From b161548e5c1c1d9d3999f6960d11ca1094d77f4d Mon Sep 17 00:00:00 2001 From: "Ian H. Pittwood" Date: Thu, 7 May 2026 09:59:11 -0600 Subject: [PATCH 1/3] Remove `ubuntu` builtin user from WAML image to free up 1000 uid --- .../2026.04/Containerfile.ubuntu2404.min | 4 ++++ .../2026.04/Containerfile.ubuntu2404.std | 4 ++++ .../template/Containerfile.ubuntu2404.jinja2 | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.min b/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.min index e221093..451d8db 100644 --- a/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.min +++ b/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.min @@ -32,6 +32,10 @@ ENV DIAGNOSTIC_ONLY=false COPY --chmod=0644 workbench-for-microsoft-azure-ml/2026.04/conf/license-manager/TurboActivate.dat /opt/rstudio-license/license-manager.conf SHELL ["/bin/bash", "-o", "pipefail", "-c"] +### Remove ubuntu user ### +# Ubuntu 24.04 assigns the uid 1000 to the ubuntu user. This is incompatible with the hardcoded PUID=1000 environment +# variable set by Azure ML. By removing the ubuntu user, we can free up the 1000 uid entirely. +RUN userdel -r ubuntu ### Setup environment ### RUN apt-get update -yqq --fix-missing && \ diff --git a/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.std b/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.std index f457f00..ab18db8 100644 --- a/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.std +++ b/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.std @@ -32,6 +32,10 @@ ENV DIAGNOSTIC_ONLY=false COPY --chmod=0644 workbench-for-microsoft-azure-ml/2026.04/conf/license-manager/TurboActivate.dat /opt/rstudio-license/license-manager.conf SHELL ["/bin/bash", "-o", "pipefail", "-c"] +### Remove ubuntu user ### +# Ubuntu 24.04 assigns the uid 1000 to the ubuntu user. This is incompatible with the hardcoded PUID=1000 environment +# variable set by Azure ML. By removing the ubuntu user, we can free up the 1000 uid entirely. +RUN userdel -r ubuntu ### Setup environment ### RUN apt-get update -yqq --fix-missing && \ diff --git a/workbench-for-microsoft-azure-ml/template/Containerfile.ubuntu2404.jinja2 b/workbench-for-microsoft-azure-ml/template/Containerfile.ubuntu2404.jinja2 index 38826f2..f3063cf 100644 --- a/workbench-for-microsoft-azure-ml/template/Containerfile.ubuntu2404.jinja2 +++ b/workbench-for-microsoft-azure-ml/template/Containerfile.ubuntu2404.jinja2 @@ -34,6 +34,10 @@ ENV DIAGNOSTIC_ONLY=false COPY --chmod=0644 {{ Path.Version }}/conf/license-manager/TurboActivate.dat /opt/rstudio-license/license-manager.conf SHELL ["/bin/bash", "-o", "pipefail", "-c"] +### Remove ubuntu user ### +# Ubuntu 24.04 assigns the uid 1000 to the ubuntu user. This is incompatible with the hardcoded PUID=1000 environment +# variable set by Azure ML. By removing the ubuntu user, we can free up the 1000 uid entirely. +RUN userdel -r ubuntu ### Setup environment ### {{ apt.run_setup() }} From f8fc4ed789d4465b662820ad06b2a4bae2b32c15 Mon Sep 17 00:00:00 2001 From: "Ian H. Pittwood" Date: Thu, 7 May 2026 09:59:48 -0600 Subject: [PATCH 2/3] Add `-eu` to SHELL delcarations Add SHELL declaration to clamav stage --- .../2026.04/Containerfile.ubuntu2404.min | 5 ++++- .../2026.04/Containerfile.ubuntu2404.std | 5 ++++- .../template/Containerfile.ubuntu2404.jinja2 | 5 ++++- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.min b/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.min index 451d8db..48e9493 100644 --- a/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.min +++ b/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.min @@ -31,7 +31,8 @@ ENV DIAGNOSTIC_ONLY=false COPY --chmod=0644 workbench-for-microsoft-azure-ml/2026.04/conf/license-manager/TurboActivate.dat /opt/rstudio-license/license-manager.conf -SHELL ["/bin/bash", "-o", "pipefail", "-c"] +SHELL ["/bin/bash", "-euo", "pipefail", "-c"] + ### Remove ubuntu user ### # Ubuntu 24.04 assigns the uid 1000 to the ubuntu user. This is incompatible with the hardcoded PUID=1000 environment # variable set by Azure ML. By removing the ubuntu user, we can free up the 1000 uid entirely. @@ -102,6 +103,8 @@ CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"] FROM build AS clamav +SHELL ["/bin/bash", "-euo", "pipefail", "-c"] + # Set up ClamAV RUN apt-get update -yqq && \ apt-get install -yqq --no-install-recommends \ diff --git a/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.std b/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.std index ab18db8..51902a8 100644 --- a/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.std +++ b/workbench-for-microsoft-azure-ml/2026.04/Containerfile.ubuntu2404.std @@ -31,7 +31,8 @@ ENV DIAGNOSTIC_ONLY=false COPY --chmod=0644 workbench-for-microsoft-azure-ml/2026.04/conf/license-manager/TurboActivate.dat /opt/rstudio-license/license-manager.conf -SHELL ["/bin/bash", "-o", "pipefail", "-c"] +SHELL ["/bin/bash", "-euo", "pipefail", "-c"] + ### Remove ubuntu user ### # Ubuntu 24.04 assigns the uid 1000 to the ubuntu user. This is incompatible with the hardcoded PUID=1000 environment # variable set by Azure ML. By removing the ubuntu user, we can free up the 1000 uid entirely. @@ -155,6 +156,8 @@ CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"] FROM build AS clamav +SHELL ["/bin/bash", "-euo", "pipefail", "-c"] + # Set up ClamAV RUN apt-get update -yqq && \ apt-get install -yqq --no-install-recommends \ diff --git a/workbench-for-microsoft-azure-ml/template/Containerfile.ubuntu2404.jinja2 b/workbench-for-microsoft-azure-ml/template/Containerfile.ubuntu2404.jinja2 index f3063cf..b826221 100644 --- a/workbench-for-microsoft-azure-ml/template/Containerfile.ubuntu2404.jinja2 +++ b/workbench-for-microsoft-azure-ml/template/Containerfile.ubuntu2404.jinja2 @@ -33,7 +33,8 @@ ENV DIAGNOSTIC_ONLY=false COPY --chmod=0644 {{ Path.Version }}/conf/license-manager/TurboActivate.dat /opt/rstudio-license/license-manager.conf -SHELL ["/bin/bash", "-o", "pipefail", "-c"] +SHELL ["/bin/bash", "-euo", "pipefail", "-c"] + ### Remove ubuntu user ### # Ubuntu 24.04 assigns the uid 1000 to the ubuntu user. This is incompatible with the hardcoded PUID=1000 environment # variable set by Azure ML. By removing the ubuntu user, we can free up the 1000 uid entirely. @@ -136,6 +137,8 @@ CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"] FROM build AS clamav +SHELL ["/bin/bash", "-euo", "pipefail", "-c"] + # Set up ClamAV {{ apt.run_install("clamav") }} From 1699a3b4afc35f41c1f21048d64658e8ef79f2e9 Mon Sep 17 00:00:00 2001 From: "Ian H. Pittwood" Date: Thu, 7 May 2026 10:00:14 -0600 Subject: [PATCH 3/3] Add checks for nginx configs in WAML image --- workbench-for-microsoft-azure-ml/2026.04/test/goss.yaml | 8 ++++++++ .../template/test/goss.yaml.jinja2 | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/workbench-for-microsoft-azure-ml/2026.04/test/goss.yaml b/workbench-for-microsoft-azure-ml/2026.04/test/goss.yaml index ff253a7..160fe6d 100644 --- a/workbench-for-microsoft-azure-ml/2026.04/test/goss.yaml +++ b/workbench-for-microsoft-azure-ml/2026.04/test/goss.yaml @@ -158,6 +158,14 @@ file: {{ end }} + # Check that Nginx configs are included + /etc/rstudio/nginx.site.conf: + exists: true + /etc/rstudio/nginx.server.conf: + exists: true + /etc/rstudio/nginx.http.conf: + exists: true + command: "Ensure rstudio-server has permissions to log directory": exec: su rstudio-server -c 'touch /var/lib/rstudio-server/monitor/log/rstudio-server.log' diff --git a/workbench-for-microsoft-azure-ml/template/test/goss.yaml.jinja2 b/workbench-for-microsoft-azure-ml/template/test/goss.yaml.jinja2 index ea2a4dc..bfe831a 100644 --- a/workbench-for-microsoft-azure-ml/template/test/goss.yaml.jinja2 +++ b/workbench-for-microsoft-azure-ml/template/test/goss.yaml.jinja2 @@ -170,6 +170,14 @@ file: {{ end }} {% endraw %} + # Check that Nginx configs are included + /etc/rstudio/nginx.site.conf: + exists: true + /etc/rstudio/nginx.server.conf: + exists: true + /etc/rstudio/nginx.http.conf: + exists: true + command: "Ensure rstudio-server has permissions to log directory": exec: su rstudio-server -c 'touch /var/lib/rstudio-server/monitor/log/rstudio-server.log'