Add non-root user support #4397

Merged
merged 39 commits into from
Feb 15, 2023
Changes from 11 commits
737fd53
Add 8.0 images with new non-root user
lbussell Jan 24, 2023
e71bc0b
Regenerate Dockerfiles
lbussell Jan 24, 2023
02e6241
All new dockerfiles build now
lbussell Jan 24, 2023
26c26ca
Add jammy-chiseled 8.0 runtime-deps files for new aspnet ports
lbussell Jan 27, 2023
fc176d8
Move aspnet sample back to net7.0
lbussell Jan 27, 2023
aee134e
Update environment variables for 8.0 dockerfiles
lbussell Jan 30, 2023
7773de5
WIP tests
lbussell Jan 30, 2023
670ec48
Try to clear tmp directory when running dotnet help
lbussell Feb 1, 2023
74311e6
Clean up Dockerfiles
lbussell Feb 7, 2023
452945b
Merge remote-tracking branch 'upstream/nightly' into feature/non-root…
lbussell Feb 7, 2023
a60cc4f
Remove commented out tests that don't run
lbussell Feb 7, 2023
dc8141a
Remove https port variables
lbussell Feb 7, 2023
3fced5d
.NET versions < 8.0 want the --urls argument
lbussell Feb 7, 2023
9130588
Address some review comments
lbussell Feb 7, 2023
0d68933
Clean up ports, run fx dependent test as non-root
lbussell Feb 7, 2023
cfff6d4
Fix debian home creation behavior
lbussell Feb 7, 2023
0ae0262
Fix aspnet sample base images
lbussell Feb 7, 2023
991f949
Add equals sign back in group add command
lbussell Feb 7, 2023
c0b37b0
I don't know why I swapped these arguments, swap them back
lbussell Feb 7, 2023
ebb8aed
Correctly pass through create-home variable to non-root-user template
lbussell Feb 7, 2023
b2e63de
Update image size baselines
lbussell Feb 8, 2023
bc2dcd8
Update templates to accommodate shadow-utils in Mariner
lbussell Feb 9, 2023
31aea92
Regenerate dockerfiles.
lbussell Feb 9, 2023
8984b4f
Remove redundant dependency list
lbussell Feb 9, 2023
afe6f03
Regenerate dockerfiles
lbussell Feb 9, 2023
20ea44f
Fix samples
lbussell Feb 9, 2023
98b3ba7
Fix Mariner home directory and fix formatting
lbussell Feb 9, 2023
26cad58
Remove --create-home from jammy and alpine
lbussell Feb 9, 2023
6d493d9
put additional packages in alphabetical order and clean up some logic
lbussell Feb 9, 2023
1a0fa36
Change aspnet port env var in 8.0+ monitor dockerfiles
lbussell Feb 10, 2023
8d775f5
Make version checks in tests more serviceable
lbussell Feb 10, 2023
c5aae01
Clean up version checks in tests
lbussell Feb 13, 2023
40d8c42
Look for new environment variable to be unset in monitor tests
lbussell Feb 13, 2023
a880a6a
Add args back
lbussell Feb 13, 2023
cc858da
Fix no-clean logic to only clean once in mariner 8.0
lbussell Feb 13, 2023
452e753
7.0 doesn't have non-root support
lbussell Feb 13, 2023
c0442d4
Install shadow-utils in line with non-root user in mariner
lbussell Feb 13, 2023
daaa7e3
Revert to old install-deps template
lbussell Feb 14, 2023
724e253
Fix indentation in install-deps template
lbussell Feb 15, 2023
16 changes: 8 additions & 8 deletions README.runtime-deps.md
Expand Up @@ -60,9 +60,9 @@ Tags | Dockerfile | OS Version
Tags | Dockerfile | OS Version
-----------| -------------| -------------
8.0.0-preview.1-bookworm-slim-amd64, 8.0-preview-bookworm-slim-amd64, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim, latest | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile) | Debian 12
8.0.0-preview.1-alpine3.17-amd64, 8.0-preview-alpine3.17-amd64, 8.0-preview-alpine-amd64, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/alpine3.17/amd64/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-amd64, 8.0-preview-jammy-amd64, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy/amd64/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-jammy-chiseled-amd64, 8.0-preview-jammy-chiseled-amd64, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy-chiseled/amd64/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-alpine3.17-amd64, 8.0-preview-alpine3.17-amd64, 8.0-preview-alpine-amd64, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-amd64, 8.0-preview-jammy-amd64, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy/amd64/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-jammy-chiseled-amd64, 8.0-preview-jammy-chiseled-amd64, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile) | Ubuntu 22.04

## Linux arm64 Tags
Tags | Dockerfile | OS Version
Expand All @@ -83,9 +83,9 @@ Tags | Dockerfile | OS Version
Tags | Dockerfile | OS Version
-----------| -------------| -------------
8.0.0-preview.1-bookworm-slim-arm64v8, 8.0-preview-bookworm-slim-arm64v8, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim, latest | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile) | Debian 12
8.0.0-preview.1-alpine3.17-arm64v8, 8.0-preview-alpine3.17-arm64v8, 8.0-preview-alpine-arm64v8, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/alpine3.17/arm64v8/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-arm64v8, 8.0-preview-jammy-arm64v8, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy/arm64v8/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-jammy-chiseled-arm64v8, 8.0-preview-jammy-chiseled-arm64v8, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy-chiseled/arm64v8/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-alpine3.17-arm64v8, 8.0-preview-alpine3.17-arm64v8, 8.0-preview-alpine-arm64v8, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-arm64v8, 8.0-preview-jammy-arm64v8, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-jammy-chiseled-arm64v8, 8.0-preview-jammy-chiseled-arm64v8, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile) | Ubuntu 22.04

## Linux arm32 Tags
Tags | Dockerfile | OS Version
Expand All @@ -104,8 +104,8 @@ Tags | Dockerfile | OS Version
Tags | Dockerfile | OS Version
-----------| -------------| -------------
8.0.0-preview.1-bookworm-slim-arm32v7, 8.0-preview-bookworm-slim-arm32v7, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim, latest | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile) | Debian 12
8.0.0-preview.1-alpine3.17-arm32v7, 8.0-preview-alpine3.17-arm32v7, 8.0-preview-alpine-arm32v7, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/alpine3.17/arm32v7/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-arm32v7, 8.0-preview-jammy-arm32v7, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/6.0/jammy/arm32v7/Dockerfile) | Ubuntu 22.04
8.0.0-preview.1-alpine3.17-arm32v7, 8.0-preview-alpine3.17-arm32v7, 8.0-preview-alpine-arm32v7, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile) | Alpine 3.17
8.0.0-preview.1-jammy-arm32v7, 8.0-preview-jammy-arm32v7, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/nightly/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile) | Ubuntu 22.04

You can retrieve a list of all available tags for dotnet/nightly/runtime-deps at https://mcr.microsoft.com/v2/dotnet/nightly/runtime-deps/tags/list.
<!--End of generated tags-->
9 changes: 6 additions & 3 deletions eng/dockerfile-templates/Dockerfile.common-dotnet-envs
Expand Up @@ -5,10 +5,13 @@
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^
set lineContinuation to when(isWindows, "`", "\") ^
set port to when(isDistroless, "8080", "80")
set port to when(isDistroless, "8080", "80") ^
set httpPort to "8080" ^
set httpsPort to "8443"
}}ENV {{lineContinuation}}
# Configure web servers to bind to port {{port}} when present
ASPNETCORE_URLS=http://+:{{port}} {{lineContinuation}}
{{if dotnetVersion != "8.0":# Configure web servers to bind to port {{port}} when present
ASPNETCORE_URLS=http://+:{{port}} {{lineContinuation}}^else:# Configure web servers to bind to port {{httpPort}}/{{httpsPort}} when present
ASPNETCORE_HTTP_PORTS={{httpPort}} {{lineContinuation}}}}
{{InsertTemplate("Dockerfile.env.container")}}{{if isAlpine || (isDistroless && !(isMariner && find(OS_VERSION, "1.0") > 0)): {{lineContinuation}}
# Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true}}
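Review bot: In the else branch the comment says the web servers bind to {{httpPort}}/{{httpsPort}}, but only ASPNETCORE_HTTP_PORTS={{httpPort}} is emitted, so httpsPort ("8443") is set and read nowhere except that comment. Either drop httpsPort and reword the comment to name the HTTP port only, or emit the HTTPS setting as well. Separately, the guard dotnetVersion != "8.0" is an exact string match, so any later version falls back to the ASPNETCORE_URLS branch with the old port; a comparison that treats 8.0 as the minimum would age better.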
13 changes: 12 additions & 1 deletion eng/dockerfile-templates/Dockerfile.linux.install-deps
Expand Up @@ -27,15 +27,26 @@
"openssl-libs",
"zlib"
],
when(dotnetVersion = "8.0",
[
"glibc",
"icu",
"krb5",
"libgcc",
"libstdc++",
"openssl-libs",
"shadow-utils",
"zlib"
]),
],
[
"glibc",
"icu",
"krb5",
"libgcc",
"libstdc++",
"openssl-libs",
"zlib"
])),
[
"libc6",
"libgcc1",
Expand Down
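Review bot: The package list added under when(dotnetVersion = "8.0", ...) repeats the existing glibc / icu / krb5 / libgcc / libstdc++ / openssl-libs / zlib list and differs only by "shadow-utils". Two copies mean every later dependency change has to be made twice; consider keeping one base list and appending shadow-utils for the versions that create the non-root user. A short comment that shadow-utils is present only to supply groupadd/adduser for the user-creation step would also help, since here it reads as a runtime dependency of .NET.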
16 changes: 15 additions & 1 deletion eng/dockerfile-templates/runtime-deps/Dockerfile
Expand Up @@ -19,7 +19,10 @@
set isRpmInstall to isMariner && dotnetVersion = "6.0" ^
set isSingleStage to !(isRpmInstall && isInternal) ^
set urlSuffix to when(isInternal, "$SAS_QUERY_STRING", "") ^
set rpmFilename to "dotnet-runtime-deps.rpm"
set rpmFilename to "dotnet-runtime-deps.rpm" ^
set username to "app" ^
set uid to 101 ^
set gid to uid
}}{{
if !isSingleStage:# Installer image
}}FROM {{baseImageRepo}}:{{baseImageTag}}{{if !isSingleStage: AS installer}}{{ if isInternal && isRpmInstall:
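Review bot: uid 101 (with gid set to uid) is hardcoded with no comment on why that value was chosen. It sits in the 100-999 range that Debian and Ubuntu allocate dynamically to system accounts, so a base image that already holds 101 would make the groupadd/useradd step fail. Please document the choice next to set uid to 101, and consider an id outside the dynamically allocated range so the number stays stable across the distros this template covers.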
Expand Down Expand Up @@ -52,5 +55,16 @@ RUN {{InsertTemplate("../Dockerfile.linux.install-deps")}}
"url-suffix": urlSuffix,
"filename": rpmFilename
])}}
}}{{if dotnetVersion = "8.0":
# Create a non-root user and group
RUN {{InsertTemplate("Dockerfile.linux.non-root-user",
[
"staging-dir": distrolessStagingDir,
"exclusive": "false",
"name": username,
"uid": uid,
"gid": gid,
"create-home": "false"
]," ")}}
}}
{{InsertTemplate("../Dockerfile.common-dotnet-envs")}}
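Review bot: The call to Dockerfile.linux.non-root-user passes "staging-dir" and "exclusive", which are not among the ARGS that template documents (name, uid, gid, create-home), and it passes "create-home": "false" as a quoted string while the template tests it with if !ARGS["create-home"]. Drop the two unused arguments and pass a real boolean, or confirm that the template engine evaluates the string "false" as false; otherwise --no-create-home is silently left out. This block also only creates the app account and adds no USER instruction, so the image still starts as root; the comment above the RUN should say so.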
Original file line number Diff line number Diff line change
Expand Up @@ -16,17 +16,15 @@ FROM {{ARCH_VERSIONED}}/ubuntu:{{osVersionBase}} as builder
RUN apt-get update && \
apt-get install -y ca-certificates

RUN {{InsertTemplate("Dockerfile.linux.distroless-user",
[
{{InsertTemplate("Dockerfile.linux.distroless-user", [
"staging-dir": "/rootfs",
"exclusive": "true",
"create-dir": "true",
"name": username,
"uid": uid,
"gid": gid,
"create-home": "true"
],
" ")}}
])}}

COPY --from=chisel /opt/chisel/chisel /usr/bin/
RUN chisel cut --release "ubuntu-{{osVersionNumber}}" --root /rootfs \
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,15 @@ RUN tmpManifestPath="/tmp/rpmmanifest" \

}}
# Create a non-root user and group
RUN {{InsertTemplate("Dockerfile.linux.distroless-user",
{{InsertTemplate("Dockerfile.linux.distroless-user",
[
"staging-dir": distrolessStagingDir,
"exclusive": dotnetVersion != "6.0",
"name": username,
"uid": uid,
"gid": gid,
"create-home": createUserHome
],
" ")}}
])}}

# Clean up staging
RUN rm -rf {{distrolessStagingDir}}/etc/{{when(find(OS_VERSION, "1.0") >= 0, "dnf", "tdnf")}} \
Original file line number Diff line number Diff line change
Expand Up @@ -9,26 +9,22 @@
gid: ID of the group to be created
create-home (optional): Indicates whether a home directory should be created for the user ^
set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0
}}groupadd \
--system \
--gid={{ARGS["gid"]}} \
{{ARGS["name"]}} \
&& adduser \
--uid {{ARGS["uid"]}} \
--gid {{ARGS["gid"]}} \
--shell /bin/false \{{if !ARGS["create-home"]:
--no-create-home \}}
--system \
{{ARGS["name"]}} \{{
if ARGS["create-home"]:
&& install -d -m 0755 -o {{ARGS["uid"]}} -g {{ARGS["gid"]}} "{{ARGS["staging-dir"]}}/home/{{ARGS["name"]}}" \}}{{
if ARGS["exclusive"]:{{if ARGS["create-dir"]:
&& mkdir -p "{{ARGS["staging-dir"]}}/etc" \}}
&& rootOrAppRegex='@^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/group"^
else:
# Copy user/group info to staging
&& cp /etc/passwd {{ARGS["staging-dir"]}}/etc/passwd \
&& cp /etc/group {{ARGS["staging-dir"]}}/etc/group}}
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^
set isAlpine to find(OS_VERSION, "alpine") >= 0
}}RUN {{InsertTemplate("Dockerfile.linux.non-root-user",
[
"name": ARGS["name"],
"uid": ARGS["uid"],
"gid": ARGS["gid"],
"create-home": ARGS[["create-home"]]
]," ")}} \{{if ARGS["create-home"]:
&& install -d -m 0755 -o {{ARGS["uid"]}} -g {{ARGS["gid"]}} "{{ARGS["staging-dir"]}}/home/{{ARGS["name"]}}" \}}{{
if ARGS["exclusive"]:{{if ARGS["create-dir"]:
&& mkdir -p "{{ARGS["staging-dir"]}}/etc" \}}
&& rootOrAppRegex='@^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/group"^
else:
# Copy user/group info to staging
&& cp /etc/passwd {{ARGS["staging-dir"]}}/etc/passwd \
&& cp /etc/group {{ARGS["staging-dir"]}}/etc/group}}
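Review bot: "create-home": ARGS[["create-home"]] uses doubled brackets, unlike the ARGS["name"], ARGS["uid"] and ARGS["gid"] lookups beside it, so the key is a list rather than the string "create-home" and the caller's value likely never reaches the non-root-user template; it should read ARGS["create-home"]. In the exclusive branch, rootOrAppRegex still hardcodes app although the account name comes from ARGS["name"], and $rootOrAppRegex is expanded unquoted in both grep calls. Building the pattern from ARGS["name"] and quoting the expansion keeps the staged passwd and group files correct if the name ever changes. isAlpine, isMariner and dotnetVersion are set here but not read in the lines shown.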
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{{
_ Configures a non-root user
_ ARGS:
name: Name of the user/group to create
uid: ID of the user to be created
gid: ID of the group to be created
create-home (optional): Indicates whether a home directory should be created for the user ^
set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^
set isMariner to find(OS_VERSION, "cbl-mariner") >= 0
}}{{if isAlpine:addgroup^else:groupadd}} \
--system \
--gid {{ARGS["gid"]}} \
{{ARGS["name"]}} \
&& {{if isDebian:useradd^else:adduser}} \
--uid {{ARGS["uid"]}} \
{{if isAlpine:--ingroup {{ARGS["name"]}}^else:--gid {{ARGS["gid"]}}}} \
--shell /bin/false \
--system \{{if !ARGS["create-home"]:
--no-create-home \}}
{{ARGS["name"]}}
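Review bot: On the Debian branch ({{if isDebian:useradd^else:adduser}}), create-home only controls whether --no-create-home is emitted, but useradd does not create a home directory for a --system account unless --create-home (-m) is passed, so a true create-home yields no home directory there. Emit --create-home explicitly when the argument is set. Also, isDebian is derived from OS_ARCH_HYPHENATED while isAlpine and isMariner use OS_VERSION; a comment explaining the difference would help. dotnetVersion and isMariner are set but unused in this file.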
4 changes: 2 additions & 2 deletions eng/dockerfile-templates/sdk/Dockerfile.envs
Expand Up @@ -3,9 +3,9 @@
set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
set isWindows to find(OS_VERSION, "nanoserver") >= 0 || find(OS_VERSION, "windowsservercore") >= 0 ^
set lineContinuation to when(isWindows, "`", "\")
}}ENV {{lineContinuation}}
}}ENV {{lineContinuation}}{{if dotnetVersion != "8.0":
# Unset ASPNETCORE_URLS from aspnet base image
ASPNETCORE_URLS= {{lineContinuation}}
ASPNETCORE_URLS= {{lineContinuation}}}}
# Do not generate certificate
DOTNET_GENERATE_ASPNET_CERTIFICATE=false {{lineContinuation}}
# Do not show first run text
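Review bot: With the ASPNETCORE_URLS= reset now wrapped in if dotnetVersion != "8.0", the 8.0 SDK image clears nothing, yet the 8.0 base image in this PR sets ASPNETCORE_HTTP_PORTS instead (see Dockerfile.common-dotnet-envs). If the purpose of this line is to keep the SDK image from inheriting the base image's binding, the 8.0 branch needs the equivalent reset for ASPNETCORE_HTTP_PORTS, and the comment should say which variable applies to which version.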
3 changes: 2 additions & 1 deletion eng/dockerfile-templates/sdk/Dockerfile.linux.first-run
@@ -1,6 +1,7 @@
{{
_ ARGS
append-cmd: Indicates whether to append the command to an existing command
append-cmd: Indicates whether to append the command to an existing command ^

set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".")
}}# Trigger first run experience by running arbitrary cmd
{{if ARGS["append-cmd"]:&&^else:RUN}} dotnet help
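Review bot: set dotnetVersion is added to the header, but nothing in this template reads it; the body is still the unconditional dotnet help line. Either remove the variable or include the version-specific logic it was meant for in the same change, so the header does not imply behaviour that is not there.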
24 changes: 12 additions & 12 deletions manifest.json
Expand Up @@ -888,7 +888,7 @@
},
"platforms": [
{
"dockerfile": "src/runtime-deps/6.0/alpine3.17/amd64",
"dockerfile": "src/runtime-deps/8.0/alpine3.17/amd64",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
"os": "linux",
"osVersion": "alpine3.17",
Expand All @@ -900,7 +900,7 @@
},
{
"architecture": "arm",
"dockerfile": "src/runtime-deps/6.0/alpine3.17/arm32v7",
"dockerfile": "src/runtime-deps/8.0/alpine3.17/arm32v7",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
"os": "linux",
"osVersion": "alpine3.17",
Expand All @@ -913,7 +913,7 @@
},
{
"architecture": "arm64",
"dockerfile": "src/runtime-deps/6.0/alpine3.17/arm64v8",
"dockerfile": "src/runtime-deps/8.0/alpine3.17/arm64v8",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
"os": "linux",
"osVersion": "alpine3.17",
Expand All @@ -934,7 +934,7 @@
},
"platforms": [
{
"dockerfile": "src/runtime-deps/6.0/jammy/amd64",
"dockerfile": "src/runtime-deps/8.0/jammy/amd64",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
"os": "linux",
"osVersion": "jammy",
Expand All @@ -945,7 +945,7 @@
},
{
"architecture": "arm",
"dockerfile": "src/runtime-deps/6.0/jammy/arm32v7",
"dockerfile": "src/runtime-deps/8.0/jammy/arm32v7",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
"os": "linux",
"osVersion": "jammy",
Expand All @@ -957,7 +957,7 @@
},
{
"architecture": "arm64",
"dockerfile": "src/runtime-deps/6.0/jammy/arm64v8",
"dockerfile": "src/runtime-deps/8.0/jammy/arm64v8",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
"os": "linux",
"osVersion": "jammy",
Expand All @@ -977,7 +977,7 @@
},
"platforms": [
{
"dockerfile": "src/runtime-deps/6.0/jammy-chiseled/amd64",
"dockerfile": "src/runtime-deps/8.0/jammy-chiseled/amd64",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu",
"os": "linux",
"osVersion": "jammy-chiseled",
Expand All @@ -997,7 +997,7 @@
},
{
"architecture": "arm64",
"dockerfile": "src/runtime-deps/6.0/jammy-chiseled/arm64v8",
"dockerfile": "src/runtime-deps/8.0/jammy-chiseled/arm64v8",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu",
"os": "linux",
"osVersion": "jammy-chiseled",
Expand Down Expand Up @@ -1033,7 +1033,7 @@
},
"platforms": [
{
"dockerfile": "src/runtime-deps/7.0/cbl-mariner2.0/amd64",
"dockerfile": "src/runtime-deps/8.0/cbl-mariner2.0/amd64",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
"os": "linux",
"osVersion": "cbl-mariner2.0",
Expand All @@ -1051,7 +1051,7 @@
},
{
"architecture": "arm64",
"dockerfile": "src/runtime-deps/7.0/cbl-mariner2.0/arm64v8",
"dockerfile": "src/runtime-deps/8.0/cbl-mariner2.0/arm64v8",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile",
"os": "linux",
"osVersion": "cbl-mariner2.0",
Expand Down Expand Up @@ -1085,7 +1085,7 @@
},
"platforms": [
{
"dockerfile": "src/runtime-deps/7.0/cbl-mariner2.0-distroless/amd64",
"dockerfile": "src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner",
"os": "linux",
"osVersion": "cbl-mariner2.0-distroless",
Expand All @@ -1112,7 +1112,7 @@
},
{
"architecture": "arm64",
"dockerfile": "src/runtime-deps/7.0/cbl-mariner2.0-distroless/arm64v8",
"dockerfile": "src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8",
"dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner",
"os": "linux",
"osVersion": "cbl-mariner2.0-distroless",
4 changes: 2 additions & 2 deletions samples/aspnetapp/Dockerfile
@@ -1,5 +1,5 @@
# https://hub.docker.com/_/microsoft-dotnet
FROM mcr.microsoft.com/dotnet/sdk:7.0 AS build
FROM nonroot-aspnet as build
WORKDIR /source

# copy csproj and restore as distinct layers
Expand All @@ -11,7 +11,7 @@ COPY aspnetapp/. .
RUN dotnet publish -c Release -o /app --use-current-runtime --self-contained false --no-restore

# final stage/image
FROM mcr.microsoft.com/dotnet/aspnet:7.0
FROM nonroot-aspnet
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["dotnet", "aspnetapp.dll"]
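Review bot: Both stages now start FROM nonroot-aspnet, which is a local image name rather than a registry reference, so the sample cannot be built by anyone who has not tagged that image themselves. The build stage in particular replaces the SDK image and then runs dotnet publish, which needs the SDK rather than the ASP.NET runtime image. Restore the mcr.microsoft.com references before merge; if the sample is meant to demonstrate the non-root user, show that with a USER instruction in the final stage rather than by swapping the base image.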
Original file line number Diff line number Diff line change
Expand Up @@ -23,14 +23,14 @@ RUN mkdir /staging \
# Create a non-root user and group
RUN groupadd \
--system \
--gid=1000 \
--gid 1000 \
app \
&& adduser \
--uid 1000 \
--gid 1000 \
--shell /bin/false \
--no-create-home \
--system \
--no-create-home \
app \
# Copy user/group info to staging
&& cp /etc/passwd /staging/etc/passwd \
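Review bot: This Dockerfile creates app with uid/gid 1000, while the runtime-deps template in this PR sets uid to 101 and the next generated Dockerfile uses 101. Consumers who pin a numeric USER or chown mounted volumes depend on that number, so the per-image value should be intentional and documented alongside the tags it applies to.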
Original file line number Diff line number Diff line change
Expand Up @@ -32,14 +32,14 @@ RUN tmpManifestPath="/tmp/rpmmanifest" \
# Create a non-root user and group
RUN groupadd \
--system \
--gid=101 \
--gid 101 \
app \
&& adduser \
--uid 101 \
--gid 101 \
--shell /bin/false \
--no-create-home \
--system \
--no-create-home \
app \
# Copy user/group info to staging
&& cp /etc/passwd /staging/etc/passwd \