What's changing
For security hardening, GPU container workloads will no longer be allowed to run as root. If your container resolves to UID 0 — whether from the image's default USER or from an explicit runAsUser: 0 — the platform will override it to a non-root UID. Anything that genuinely requires root inside the container (e.g. runtime apt-get/apk installs, modifying system files your user doesn't own) will start failing. Binding to privileged ports (<1024) continues to work.
Action needed
Update your container image so it works as a non-root user before the rollout reaches your region:
- Add a non-root user in your Dockerfile (e.g. RUN adduser --system --uid 1000 app, followed by a separate USER 1000 instruction), or set a non-zero runAsUser in your container spec.
- Move any package installs to image build time rather than container startup.
- For runtime writes, use your working directory or /tmp (auto-chowned by the platform to the injected UID) or a mounted volume; avoid writing to root-owned paths elsewhere in the rootfs.
- Redeploy and test your revision.
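A preflight check for the steps above, as an added example that is not part of the original announcement or the platform's own tooling: it fails when the UID is 0 and when a runtime write path cannot actually be written. The function names and the PREFLIGHT_RUN and WRITE_PATHS variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: non-root preflight for a container entrypoint.
# Function names, PREFLIGHT_RUN and WRITE_PATHS are hypothetical.

# Succeeds only when the given UID is numeric and not 0 (root).
is_nonroot_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number
    esac
    [ "$1" -ne 0 ]
}

# Succeeds when the directory exists and a file can really be created in it.
# Creating a probe file also catches read-only mounts that a mode check misses.
can_write_dir() {
    [ -d "$1" ] || return 1
    probe="$1/.preflight.$$"
    # Subshell: a failed redirection must not abort the calling shell.
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# preflight UID DIR...: prints one line per check, returns the failure count.
preflight() {
    uid="$1"; shift
    failures=0
    if ! is_nonroot_uid "$uid"; then
        echo "FAIL uid=$uid: container resolves to root or an invalid UID"
        failures=$((failures + 1))
    fi
    for dir in "$@"; do
        if can_write_dir "$dir"; then
            echo "ok   $dir is writable"
        else
            echo "FAIL $dir is not writable by uid=$uid"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Check the live process only when asked, so the file can also be sourced.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    # WRITE_PATHS is a space-separated list; word splitting is intentional.
    preflight "$(id -u)" ${WRITE_PATHS:-. /tmp}
fi
```

Run it with PREFLIGHT_RUN=1 as the first step of the container's start command; a non-zero exit status is the number of checks that failed.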
Timeline
These updates will come into effect starting June 26.
Help and Support
If you have questions, contact us at acapms@microsoft.com.