From 906424e74a5b1f9c084565a07dda98afdffae04c Mon Sep 17 00:00:00 2001
From: Derek Carr
Date: Sat, 25 Apr 2026 12:56:05 -0400
Subject: [PATCH] fix(e2e): use high UID range to avoid host user conflicts

Change sandbox user UID from 1000 to 1000660000 in custom image examples and E2E tests. Using a high UID range (1000000000+) prevents conflicts with host users when running without user namespace remapping, where container UIDs map directly to host UIDs. This resolves fork failures caused by RLIMIT_NPROC enforcement when the host user already has many threads running.

Signed-off-by: Derek Carr
---
 e2e/rust/tests/custom_image.rs | 6 ++++--
 examples/bring-your-own-container/Dockerfile | 8 +++++---
 examples/bring-your-own-container/README.md | 4 +++-
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/e2e/rust/tests/custom_image.rs b/e2e/rust/tests/custom_image.rs
index 14fc3f47a..f4b682d3d 100644
--- a/e2e/rust/tests/custom_image.rs
+++ b/e2e/rust/tests/custom_image.rs
@@ -22,8 +22,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends iproute2 \
 && rm -rf /var/lib/apt/lists/*
 # Create the sandbox user/group so the supervisor can switch to it.
-RUN groupadd -g 1000 sandbox && \
- useradd -m -u 1000 -g sandbox sandbox
+# Use a high UID range to avoid conflicts with host users when running without
+# user namespace remapping (UID in container = UID on host).
+RUN groupadd -g 1000660000 sandbox && \
+ useradd -m -u 1000660000 -g sandbox sandbox
 # Write a marker file so we can verify this is our custom image.
 RUN echo "custom-image-e2e-marker" > /opt/marker.txt
diff --git a/examples/bring-your-own-container/Dockerfile b/examples/bring-your-own-container/Dockerfile
index 296a22f20..4e8879253 100644
--- a/examples/bring-your-own-container/Dockerfile
+++ b/examples/bring-your-own-container/Dockerfile
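Review bot: The `useradd -m -u 1000660000` line in the Dockerfile text embedded in e2e/rust/tests/custom_image.rs omits `--no-log-init`, and the identical line in examples/bring-your-own-container/Dockerfile has the same gap. With a UID this large, useradd's lastlog/faillog initialisation can write at an offset proportional to the UID, leaving a very large sparse file in the layer. Depending on the base image's shadow version and how the builder stores sparse files, that can bloat the image or exhaust disk during the build. Consider `useradd --no-log-init -m -u 1000660000 -g sandbox sandbox` in both places. The embedded Dockerfile string starts and ends outside this hunk.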
@@ -14,9 +14,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 curl iproute2 iptables \
 && rm -rf /var/lib/apt/lists/*
-# Create the sandbox user (uid/gid 1000) for non-root execution.
-RUN groupadd -g 1000 sandbox && \
- useradd -m -u 1000 -g sandbox sandbox
+# Create the sandbox user for non-root execution.
+# Use a high UID range to avoid conflicts with host users when running without
+# user namespace remapping (UID in container = UID on host).
+RUN groupadd -g 1000660000 sandbox && \
+ useradd -m -u 1000660000 -g sandbox sandbox
 WORKDIR /sandbox
 COPY app.py .
diff --git a/examples/bring-your-own-container/README.md b/examples/bring-your-own-container/README.md
index 9322938ea..0631ded19 100644
--- a/examples/bring-your-own-container/README.md
+++ b/examples/bring-your-own-container/README.md
@@ -59,7 +59,9 @@ key requirements are:
 - **Pass your start command explicitly** — use `-- ` on the CLI. The image's `CMD` / `ENTRYPOINT` is replaced by the sandbox supervisor at runtime.
-- **Create a `sandbox` user** (uid/gid 1000) for non-root execution.
+- **Create a `sandbox` user** (uid/gid 1000660000) for non-root execution.
+ Use a high UID (1000000000+) to avoid conflicts with host users when running
+ without user namespace remapping.
 - **Install `iproute2`** for full network namespace isolation.
 - **Use a standard Linux base image** — distroless and `FROM scratch` images are not supported.
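Review bot: The new comment above `RUN groupadd -g 1000660000 sandbox` explains why the UID is high but not whether this exact value is required, while the README hunk names both 1000660000 and "1000000000+". Say which it is, for example `# Any UID/GID >= 1000000000 works; the supervisor resolves the user by name.`, if that is how the supervisor behaves (not visible in this diff). The comment could also record that, without user namespace remapping, every sandbox built from this image runs under the same host UID. Per-UID limits such as RLIMIT_NPROC are then shared across all sandboxes on a host, so the limit can still be reached once enough of them run together.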