diff --git a/e2e/rust/tests/custom_image.rs b/e2e/rust/tests/custom_image.rs
index 14fc3f47a..f4b682d3d 100644
--- a/e2e/rust/tests/custom_image.rs
+++ b/e2e/rust/tests/custom_image.rs
@@ -22,8 +22,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends iproute2 \
     && rm -rf /var/lib/apt/lists/*
 
 # Create the sandbox user/group so the supervisor can switch to it.
-RUN groupadd -g 1000 sandbox && \
-    useradd -m -u 1000 -g sandbox sandbox
+# Use a high UID range to avoid conflicts with host users when running without
+# user namespace remapping (UID in container = UID on host).
+RUN groupadd -g 1000660000 sandbox && \
+    useradd -m -u 1000660000 -g sandbox sandbox
 
 # Write a marker file so we can verify this is our custom image.
 RUN echo "custom-image-e2e-marker" > /opt/marker.txt
diff --git a/examples/bring-your-own-container/Dockerfile b/examples/bring-your-own-container/Dockerfile
index 296a22f20..4e8879253 100644
--- a/examples/bring-your-own-container/Dockerfile
+++ b/examples/bring-your-own-container/Dockerfile
@@ -14,9 +14,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     curl iproute2 iptables \
     && rm -rf /var/lib/apt/lists/*
 
-# Create the sandbox user (uid/gid 1000) for non-root execution.
-RUN groupadd -g 1000 sandbox && \
-    useradd -m -u 1000 -g sandbox sandbox
+# Create the sandbox user for non-root execution.
+# Use a high UID range to avoid conflicts with host users when running without
+# user namespace remapping (UID in container = UID on host).
+RUN groupadd -g 1000660000 sandbox && \
+    useradd -m -u 1000660000 -g sandbox sandbox
 
 WORKDIR /sandbox
 COPY app.py .
diff --git a/examples/bring-your-own-container/README.md b/examples/bring-your-own-container/README.md
index 9322938ea..0631ded19 100644
--- a/examples/bring-your-own-container/README.md
+++ b/examples/bring-your-own-container/README.md
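Review bot: The new `useradd -m -u 1000660000 -g sandbox sandbox` line creates a user with a ~1e9 UID without `--no-log-init`, and on Debian-style bases useradd's default lastlog/faillog initialisation sizes those files in proportion to the UID, so this yields sparse files on the order of hundreds of gigabytes; layer tooling that does not preserve sparseness can exhaust disk or fail the build, which is why Docker's Dockerfile guidance recommends `--no-log-init` for large UIDs. The line should read `useradd --no-log-init -m -u 1000660000 -g sandbox sandbox`, and the identical line in the examples/bring-your-own-container/Dockerfile hunk needs the same change. The new comment would also benefit from naming the other side of the trade-off, e.g. `# With user namespace remapping enabled, this UID must fall inside the mapped subuid/subgid range or it is unmapped in the container and switching to it will likely fail.` This RUN instruction sits inside a string literal whose enclosing Rust test starts and ends outside the hunk.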
@@ -59,7 +59,9 @@ key requirements are:
 - **Pass your start command explicitly** — use `-- ` on the CLI. The image's `CMD` / `ENTRYPOINT` is replaced by the sandbox supervisor at runtime.
-- **Create a `sandbox` user** (uid/gid 1000) for non-root execution.
+- **Create a `sandbox` user** (uid/gid 1000660000) for non-root execution.
+  Use a high UID (1000000000+) to avoid conflicts with host users when running
+  without user namespace remapping.
 - **Install `iproute2`** for full network namespace isolation.
 - **Use a standard Linux base image** — distroless and `FROM scratch` images are not supported.