user/group"
# Output
# no 1000 user/group

docker run --rm -it --name ubuntu ubuntu@sha256:77906da86b60585ce12215807090eb327e7386c8fafb5402369e421f44eff17e bash -c "cat /etc/cloud/build.info"
# Output
# serial: 20240227

2. New image not working as expected: ubuntu user/group is present

docker run --rm -it --name ubuntu ubuntu@sha256:562456a05a0dbd62a671c1854868862a4687bf979a96d48ae8e766642cd911e8 bash -c "grep 1000 /etc/passwd /etc/group || echo no 1000 user/group"
# Output
# /etc/passwd:ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
# /etc/group:ubuntu:x:1000:

docker run --rm -it --name ubuntu ubuntu@sha256:562456a05a0dbd62a671c1854868862a4687bf979a96d48ae8e766642cd911e8 bash -c "cat /etc/cloud/build.info"
# Output
# build_name: ubuntu-oci:minimized
# serial: 20240423

description: updated
Cristovao Cordeiro (cjdc) wrote:

Hi Marcin!

This is indeed the behaviour since 23.04.

A more detailed explanation of the change is described in another thread, here: https://bugs.launchpad.net/cloud-images/+bug/2005129/comments/2

The change has only been applied to >=23.04 precisely to avoid breaking existing use cases. Please note that the "latest" tag is a moving target, so you should expect it to always point to the latest Ubuntu release, which may carry significant changes (whether that's different package versions, image metadata or system configurations).

Like https://bugs.launchpad.net/cloud-images/+bug/2005129, I'll be marking this as a "Won't fix" since the rationale for the change and its value are explained in https://bugs.launchpad.net/cloud-images/+bug/2005129/comments/2.

The thread will remain open for discussions if you need extra clarifications though.

Changed in cloud-images:
assignee: nobody → Cristovao Cordeiro (cjdc)
status: New → Won't Fix
Marcin Dulak (marcin-dulak) wrote:

> The change has only been applied to >=23.04 precisely to avoid breaking existing use cases.

Would you be able to point me to any written discussion before the decision of adding the user/group was made, I mean other than post explanations that it has been applied? I would like to see what considerations were used.

Cristovao Cordeiro (cjdc) wrote:

Sure. I'm afraid the references we have are all internal, but I'll capture the main motivation and rationale here:
 - in order to improve security, there's a general move to make containers run with a nonroot user. Although the Ubuntu container runs as root, it is mostly used as a base for building production images, and thus we wanted to provide an off-the-shelf and well-defined nonroot user that developers can piggyback on
 - this is already practice in other environments. E.g. in cloud images, the ubuntu user is created by the cloud-init scripts. In OCI, this is not a thing. But we want to have that user anyway, with the same properties (i.e. UID, group, GID, etc.), such that the experience is uniform
 - we didn't want to create a disruption for existing usages, so we decided to introduce this user only for newer ubuntu releases, and starting with an interim one - 23.04 at the time
    - this decision accounted for users who could've been using UID 1000 at the time, and it is specifically the reason why we only did it from >=23.04
    - some users of the `latest` could still be affected but this was a compromise we were willing to take, as the `latest` tag is known to be subject to changes due to it being a moving target by nature

I hope this helps.
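The bug description and the rationale above both turn on the same practical problem: a custom image built on ubuntu:latest can no longer assume UID/GID 1000 is free, so a plain `useradd -u 1000` that worked on the serial 20240227 image fails on the serial 20240423 image. The following POSIX shell script is an added example, not part of this bug thread or of Canonical's image tooling. It shows how a build step can detect which situation it is in and react: create the account when the UID is free, leave it alone when the same account already exists, or rename the pre-existing ubuntu account (with `usermod -l` / `groupmod -n`) so the build keeps its UID 1000 contract without aborting. The two sample password databases, the `app` user name and the helper names (`uid_owner`, `plan_user`, `run_step`) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): make a custom-image build step
# tolerate a base image that may already ship an "ubuntu" account at
# UID/GID 1000 (ubuntu:latest since serial 20240423) or may not (serial
# 20240227).

# Constructed sample password databases standing in for /etc/passwd of the
# two image generations discussed in the bug.
PASSWD_OLD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
PASSWD_NEW='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash'

# uid_owner PASSWD UID: print the login name that owns UID, or nothing.
uid_owner() {
    printf '%s\n' "$1" | while IFS=: read -r name _pw uid _rest; do
        if [ "$uid" = "$2" ]; then
            printf '%s\n' "$name"
            break
        fi
    done
}

# plan_user PASSWD NAME UID: decide what a build step must do for NAME/UID.
#   create          UID is free; a plain useradd works
#   reuse           UID already belongs to NAME (idempotent rebuild)
#   conflict:OWNER  UID belongs to another account (e.g. ubuntu), so
#                   useradd -u would fail because the UID is not unique
plan_user() {
    owner=$(uid_owner "$1" "$3")
    if [ -z "$owner" ]; then
        echo create
    elif [ "$owner" = "$2" ]; then
        echo reuse
    else
        echo "conflict:$owner"
    fi
}

# run_step NAME UID GID: print a one-line shell command suitable for a
# Dockerfile RUN instruction. If the UID is already taken in the base
# image, the existing account and its group are renamed and its home moved
# (usermod -l/-d/-m, groupmod -n) instead of failing the build; otherwise
# the group and user are created normally.
run_step() {
    name=$1 uid=$2 gid=$3
    cat <<EOF
if existing=\$(getent passwd $uid | cut -d: -f1) && [ -n "\$existing" ]; then usermod -l $name -d /home/$name -m "\$existing" && groupmod -n $name "\$(getent group $gid | cut -d: -f1)"; else groupadd -g $gid $name && useradd -m -u $uid -g $gid -s /bin/bash $name; fi
EOF
}

# Demonstrate the decision on both sample databases.
echo "old image (20240227): $(plan_user "$PASSWD_OLD" app 1000)"
echo "new image (20240423): $(plan_user "$PASSWD_NEW" app 1000)"
echo "new image, keeping ubuntu: $(plan_user "$PASSWD_NEW" ubuntu 1000)"
echo "RUN $(run_step app 1000 1000)"
```

Running the script prints `create` for the old image and `conflict:ubuntu` for the new one, and the emitted RUN line works on either generation because it queries `getent` inside the build instead of hard-coding what the base image contains. If the build only needs a nonroot account and does not care about its name, the shorter route on the new image is to reuse the shipped account with `USER ubuntu`.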
