Merge branch 'develop' into main

src/docker/Dockerfile-bookworm

@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0-preview-bookworm-slim as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-ENV USER root
+USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -188,17 +188,23 @@ RUN rm arch.sh
 ENV PYTHONDONTWRITEBYTECODE=
 ENV PIP_BREAK_SYSTEM_PACKAGES=
 
+# Configure startup
+COPY uid_entrypoint.sh /
+RUN chmod a=rx /uid_entrypoint.sh \
+    && chmod a+w /etc/passwd /etc/shadow
+ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
+
 # Configure local user
-RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && chown -R ${USER} /run/user/0 ${HOME} \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
-USER 0:0
-ENV XDG_RUNTIME_DIR=/run/user/0
+ENV USER app-user
+RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
+    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
 ENV TMPDIR=${HOME}/.local/tmp
-ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
+
 # Run as exec form, so that it can receive signals from Tini
+USER ${USER}
 CMD ["bash", "start.sh"]

src/docker/Dockerfile-bullseye

@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-ENV USER root
+USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -148,7 +148,6 @@ ENV TINI_VERSION ${TINI_VERSION}
 RUN curl -LsSf --retry 3 https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$(ARCH_X64=amd64 bash arch.sh) -o /tini \
     && chmod +x /tini \
     && /tini --version
-ENTRYPOINT ["/tini", "--"]
 
 # Install BuildKit, then verify installation
 ARG BUILDKIT_VERSION
@@ -184,17 +183,23 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
+# Configure startup
+COPY uid_entrypoint.sh /
+RUN chmod a=rx /uid_entrypoint.sh \
+    && chmod a+w /etc/passwd /etc/shadow
+ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
+
 # Configure local user
-RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && chown -R ${USER} /run/user/0 ${HOME} \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
-USER 0:0
-ENV XDG_RUNTIME_DIR=/run/user/0
+ENV USER app-user
+RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
+    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
 ENV TMPDIR=${HOME}/.local/tmp
-ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
+
 # Run as exec form, so that it can receive signals from Tini
+USER ${USER}
 CMD ["bash", "start.sh"]

src/docker/Dockerfile-focal

@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-focal as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-ENV USER root
+USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -185,17 +185,23 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
+# Configure startup
+COPY uid_entrypoint.sh /
+RUN chmod a=rx /uid_entrypoint.sh \
+    && chmod a+w /etc/passwd /etc/shadow
+ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
+
 # Configure local user
-RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && chown -R ${USER} /run/user/0 ${HOME} \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
-USER 0:0
-ENV XDG_RUNTIME_DIR=/run/user/0
+ENV USER app-user
+RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
+    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
 ENV TMPDIR=${HOME}/.local/tmp
-ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
+
 # Run as exec form, so that it can receive signals from Tini
+USER ${USER}
 CMD ["bash", "start.sh"]

src/docker/Dockerfile-jammy

@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-jammy as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-ENV USER root
+USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -193,17 +193,23 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
+# Configure startup
+COPY uid_entrypoint.sh /
+RUN chmod a=rx /uid_entrypoint.sh \
+    && chmod a+w /etc/passwd /etc/shadow
+ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
+
 # Configure local user
-RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && chown -R ${USER} /run/user/0 ${HOME} \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
-USER 0:0
-ENV XDG_RUNTIME_DIR=/run/user/0
+ENV USER app-user
+RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
+    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
 ENV TMPDIR=${HOME}/.local/tmp
-ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
+
 # Run as exec form, so that it can receive signals from Tini
+USER ${USER}
 CMD ["bash", "start.sh"]

src/docker/Dockerfile-ubi8

@@ -1,7 +1,7 @@
 FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as base
 
 # Configure local user
-ENV USER root
+USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -184,17 +184,23 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
+# Configure startup
+COPY uid_entrypoint.sh /
+RUN chmod a=rx /uid_entrypoint.sh \
+    && chmod a+w /etc/passwd /etc/shadow
+ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
+
 # Configure local user
-RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && chown -R ${USER} /run/user/0 ${HOME} \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
-USER 0:0
-ENV XDG_RUNTIME_DIR=/run/user/0
+ENV USER app-user
+RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
+    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
 ENV TMPDIR=${HOME}/.local/tmp
-ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
+
 # Run as exec form, so that it can receive signals from Tini
+USER ${USER}
 CMD ["bash", "start.sh"]

src/docker/uid_entrypoint.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+if ! whoami &>/dev/null; then
+  # Create arbitrary user at run-time
+  echo "${USER}:x:$(id -u):0:::${HOME}:/sbin/nologin" >>/etc/passwd
+  # Allow to log without password
+  echo "${USER}:!:18000:0:99999:7:::" >>/etc/shadow
+  # Reset permissions for local user
+  sudo chmod a-w /etc/passwd /etc/shadow
+
+  # Local config for BuildKit
+  export XDG_RUNTIME_DIR=/run/user/$(id -u)
+  export BUILDKIT_HOST=unix:///run/user/$(id -u)/buildkit/buildkitd.sock
+fi
+
+exec "$@"

src/helm/azure-pipelines-agent/templates/_helpers.tpl

@@ -82,14 +82,13 @@ Can be overriden by setting ".Values.securityContext".
 See: https://kubernetes.io/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers
 */}}
 {{- define "azure-pipelines-agent.defaultSecurityContext" -}}
-runAsNonRoot: false
+runAsNonRoot: true
 readOnlyRootFilesystem: false
 {{- if .Values.image.isWindows }}
 windowsOptions:
   runAsUserName: ContainerAdministrator
 {{- else }}
 allowPrivilegeEscalation: false
-runAsUser: 0
 capabilities:
   drop: ["ALL"]
 {{- end }}