Description
When using the integrated container publishing feature in the .NET SDK 8 (via dotnet publish /t:PublishContainer) without a custom Dockerfile, the SDK creates a container image containing the published output files. However, these files and directories inside the image are owned by root:root and are not automatically chowned to a non-root user such as app.
This leads to the following issues:
If the base image or container runtime runs the container as a non-root user (e.g., app), the application cannot access its files, because they are owned by root and the non-root user lacks the required permissions.
The application may fail to start or fail to read configuration files like appsettings.json.
Users are forced to create custom Dockerfiles or custom base images to manually fix ownership, complicating the container publishing workflow.
Steps to Reproduce:
Create any .NET project.
Run container publish without a Dockerfile:
dotnet publish -c Release /t:PublishContainer -p:ContainerBaseImage=mcr.microsoft.com/dotnet/aspnet:8.0
Inspect the file ownership inside the created container image; files are owned by root:root.
Run the container as a non-root user (e.g., app) and observe permission errors when the application accesses its files.
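The ownership inspection in the steps above, written out as a small added script (not part of this issue or of the .NET SDK): it runs `ls -ln` inside an image and reports every entry under the app directory that is owned by uid 0. It assumes the docker CLI is available and that the published files live in /app; the listing embedded at the end is constructed so the parsing can be exercised without building an image.

```shell
#!/bin/sh
# Added example: report root-owned files inside a container image built by
# dotnet publish /t:PublishContainer. Assumptions: docker CLI on PATH and the
# app directory is /app (placeholder; adjust if the image uses another path).

# Read an `ls -ln` listing on stdin and print entries owned by uid 0 (root).
# One line per root-owned file, directory or symlink: "<uid>:<gid> <name>".
root_owned_entries() {
    awk '$1 ~ /^[-dl]/ && NF >= 9 && $3 == 0 { print $3 ":" $4 " " $9 }'
}

# Count root-owned entries in a listing passed as a single string argument.
count_root_owned() {
    printf '%s\n' "$1" | root_owned_entries | wc -l | tr -d ' '
}

# List /app inside the image with the image's own /bin/sh and filter it.
# A non-empty result means the published files would not be writable (or,
# with restrictive modes, readable) by a non-root user such as app.
check_image_ownership() {
    image="$1"
    docker run --rm --entrypoint /bin/sh "$image" -c 'ls -ln /app' \
        | root_owned_entries
}

# Constructed sample listing in `ls -ln` format. The first three entries show
# the ownership this issue describes (0:0); the last one shows a file already
# chowned to a non-root uid (1000 is an arbitrary sample value).
SAMPLE_LISTING='total 16
drwxr-xr-x 2 0 0 4096 Jan  1 00:00 wwwroot
-rw-r--r-- 1 0 0  512 Jan  1 00:00 appsettings.json
-rwxr-xr-x 1 0 0 8192 Jan  1 00:00 MyApp.dll
-rw-r--r-- 1 1000 1000 512 Jan  1 00:00 fixed.json'

# Usage: sh ownership_check.sh <image>; with no argument the sample is checked.
if [ "$#" -ge 1 ]; then
    check_image_ownership "$1"
else
    printf '%s\n' "$SAMPLE_LISTING" | root_owned_entries
fi
```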
Expected Behavior:
The .NET SDK should automatically chown files and directories inside the container image to a non-root user (e.g., app:app), or provide an option to configure the user and file ownership during publish.
Alternatively, clear documentation and guidance should be provided regarding file ownership and running containers as non-root users.
Actual Behavior:
Files and directories in the container image created by dotnet publish are owned by root:root.
No built-in option exists in the integrated container publish to configure file ownership or user.
Users must resort to custom Dockerfiles or base images to fix ownership issues.