Closed JohnSchmeichel closed 3 months ago
As for a fix here, ideally the credential provider can be installed as `ContainerUser` without elevating, but there are a few unfortunate limitations here:

- `ContainerUser` doesn't have any access to delete the temp files it creates (hence the icacls workaround to resolve this, granting read/delete permissions).

The core problem imho is that these script-based install mechanisms leave a lot to be desired and run into these platform limitations both on capability and differences. Using a mechanism like the proposed https://github.com/NuGet/Home/issues/12567 would make all of these problems obsolete and allow the credential provider install to work cross-platform.

In the near term however, I'd propose the following changes to keep the spirit of the `ContainerUser` permission model (and the docker sample's goal of building within the container as a low-privileged account in a 2-phase build for isolation):
Able to do this in the sample itself with https://github.com/dotnet/dotnet-docker/pull/4828
This issue has had no activity in 90 days. Please comment if it is not actually stale.
not stale.
This issue has had no activity in 90 days. Please comment if it is not actually stale.
maybe stale?
This issue has had no activity in 90 days. Please comment if it is not actually stale.
Starting a new issue as a follow-up from https://github.com/microsoft/artifacts-credprovider/issues/446 where the Windows docker sample does not work. When following the sample the docker build may end up with the error

```
C:\app\dotnetapp.csproj : error NU1301: Unable to load the service index for source https://pkgs.dev.azure.com/<org>/<project>/_packaging/<feed>/nuget/v3/index.json.
```

For Windows Nano Server based images docker runs as `ContainerUser` by default, which is unable to install the credential provider as detailed in https://github.com/microsoft/artifacts-credprovider/issues/201. As a workaround the `ContainerAdministrator` user is used to install the credential provider; however, doing so installs into the C:\Users\ContainerAdministrator\.nuget directory, which is not visible when the build later runs as `ContainerUser`. Hence the NuGet failures trying to load the service index.

Workarounds

There are a few workarounds here until this can be fixed and the sample updated (note this issue only exists on Windows Nano Server containers as it runs as `ContainerUser` by default):

Option 1

Move the `USER ContainerUser` instruction after the `RUN dotnet ...` instructions. This runs the build as `ContainerAdministrator`, which will be able to see and use the installed credential provider. This may or may not be desirable.

Option 2

Use the following docker instructions to grant the additional permissions required to run the credential provider script as `ContainerUser`. This also may not be desirable.