From b9bf5539c5db2225fd2fe0f902d5f7ea8bef1355 Mon Sep 17 00:00:00 2001 
From: Logan Bussell Date: Wed, 15 Feb 2023 13:06:17 -0800 Subject: [PATCH] Add non-root user support (#4397) (cherry picked from commit 4fced561fa9c6c5d0ccb7daf15cf8d99eae2dadb) --- README.runtime-deps.md | 12 +-- .../Dockerfile.common-dotnet-envs | 4 +- .../Dockerfile.linux.install-deps | 22 +++--- .../Dockerfile.linux.install-pkgs | 7 +- .../Dockerfile.linux.remove-pkgs | 29 +++++++ .../monitor/Dockerfile.envs | 5 +- .../runtime-deps/Dockerfile | 15 +++- .../runtime-deps/Dockerfile.chiseled-ubuntu | 6 +- .../Dockerfile.distroless-mariner | 5 +- .../Dockerfile.linux.distroless-user | 44 +++++------ .../Dockerfile.linux.non-root-user | 32 ++++++++ eng/dockerfile-templates/sdk/Dockerfile.envs | 4 +- .../sdk/Dockerfile.linux.first-run | 1 - manifest.json | 20 ++--- .../cbl-mariner-distroless/amd64/Dockerfile | 4 +- .../cbl-mariner-distroless/arm64v8/Dockerfile | 4 +- .../8.0/ubuntu-chiseled/amd64/Dockerfile | 4 +- .../8.0/ubuntu-chiseled/arm64v8/Dockerfile | 4 +- .../8.0/alpine3.17/amd64/Dockerfile | 32 ++++++++ .../8.0/alpine3.17/arm32v7/Dockerfile | 32 ++++++++ .../8.0/alpine3.17/arm64v8/Dockerfile | 32 ++++++++ .../8.0/bookworm-slim/amd64/Dockerfile | 17 ++++- .../8.0/bookworm-slim/arm32v7/Dockerfile | 17 ++++- .../8.0/bookworm-slim/arm64v8/Dockerfile | 17 ++++- .../amd64/Dockerfile | 75 +++++++++++++++++++ .../arm64v8/Dockerfile | 75 +++++++++++++++++++ .../8.0/cbl-mariner2.0/amd64/Dockerfile | 38 ++++++++++ .../8.0/cbl-mariner2.0/arm64v8/Dockerfile | 38 ++++++++++ .../8.0/jammy-chiseled/amd64/Dockerfile | 2 +- .../8.0/jammy-chiseled/arm64v8/Dockerfile | 2 +- src/runtime-deps/8.0/jammy/amd64/Dockerfile | 33 ++++++++ src/runtime-deps/8.0/jammy/arm32v7/Dockerfile | 33 ++++++++ src/runtime-deps/8.0/jammy/arm64v8/Dockerfile | 33 ++++++++ .../8.0/nanoserver-1809/amd64/Dockerfile | 4 +- .../8.0/nanoserver-ltsc2022/amd64/Dockerfile | 4 +- .../amd64/Dockerfile | 4 +- .../amd64/Dockerfile | 4 +- src/sdk/8.0/alpine3.17/amd64/Dockerfile | 2 - 
src/sdk/8.0/alpine3.17/arm32v7/Dockerfile | 2 - src/sdk/8.0/alpine3.17/arm64v8/Dockerfile | 2 - src/sdk/8.0/bookworm-slim/amd64/Dockerfile | 2 - src/sdk/8.0/bookworm-slim/arm32v7/Dockerfile | 2 - src/sdk/8.0/bookworm-slim/arm64v8/Dockerfile | 2 - src/sdk/8.0/cbl-mariner2.0/amd64/Dockerfile | 2 - src/sdk/8.0/cbl-mariner2.0/arm64v8/Dockerfile | 2 - src/sdk/8.0/jammy/amd64/Dockerfile | 2 - src/sdk/8.0/jammy/arm32v7/Dockerfile | 2 - src/sdk/8.0/jammy/arm64v8/Dockerfile | 2 - src/sdk/8.0/nanoserver-1809/amd64/Dockerfile | 2 - .../8.0/nanoserver-ltsc2022/amd64/Dockerfile | 2 - .../amd64/Dockerfile | 2 - .../amd64/Dockerfile | 2 - .../CommonRuntimeImageTests.cs | 10 ++- .../ImageData.cs | 3 +- .../ImageScenarioVerifier.cs | 51 +++++++++---- .../MonitorImageTests.cs | 8 +- .../ProductImageData.cs | 2 + .../SdkImageTests.cs | 5 -- .../performance/ImageSize.nightly.linux.json | 14 +++- 59 files changed, 690 insertions(+), 147 deletions(-) create mode 100644 eng/dockerfile-templates/Dockerfile.linux.remove-pkgs create mode 100644 eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user create mode 100644 src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile create mode 100644 src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile create mode 100644 src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile create mode 100644 src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile create mode 100644 src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile create mode 100644 src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile create mode 100644 src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile create mode 100644 src/runtime-deps/8.0/jammy/amd64/Dockerfile create mode 100644 src/runtime-deps/8.0/jammy/arm32v7/Dockerfile create mode 100644 src/runtime-deps/8.0/jammy/arm64v8/Dockerfile diff --git a/README.runtime-deps.md b/README.runtime-deps.md index 64bef00450..73e7d9e5b4 100644 --- a/README.runtime-deps.md +++ b/README.runtime-deps.md 
@@ -53,8 +53,8 @@ Tags | Dockerfile | OS Version Tags | Dockerfile | OS Version -----------| -------------| ------------- 8.0.0-preview.1-bookworm-slim-amd64, 8.0-preview-bookworm-slim-amd64, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile) | Debian 12 -8.0.0-preview.1-alpine3.17-amd64, 8.0-preview-alpine3.17-amd64, 8.0-preview-alpine-amd64, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/6.0/alpine3.17/amd64/Dockerfile) | Alpine 3.17 -8.0.0-preview.1-jammy-amd64, 8.0-preview-jammy-amd64, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/6.0/jammy/amd64/Dockerfile) | Ubuntu 22.04 +8.0.0-preview.1-alpine3.17-amd64, 8.0-preview-alpine3.17-amd64, 8.0-preview-alpine-amd64, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile) | Alpine 3.17 +8.0.0-preview.1-jammy-amd64, 8.0-preview-jammy-amd64, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy/amd64/Dockerfile) | Ubuntu 22.04 8.0.0-preview.1-jammy-chiseled-amd64, 8.0-preview-jammy-chiseled-amd64, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile) | Ubuntu 22.04 ## Linux arm64 Tags 
@@ -74,8 +74,8 @@ Tags | Dockerfile | OS Version Tags | Dockerfile | OS Version -----------| -------------| ------------- 8.0.0-preview.1-bookworm-slim-arm64v8, 8.0-preview-bookworm-slim-arm64v8, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile) | Debian 12 -8.0.0-preview.1-alpine3.17-arm64v8, 8.0-preview-alpine3.17-arm64v8, 8.0-preview-alpine-arm64v8, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/6.0/alpine3.17/arm64v8/Dockerfile) | Alpine 3.17 -8.0.0-preview.1-jammy-arm64v8, 8.0-preview-jammy-arm64v8, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/6.0/jammy/arm64v8/Dockerfile) | Ubuntu 22.04 +8.0.0-preview.1-alpine3.17-arm64v8, 8.0-preview-alpine3.17-arm64v8, 8.0-preview-alpine-arm64v8, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile) | Alpine 3.17 +8.0.0-preview.1-jammy-arm64v8, 8.0-preview-jammy-arm64v8, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile) | Ubuntu 22.04 8.0.0-preview.1-jammy-chiseled-arm64v8, 8.0-preview-jammy-chiseled-arm64v8, 8.0.0-preview.1-jammy-chiseled, 8.0-preview-jammy-chiseled | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile) | Ubuntu 22.04 ## Linux arm32 Tags 
@@ -95,8 +95,8 @@ Tags | Dockerfile | OS Version Tags | Dockerfile | OS Version -----------| -------------| ------------- 8.0.0-preview.1-bookworm-slim-arm32v7, 8.0-preview-bookworm-slim-arm32v7, 8.0.0-preview.1, 8.0.0-preview.1-bookworm-slim, 8.0-preview, 8.0-preview-bookworm-slim | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile) | Debian 12 -8.0.0-preview.1-alpine3.17-arm32v7, 8.0-preview-alpine3.17-arm32v7, 8.0-preview-alpine-arm32v7, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/6.0/alpine3.17/arm32v7/Dockerfile) | Alpine 3.17 -8.0.0-preview.1-jammy-arm32v7, 8.0-preview-jammy-arm32v7, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/6.0/jammy/arm32v7/Dockerfile) | Ubuntu 22.04 +8.0.0-preview.1-alpine3.17-arm32v7, 8.0-preview-alpine3.17-arm32v7, 8.0-preview-alpine-arm32v7, 8.0.0-preview.1-alpine3.17, 8.0-preview-alpine3.17, 8.0-preview-alpine | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile) | Alpine 3.17 +8.0.0-preview.1-jammy-arm32v7, 8.0-preview-jammy-arm32v7, 8.0.0-preview.1-jammy, 8.0-preview-jammy | [Dockerfile](https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile) | Ubuntu 22.04 You can retrieve a list of all available tags for dotnet/runtime-deps at https://mcr.microsoft.com/v2/dotnet/runtime-deps/tags/list. diff --git a/eng/dockerfile-templates/Dockerfile.common-dotnet-envs b/eng/dockerfile-templates/Dockerfile.common-dotnet-envs index 0c929cfe65..3771ea2d30 100644 --- a/eng/dockerfile-templates/Dockerfile.common-dotnet-envs +++ b/eng/dockerfile-templates/Dockerfile.common-dotnet-envs 
@@ -5,10 +5,10 @@ set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^ set isDistroless to find(OS_VERSION, "distroless") >= 0 || find(OS_VERSION, "chiseled") >= 0 ^ set lineContinuation to when(isWindows, "`", "\") ^ - set port to when(isDistroless, "8080", "80") + set port to when(isDistroless || (dotnetVersion != "6.0" && dotnetVersion != "7.0"), "8080", "80") }}ENV {{lineContinuation}} # Configure web servers to bind to port {{port}} when present - ASPNETCORE_URLS=http://+:{{port}} {{lineContinuation}} + {{if dotnetVersion = "6.0" || dotnetVersion = "7.0":ASPNETCORE_URLS=http://+:{{port}}^else:ASPNETCORE_HTTP_PORTS={{port}}}} {{lineContinuation}} {{InsertTemplate("Dockerfile.env.container")}}{{if isAlpine || (isDistroless && !(isMariner && find(OS_VERSION, "1.0") > 0)): {{lineContinuation}} # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20) DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true}} diff --git a/eng/dockerfile-templates/Dockerfile.linux.install-deps b/eng/dockerfile-templates/Dockerfile.linux.install-deps index 6b4a4a0191..e24367de56 100644 --- a/eng/dockerfile-templates/Dockerfile.linux.install-deps +++ b/eng/dockerfile-templates/Dockerfile.linux.install-deps @@ -45,17 +45,17 @@ "libstdc++6", "zlib1g" ])) ^ - set certsPkgPrefix to when(isMariner, - [ - when(isDistrolessMariner, "prebuilt-ca-certificates", "ca-certificates"), - "", - dotnetDepsComment - ], - [ - "ca-certificates", - "", - dotnetDepsComment - ]) ^ + set certsPkgPrefix to when(isMariner, + [ + when(isDistrolessMariner, "prebuilt-ca-certificates", "ca-certificates"), + "", + dotnetDepsComment + ], + [ + "ca-certificates", + "", + dotnetDepsComment + ]) ^ set pkgs to when(ARGS["isSdk"], pkgs, cat(certsPkgPrefix, pkgs)) }}{{InsertTemplate("Dockerfile.linux.install-pkgs", [ diff --git a/eng/dockerfile-templates/Dockerfile.linux.install-pkgs b/eng/dockerfile-templates/Dockerfile.linux.install-pkgs index 68ba0aa31f..b7306dcdef 100644 
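Review bot: The comment that is emitted next to the port line still reads `# Configure web servers to bind to port {{port}} when present`, which no longer says why 8.0 moves from 80 to 8080 on every image, distroless or not; the reason is the non-root user this patch introduces, which cannot bind a port below 1024 without CAP_NET_BIND_SERVICE, and that is what a future reader of the 6.0/7.0 versus 8.0 split needs. I would extend it to `# Configure web servers to bind to port {{port}} when present (8.0+ uses an unprivileged port so the image can run as the non-root user)`. With the new `port` expression the `isDistroless` test only matters for 6.0/7.0, which deserves a one-line template comment so it is not "simplified" away later. The rendered 6.0/7.0 images keep port 80 and therefore still need root (or an added capability) to bind it.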
--- a/eng/dockerfile-templates/Dockerfile.linux.install-pkgs +++ b/eng/dockerfile-templates/Dockerfile.linux.install-pkgs @@ -3,7 +3,8 @@ pkgs: list of packages to install pkg-mgr (optional): package manager to use pkg-mgr-opts (optional): additional options to pass to the package manager - noninteractive (optional): whether to use noninteractive mode ^ + noninteractive (optional): whether to use noninteractive mode + no-clean (optional): skip package manager cleanup after install ^ set isAlpine to find(OS_VERSION, "alpine") >= 0 ^ set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^ @@ -22,10 +23,10 @@ elif isTdnf:tdnf install -y{{ARGS["pkg-mgr-opts"]}} \^ else:apt-get update \ &&{{if ARGS["noninteractive"]: DEBIAN_FRONTEND=noninteractive}} apt-get install -y --no-install-recommends{{ARGS["pkg-mgr-opts"]}} \}}{{ for index, pkg in ARGS["pkgs"]: - {{pkg}}{{if appendPkgSuffix(pkg, index):{{if pkg != "": }}\}}}}{{ + {{pkg}}{{if appendPkgSuffix(pkg, index):{{if pkg != "": }}\}}}}{{if !ARGS["no-clean"]:{{ if isTdnf: && tdnf clean all{{ARGS["pkg-mgr-opts"]}}^ elif isDnf: && dnf clean all{{ARGS["pkg-mgr-opts"]}}^ elif !isApk: - && rm -rf /var/lib/apt/lists/*}} + && rm -rf /var/lib/apt/lists/*}}}} diff --git a/eng/dockerfile-templates/Dockerfile.linux.remove-pkgs b/eng/dockerfile-templates/Dockerfile.linux.remove-pkgs new file mode 100644 index 0000000000..ba5557afe1 --- /dev/null +++ b/eng/dockerfile-templates/Dockerfile.linux.remove-pkgs 
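Review bot: `no-clean` silently leaves `/var/lib/apt/lists/*` (or the dnf/tdnf cache) in the layer, and nothing in the argument doc says that the caller now owns the cleanup; the only caller in this patch pairs it with Dockerfile.linux.remove-pkgs in the same RUN, but the next caller may not. I would expand the doc line to `no-clean (optional): skip package manager cleanup after install; the caller must clean up in the same RUN (e.g. via Dockerfile.linux.remove-pkgs) or the lists/cache are baked into the image layer`. A one-line comment on the `{{if !ARGS["no-clean"]:` guard saying the same would help whoever reads the template without the doc header.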
@@ -0,0 +1,29 @@ +{{ + _ ARGS: + pkgs: list of packages to remove + pkg-mgr (optional): package manager to use + pkg-mgr-opts (optional): additional options to pass to the package manager + noninteractive (optional): whether to use noninteractive mode + no-clean (optional): skip package manager cleanup after install ^ + + set isAlpine to find(OS_VERSION, "alpine") >= 0 ^ + set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^ + set isDnf to ARGS["pkg-mgr"] = "dnf" ^ + set isTdnf to ARGS["pkg-mgr"] = "tdnf" || (!isDnf && isMariner) ^ + set isApk to ARGS["pkg-mgr"] = "apk" || isAlpine +}}{{ +if isDnf:dnf remove -y{{ARGS["pkg-mgr-opts"]}} \^ +elif isApk:apk del{{ARGS["pkg-mgr-opts"]}} \^ +elif isTdnf:tdnf remove -y{{ARGS["pkg-mgr-opts"]}} \^ +else:apt-get remove \ +&&{{if ARGS["noninteractive"]: DEBIAN_FRONTEND=noninteractive}} apt-get remove -y {{ARGS["pkg-mgr-opts"]}} \}}{{ +for index, pkg in ARGS["pkgs"]: + {{pkg}} \}}{{if !no-clean:{{ +if isTdnf: +&& tdnf clean all{{ARGS["pkg-mgr-opts"]}}^ +elif isDnf: +&& dnf autoremove{{ARGS["pkg-mgr-opts"]}} \ +&& dnf clean all{{ARGS["pkg-mgr-opts"]}}^ +elif !isApk: +&& apt-get autoremove \ +&& rm -rf /var/lib/apt/lists/*}}}} diff --git a/eng/dockerfile-templates/monitor/Dockerfile.envs b/eng/dockerfile-templates/monitor/Dockerfile.envs index ed6309449d..dfb4c93935 100644 --- a/eng/dockerfile-templates/monitor/Dockerfile.envs +++ b/eng/dockerfile-templates/monitor/Dockerfile.envs @@ -2,8 +2,9 @@ _ .NET major version matches the major version of dotnet-monitor ^ set dotnetMajor to split(PRODUCT_VERSION, ".")[0] }}ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ + {{if dotnetMajor != "6" && dotnetMajor != "7":# Unset ASPNETCORE_HTTP_PORTS from aspnet base image + ASPNETCORE_HTTP_PORTS= \^else:# Unset ASPNETCORE_URLS from aspnet base image + ASPNETCORE_URLS= \}} # Disable debugger and profiler diagnostics to avoid diagnosing self. COMPlus_EnableDiagnostics=0 \ # Default Filter 
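Review bot: The apt branch at `else:apt-get remove \` runs `apt-get remove` twice — the first invocation carries no package list and no `-y`, which looks like a leftover of the `apt-get update &&` line copied from Dockerfile.linux.install-pkgs and is at best a no-op — and the later `&& apt-get autoremove \` also lacks `-y`, so a non-interactive build can abort at the confirmation prompt whenever autoremove has something to remove. The cleanup guard `{{if !no-clean:` references a bare name whereas the sibling template uses `{{if !ARGS["no-clean"]:`; unless the template engine resolves bare names to ARGS, the argument documented at the top is never read. I would change those three lines to `else:{{if ARGS["noninteractive"]:DEBIAN_FRONTEND=noninteractive }}apt-get remove -y{{ARGS["pkg-mgr-opts"]}} \}}{{`, `{{if !ARGS["no-clean"]:{{` and `&& apt-get autoremove -y \`. The argument doc also says "cleanup after install" although this template removes packages. On Mariner, `tdnf remove` only removes the listed packages, so any dependency that `shadow-utils` pulled in presumably stays in the image unless it is listed too — worth verifying on the rendered cbl-mariner2.0 Dockerfile.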
diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile b/eng/dockerfile-templates/runtime-deps/Dockerfile index 2235aefe68..e4eb19cd4c 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile @@ -19,7 +19,11 @@ set isRpmInstall to isMariner && dotnetVersion = "6.0" ^ set isSingleStage to !(isRpmInstall && isInternal) ^ set urlSuffix to when(isInternal, "$SAS_QUERY_STRING", "") ^ - set rpmFilename to "dotnet-runtime-deps.rpm" + set rpmFilename to "dotnet-runtime-deps.rpm" ^ + set utilPkgs to when(isMariner && dotnetVersion != "6.0" && dotnetVersion != "7.0", ["shadow-utils"], []) ^ + set username to "app" ^ + set uid to 101 ^ + set gid to uid }}{{ if !isSingleStage:# Installer image }}FROM {{baseImageRepo}}:{{baseImageTag}}{{if !isSingleStage: AS installer}}{{ if isInternal && isRpmInstall: @@ -52,5 +56,14 @@ RUN {{InsertTemplate("../Dockerfile.linux.install-deps")}} "url-suffix": urlSuffix, "filename": rpmFilename ])}} +}}{{if dotnetVersion != "6.0" && dotnetVersion != "7.0": +# Create a non-root user and group +RUN {{InsertTemplate("Dockerfile.linux.non-root-user", + [ + "name": username, + "uid": uid, + "gid": gid, + "append-cmd": len(utilPkgs) > 0 + ])}} }} {{InsertTemplate("../Dockerfile.common-dotnet-envs")}} diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu b/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu index 1b07fe0385..7ffa7df42c 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.chiseled-ubuntu @@ -16,8 +16,7 @@ FROM {{ARCH_VERSIONED}}/ubuntu:{{osVersionBase}} as builder RUN apt-get update && \ apt-get install -y ca-certificates -RUN {{InsertTemplate("Dockerfile.linux.distroless-user", - [ +RUN {{InsertTemplate("Dockerfile.linux.distroless-user", [ "staging-dir": "/rootfs", "exclusive": "true", "create-dir": "true", 
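Review bot: The new `RUN {{InsertTemplate("Dockerfile.linux.non-root-user", ...)}}` call passes `"append-cmd": len(utilPkgs) > 0`, but the non-root-user template added by this patch documents only `name`, `uid`, `gid` and `no-create-home` and computes its own `utilPkgs`, so both that argument and the `set utilPkgs` line in the first hunk are dead; drop them or make the template honor them, otherwise the two definitions of which packages to install will drift. The comment `# Create a non-root user and group` should also state what the user is for, because nothing in these hunks adds a `USER` instruction and, as far as this template shows, the image still starts as root: I would write `# Create a non-root user and group; images still start as root, consumers opt in with USER app (or the numeric USER 101 that policies enforcing non-root can verify)`. Pinning `uid`/`gid` to 101 is the right call for that, and a short template comment `_ Fixed UID/GID so the ID is stable across distros and tags` would record the intent. The end of the template body is outside these hunks.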
@@ -25,8 +24,7 @@ RUN {{InsertTemplate("Dockerfile.linux.distroless-user", "uid": uid, "gid": gid, "create-home": "true" - ], - " ")}} + ])}} COPY --from=chisel /opt/chisel/chisel /usr/bin/ RUN chisel cut --release "ubuntu-{{osVersionNumber}}" --root /rootfs \ diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner index c56894fd97..bc6d28de4b 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner @@ -40,9 +40,8 @@ RUN {{InsertTemplate("Dockerfile.linux.distroless-user", "name": username, "uid": uid, "gid": gid, - "create-home": createUserHome - ], - " ")}} + "no-create-home": !createUserHome + ])}} # Clean up staging RUN rm -rf {{distrolessStagingDir}}/etc/{{when(find(OS_VERSION, "1.0") >= 0, "dnf", "tdnf")}} \ diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user b/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user index 14b68d6a93..0fd74c5dcf 100644 --- a/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.distroless-user 
@@ -7,28 +7,24 @@ name: Name of the user/group to create uid: ID of the user to be created gid: ID of the group to be created - create-home (optional): Indicates whether a home directory should be created for the user ^ + no-create-home (optional): Indicates whether a home directory should be created for the user ^ set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^ - set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 -}}groupadd \ - --system \ - --gid={{ARGS["gid"]}} \ - {{ARGS["name"]}} \ -&& adduser \ - --uid {{ARGS["uid"]}} \ - --gid {{ARGS["gid"]}} \ - --shell /bin/false \{{if !ARGS["create-home"]: - --no-create-home \}} - --system \ - {{ARGS["name"]}} \{{ -if ARGS["create-home"]: -&& install -d -m 0755 -o {{ARGS["uid"]}} -g {{ARGS["gid"]}} "{{ARGS["staging-dir"]}}/home/{{ARGS["name"]}}" \}}{{ -if ARGS["exclusive"]:{{if ARGS["create-dir"]: -&& mkdir -p "{{ARGS["staging-dir"]}}/etc" \}} -&& rootOrAppRegex='@^\(root\|app\):' \ -&& cat /etc/passwd | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/passwd" \ -&& cat /etc/group | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/group"^ -else: -# Copy user/group info to staging -&& cp /etc/passwd {{ARGS["staging-dir"]}}/etc/passwd \ -&& cp /etc/group {{ARGS["staging-dir"]}}/etc/group}} + set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^ + set isAlpine to find(OS_VERSION, "alpine") >= 0 +}}{{InsertTemplate("Dockerfile.linux.non-root-user", +[ + "name": ARGS["name"], + "uid": ARGS["uid"], + "gid": ARGS["gid"], + "no-create-home": ARGS["no-create-home"] +])}} \{{if !ARGS["no-create-home"]: + && install -d -m 0755 -o {{ARGS["uid"]}} -g {{ARGS["gid"]}} "{{ARGS["staging-dir"]}}/home/{{ARGS["name"]}}" \}}{{ + if ARGS["exclusive"]:{{if ARGS["create-dir"]: + && mkdir -p "{{ARGS["staging-dir"]}}/etc" \}} + && rootOrAppRegex='@^\(root\|app\):' \ + && cat /etc/passwd | grep $rootOrAppRegex > "{{ARGS["staging-dir"]}}/etc/passwd" \ + && cat /etc/group | grep $rootOrAppRegex > 
"{{ARGS["staging-dir"]}}/etc/group"^ + else: + # Copy user/group info to staging + && cp /etc/passwd {{ARGS["staging-dir"]}}/etc/passwd \ + && cp /etc/group {{ARGS["staging-dir"]}}/etc/group}} diff --git a/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user b/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user new file mode 100644 index 0000000000..2dcc1abf2b --- /dev/null +++ b/eng/dockerfile-templates/runtime-deps/Dockerfile.linux.non-root-user @@ -0,0 +1,32 @@ +{{ + _ Configures a non-root user + _ ARGS: + name: Name of the user/group to create + uid: ID of the user to be created + gid: ID of the group to be created + no-create-home (optional): Indicates whether a home directory should be created for the user ^ + set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^ + set isAlpine to find(OS_VERSION, "alpine") >= 0 ^ + set isDebian to find(OS_ARCH_HYPHENATED, "Debian") >= 0 ^ + set isMariner to find(OS_VERSION, "cbl-mariner") >= 0 ^ + set isDistrolessMariner to defined(match(OS_VERSION, "^cbl-mariner\d+\.\d+-distroless$")) ^ + set utilPkgs to when(isMariner && !isDistrolessMariner && dotnetVersion != "6.0" && dotnetVersion != "7.0", ["shadow-utils"], []) +}}{{if len(utilPkgs) > 0:{{InsertTemplate("../Dockerfile.linux.install-pkgs", [ + "pkgs": utilPkgs, + "no-clean": "true" + ])}} + && }}{{if isAlpine:addgroup^else:groupadd}} \ + --system \ + --gid={{ARGS["gid"]}} \ + {{ARGS["name"]}} \ + && {{if isDebian:useradd^else:adduser}} \ + --uid {{ARGS["uid"]}} \ + {{if isAlpine:--ingroup={{ARGS["name"]}}^else:--gid {{ARGS["gid"]}}}} \ + --shell /bin/false \{{if ARGS["no-create-home"]: + --no-create-home \^elif dotnetVersion != "6.0" && dotnetVersion != "7.0" && (isMariner || isDebian): + --create-home \}} + --system \ + {{ARGS["name"]}}{{if len(utilPkgs) > 0: \ + && {{InsertTemplate("../Dockerfile.linux.remove-pkgs", [ + "pkgs": utilPkgs + ], " ")}}}} 
diff --git a/eng/dockerfile-templates/sdk/Dockerfile.envs b/eng/dockerfile-templates/sdk/Dockerfile.envs index f5b667b31c..86f4516b32 100644 --- a/eng/dockerfile-templates/sdk/Dockerfile.envs +++ b/eng/dockerfile-templates/sdk/Dockerfile.envs @@ -3,9 +3,9 @@ set isAlpine to find(OS_VERSION, "alpine") >= 0 ^ set isWindows to find(OS_VERSION, "nanoserver") >= 0 || find(OS_VERSION, "windowsservercore") >= 0 ^ set lineContinuation to when(isWindows, "`", "\") -}}ENV {{lineContinuation}} +}}ENV {{lineContinuation}}{{if dotnetVersion = "6.0" || dotnetVersion = "7.0": # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= {{lineContinuation}} + ASPNETCORE_URLS= {{lineContinuation}}}} # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false {{lineContinuation}} # Do not show first run text diff --git a/eng/dockerfile-templates/sdk/Dockerfile.linux.first-run b/eng/dockerfile-templates/sdk/Dockerfile.linux.first-run index bf7ff884bf..a49b696235 100644 --- a/eng/dockerfile-templates/sdk/Dockerfile.linux.first-run +++ b/eng/dockerfile-templates/sdk/Dockerfile.linux.first-run @@ -1,6 +1,5 @@ {{ _ ARGS append-cmd: Indicates whether to append the command to an existing command - }}# Trigger first run experience by running arbitrary cmd {{if ARGS["append-cmd"]:&&^else:RUN}} dotnet help \ No newline at end of file diff --git a/manifest.json b/manifest.json index 1fb053c635..0ec42d9083 100644 --- a/manifest.json +++ b/manifest.json @@ -790,7 +790,7 @@ }, "platforms": [ { - "dockerfile": "src/runtime-deps/6.0/alpine3.17/amd64", + "dockerfile": "src/runtime-deps/8.0/alpine3.17/amd64", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile", "os": "linux", "osVersion": "alpine3.17", 
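Review bot: For 8.0+ the SDK template now inherits `ASPNETCORE_HTTP_PORTS=8080` from the aspnet base image without clearing it, while `monitor/Dockerfile.envs` in the same patch explicitly resets `ASPNETCORE_HTTP_PORTS=`; if keeping it in the SDK image is deliberate (presumably because an explicit `ASPNETCORE_URLS` or launchSettings URL takes precedence over `ASPNETCORE_HTTP_PORTS`), say so, otherwise `dotnet run` inside the sdk container could bind a port the developer did not configure. I would add a template comment next to the `{{if dotnetVersion = "6.0" || dotnetVersion = "7.0":` branch such as `_ 8.0+: ASPNETCORE_HTTP_PORTS inherited from aspnet is intentionally kept; explicit URL configuration overrides it`. The rest of the `ENV` statement is outside this hunk.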
@@ -802,7 +802,7 @@ }, { "architecture": "arm", - "dockerfile": "src/runtime-deps/6.0/alpine3.17/arm32v7", + "dockerfile": "src/runtime-deps/8.0/alpine3.17/arm32v7", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile", "os": "linux", "osVersion": "alpine3.17", @@ -815,7 +815,7 @@ }, { "architecture": "arm64", - "dockerfile": "src/runtime-deps/6.0/alpine3.17/arm64v8", + "dockerfile": "src/runtime-deps/8.0/alpine3.17/arm64v8", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile", "os": "linux", "osVersion": "alpine3.17", @@ -836,7 +836,7 @@ }, "platforms": [ { - "dockerfile": "src/runtime-deps/6.0/jammy/amd64", + "dockerfile": "src/runtime-deps/8.0/jammy/amd64", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile", "os": "linux", "osVersion": "jammy", @@ -847,7 +847,7 @@ }, { "architecture": "arm", - "dockerfile": "src/runtime-deps/6.0/jammy/arm32v7", + "dockerfile": "src/runtime-deps/8.0/jammy/arm32v7", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile", "os": "linux", "osVersion": "jammy", @@ -859,7 +859,7 @@ }, { "architecture": "arm64", - "dockerfile": "src/runtime-deps/6.0/jammy/arm64v8", + "dockerfile": "src/runtime-deps/8.0/jammy/arm64v8", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile", "os": "linux", "osVersion": "jammy", @@ -935,7 +935,7 @@ }, "platforms": [ { - "dockerfile": "src/runtime-deps/7.0/cbl-mariner2.0/amd64", + "dockerfile": "src/runtime-deps/8.0/cbl-mariner2.0/amd64", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile", "os": "linux", "osVersion": "cbl-mariner2.0", @@ -953,7 +953,7 @@ }, { "architecture": "arm64", - "dockerfile": "src/runtime-deps/7.0/cbl-mariner2.0/arm64v8", + "dockerfile": "src/runtime-deps/8.0/cbl-mariner2.0/arm64v8", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile", "os": "linux", "osVersion": "cbl-mariner2.0", 
@@ -987,7 +987,7 @@ }, "platforms": [ { - "dockerfile": "src/runtime-deps/7.0/cbl-mariner2.0-distroless/amd64", + "dockerfile": "src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner", "os": "linux", "osVersion": "cbl-mariner2.0-distroless", @@ -1014,7 +1014,7 @@ }, { "architecture": "arm64", - "dockerfile": "src/runtime-deps/7.0/cbl-mariner2.0-distroless/arm64v8", + "dockerfile": "src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8", "dockerfileTemplate": "eng/dockerfile-templates/runtime-deps/Dockerfile.distroless-mariner", "os": "linux", "osVersion": "cbl-mariner2.0-distroless", diff --git a/src/monitor/8.0/cbl-mariner-distroless/amd64/Dockerfile b/src/monitor/8.0/cbl-mariner-distroless/amd64/Dockerfile index 01ec0b6249..2e51095ea1 100644 --- a/src/monitor/8.0/cbl-mariner-distroless/amd64/Dockerfile +++ b/src/monitor/8.0/cbl-mariner-distroless/amd64/Dockerfile @@ -26,8 +26,8 @@ WORKDIR /app COPY --from=installer /app . ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ + # Unset ASPNETCORE_HTTP_PORTS from aspnet base image + ASPNETCORE_HTTP_PORTS= \ # Disable debugger and profiler diagnostics to avoid diagnosing self. COMPlus_EnableDiagnostics=0 \ # Default Filter diff --git a/src/monitor/8.0/cbl-mariner-distroless/arm64v8/Dockerfile b/src/monitor/8.0/cbl-mariner-distroless/arm64v8/Dockerfile index e9c5e9faf6..29cf6bb2aa 100644 --- a/src/monitor/8.0/cbl-mariner-distroless/arm64v8/Dockerfile +++ b/src/monitor/8.0/cbl-mariner-distroless/arm64v8/Dockerfile @@ -26,8 +26,8 @@ WORKDIR /app COPY --from=installer /app . ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ + # Unset ASPNETCORE_HTTP_PORTS from aspnet base image + ASPNETCORE_HTTP_PORTS= \ # Disable debugger and profiler diagnostics to avoid diagnosing self. COMPlus_EnableDiagnostics=0 \ # Default Filter 
diff --git a/src/monitor/8.0/ubuntu-chiseled/amd64/Dockerfile b/src/monitor/8.0/ubuntu-chiseled/amd64/Dockerfile index a29470c238..f0c1bac8c7 100644 --- a/src/monitor/8.0/ubuntu-chiseled/amd64/Dockerfile +++ b/src/monitor/8.0/ubuntu-chiseled/amd64/Dockerfile @@ -20,8 +20,8 @@ WORKDIR /app COPY --from=installer /app . ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ + # Unset ASPNETCORE_HTTP_PORTS from aspnet base image + ASPNETCORE_HTTP_PORTS= \ # Disable debugger and profiler diagnostics to avoid diagnosing self. COMPlus_EnableDiagnostics=0 \ # Default Filter diff --git a/src/monitor/8.0/ubuntu-chiseled/arm64v8/Dockerfile b/src/monitor/8.0/ubuntu-chiseled/arm64v8/Dockerfile index bdd5e7e492..e8f58697c9 100644 --- a/src/monitor/8.0/ubuntu-chiseled/arm64v8/Dockerfile +++ b/src/monitor/8.0/ubuntu-chiseled/arm64v8/Dockerfile @@ -20,8 +20,8 @@ WORKDIR /app COPY --from=installer /app . ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ + # Unset ASPNETCORE_HTTP_PORTS from aspnet base image + ASPNETCORE_HTTP_PORTS= \ # Disable debugger and profiler diagnostics to avoid diagnosing self. COMPlus_EnableDiagnostics=0 \ # Default Filter diff --git a/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile b/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile new file mode 100644 index 0000000000..050193985f --- /dev/null +++ b/src/runtime-deps/8.0/alpine3.17/amd64/Dockerfile 
@@ -0,0 +1,32 @@
+FROM amd64/alpine:3.17
+
+RUN apk add --no-cache \
+ ca-certificates \
+ \
+ # .NET dependencies
+ krb5-libs \
+ libgcc \
+ libintl \
+ libssl3 \
+ libstdc++ \
+ zlib
+
+# Create a non-root user and group
+RUN addgroup \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --ingroup=app \
+ --shell /bin/false \
+ --system \
+ app
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true \
+ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
+ DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true
diff --git a/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile b/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile
new file mode 100644
index 0000000000..b3e742d8a6
--- /dev/null
+++ b/src/runtime-deps/8.0/alpine3.17/arm32v7/Dockerfile
@@ -0,0 +1,32 @@
+FROM arm32v7/alpine:3.17
+
+RUN apk add --no-cache \
+ ca-certificates \
+ \
+ # .NET dependencies
+ krb5-libs \
+ libgcc \
+ libintl \
+ libssl3 \
+ libstdc++ \
+ zlib
+
+# Create a non-root user and group
+RUN addgroup \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --ingroup=app \
+ --shell /bin/false \
+ --system \
+ app
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true \
+ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
+ DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true
diff --git a/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile b/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile
new file mode 100644
index 0000000000..80a909f5c2
--- /dev/null
+++ b/src/runtime-deps/8.0/alpine3.17/arm64v8/Dockerfile
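Review bot: Unlike the bookworm-slim Dockerfiles in this patch, the Alpine `adduser` call passes neither `--create-home` nor `--home`, so whether `/home/app` exists in these images depends on busybox's default for `--system` users, which is not visible here; if parity with the Debian images is intended, add `--home /home/app` and verify the directory's owner, otherwise a comment such as `# no explicit home: busybox adduser --system default is relied on — intentional` would stop the next reader from "fixing" it. These Dockerfiles add no `USER` instruction either, so as far as this file shows the image still starts as root; that is a reasonable opt-in design, but the line `# Create a non-root user and group` could say `# Create a non-root user and group (opt in with USER app or --user 101; the image still runs as root by default)`. The same applies to the arm32v7 and arm64v8 variants, which are byte-for-byte the same apart from the base image.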
@@ -0,0 +1,32 @@ +FROM arm64v8/alpine:3.17 + +RUN apk add --no-cache \ + ca-certificates \ + \ + # .NET dependencies + krb5-libs \ + libgcc \ + libintl \ + libssl3 \ + libstdc++ \ + zlib + +# Create a non-root user and group +RUN addgroup \ + --system \ + --gid=101 \ + app \ + && adduser \ + --uid 101 \ + --ingroup=app \ + --shell /bin/false \ + --system \ + app + +ENV \ + # Configure web servers to bind to port 8080 when present + ASPNETCORE_HTTP_PORTS=8080 \ + # Enable detection of running in a container + DOTNET_RUNNING_IN_CONTAINER=true \ + # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20) + DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true diff --git a/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile index 369c8664c4..9275d4739c 100644 --- a/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile +++ b/src/runtime-deps/8.0/bookworm-slim/amd64/Dockerfile @@ -14,8 +14,21 @@ RUN apt-get update \ zlib1g \ && rm -rf /var/lib/apt/lists/* +# Create a non-root user and group +RUN groupadd \ + --system \ + --gid=101 \ + app \ + && useradd \ + --uid 101 \ + --gid 101 \ + --shell /bin/false \ + --create-home \ + --system \ + app + ENV \ - # Configure web servers to bind to port 80 when present - ASPNETCORE_URLS=http://+:80 \ + # Configure web servers to bind to port 8080 when present + ASPNETCORE_HTTP_PORTS=8080 \ # Enable detection of running in a container DOTNET_RUNNING_IN_CONTAINER=true diff --git a/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile index e4e6f2b4fd..94c8a4ef79 100644 --- a/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile +++ b/src/runtime-deps/8.0/bookworm-slim/arm32v7/Dockerfile 
@@ -14,8 +14,21 @@ RUN apt-get update \
 zlib1g \
 && rm -rf /var/lib/apt/lists/*
+# Create a non-root user and group
+RUN groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && useradd \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --create-home \
+ --system \
+ app
+
 ENV \
- # Configure web servers to bind to port 80 when present
- ASPNETCORE_URLS=http://+:80 \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
 # Enable detection of running in a container
 DOTNET_RUNNING_IN_CONTAINER=true
diff --git a/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile b/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile
index a2755e3b9d..849d7391ed 100644
--- a/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile
+++ b/src/runtime-deps/8.0/bookworm-slim/arm64v8/Dockerfile
@@ -14,8 +14,21 @@ RUN apt-get update \
 zlib1g \
 && rm -rf /var/lib/apt/lists/*
+# Create a non-root user and group
+RUN groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && useradd \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --create-home \
+ --system \
+ app
+
 ENV \
- # Configure web servers to bind to port 80 when present
- ASPNETCORE_URLS=http://+:80 \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
 # Enable detection of running in a container
 DOTNET_RUNNING_IN_CONTAINER=true
diff --git a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile
new file mode 100644
index 0000000000..b8247c5e58
--- /dev/null
+++ b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64/Dockerfile
@@ -0,0 +1,75 @@
+# Installer image
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 AS installer
+
+RUN tdnf install -y \
+ gawk \
+ shadow-utils \
+ && tdnf clean all
+
+# Install .NET's dependencies into a staging location
+RUN mkdir /staging \
+ && tdnf install -y --releasever=2.0 --installroot /staging \
+ prebuilt-ca-certificates \
+ \
+ # .NET dependencies
+ glibc \
+ krb5 \
+ libgcc \
+ libstdc++ \
+ openssl-libs \
+ zlib \
+ && tdnf clean all --releasever=2.0 --installroot /staging
+
+# Generate RPM manifest file by appending to the original manifest file from base distroless image
+COPY --from=mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 /var/lib/rpmmanifest/container-manifest-2 /tmp/rpmmanifest
+RUN tmpManifestPath="/tmp/rpmmanifest" \
+ && rpm --query --all --queryformat "%{NAME}\t%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\t%{BUILDTIME}\t%{VENDOR}\t%{EPOCH}\t%{SIZE}\t%{ARCH}\t%{EPOCHNUM}\t%{SOURCERPM}\n" --root /staging | grep -v gpg-pubkey >> $tmpManifestPath \
+ && mkdir -p /staging/var/lib/rpmmanifest \
+ # Remove duplicates that match on the first field (package name)
+ && tac $tmpManifestPath | gawk '!x[$1]++' | sort > /staging/var/lib/rpmmanifest/container-manifest-2
+
+
+# Create a non-root user and group
+RUN groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --create-home \
+ --system \
+ app \
+ && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
+ && rootOrAppRegex='^\(root\|app\):' \
+ && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
+ && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
+
+# Clean up staging
+RUN rm -rf /staging/etc/tdnf \
+ && rm -rf /staging/run/* \
+ && rm -rf /staging/var/cache/tdnf \
+ && rm -rf /staging/var/lib/rpm \
+ && rm -rf /staging/usr/share/doc \
+ && rm -rf /staging/usr/share/man \
+ && find /staging/var/log -type f -size +0 -delete
+
+
+# .NET runtime-deps image
+FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0
+
+COPY --from=installer /staging/ /
+
+# Workaround for https://github.com/moby/moby/issues/38710
+COPY --from=installer --chown=101:101 /staging/home/app /home/app
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true \
+ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
+ DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true
+
+USER app
diff --git a/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
new file mode 100644
index 0000000000..b8247c5e58
--- /dev/null
+++ b/src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8/Dockerfile
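Review bot: `cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd"` leaves the pattern variable unquoted; it works today only because `^\(root\|app\):` contains no whitespace or glob characters, and the `cat` is redundant. `grep "$rootOrAppRegex" /etc/passwd > "/staging/etc/passwd"` (and the same for `/etc/group`) is the robust form. It is also worth a comment that only `/etc/passwd` and `/etc/group` are carried into the staging root and `/etc/shadow` is not, so the final image holds no password entries for `root` or `app` — recording that intent keeps a later "copy the rest of /etc" change from quietly shipping them. The arm64v8 hunk below is identical.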
@@ -0,0 +1,75 @@
+# Installer image
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 AS installer
+
+RUN tdnf install -y \
+ gawk \
+ shadow-utils \
+ && tdnf clean all
+
+# Install .NET's dependencies into a staging location
+RUN mkdir /staging \
+ && tdnf install -y --releasever=2.0 --installroot /staging \
+ prebuilt-ca-certificates \
+ \
+ # .NET dependencies
+ glibc \
+ krb5 \
+ libgcc \
+ libstdc++ \
+ openssl-libs \
+ zlib \
+ && tdnf clean all --releasever=2.0 --installroot /staging
+
+# Generate RPM manifest file by appending to the original manifest file from base distroless image
+COPY --from=mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 /var/lib/rpmmanifest/container-manifest-2 /tmp/rpmmanifest
+RUN tmpManifestPath="/tmp/rpmmanifest" \
+ && rpm --query --all --queryformat "%{NAME}\t%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\t%{BUILDTIME}\t%{VENDOR}\t%{EPOCH}\t%{SIZE}\t%{ARCH}\t%{EPOCHNUM}\t%{SOURCERPM}\n" --root /staging | grep -v gpg-pubkey >> $tmpManifestPath \
+ && mkdir -p /staging/var/lib/rpmmanifest \
+ # Remove duplicates that match on the first field (package name)
+ && tac $tmpManifestPath | gawk '!x[$1]++' | sort > /staging/var/lib/rpmmanifest/container-manifest-2
+
+
+# Create a non-root user and group
+RUN groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --create-home \
+ --system \
+ app \
+ && install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
+ && rootOrAppRegex='^\(root\|app\):' \
+ && cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
+ && cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"
+
+# Clean up staging
+RUN rm -rf /staging/etc/tdnf \
+ && rm -rf /staging/run/* \
+ && rm -rf /staging/var/cache/tdnf \
+ && rm -rf /staging/var/lib/rpm \
+ && rm -rf /staging/usr/share/doc \
+ && rm -rf /staging/usr/share/man \
+ && find /staging/var/log -type f -size +0 -delete
+
+
+# .NET runtime-deps image
+FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0
+
+COPY --from=installer /staging/ /
+
+# Workaround for https://github.com/moby/moby/issues/38710
+COPY --from=installer --chown=101:101 /staging/home/app /home/app
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true \
+ # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
+ DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true
+
+USER app
diff --git a/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile
new file mode 100644
index 0000000000..c6b97f52fa
--- /dev/null
+++ b/src/runtime-deps/8.0/cbl-mariner2.0/amd64/Dockerfile
@@ -0,0 +1,38 @@
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+
+RUN tdnf install -y \
+ ca-certificates \
+ \
+ # .NET dependencies
+ glibc \
+ icu \
+ krb5 \
+ libgcc \
+ libstdc++ \
+ openssl-libs \
+ zlib \
+ && tdnf clean all
+
+# Create a non-root user and group
+RUN tdnf install -y \
+ shadow-utils \
+ && groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --create-home \
+ --system \
+ app \
+ && tdnf remove -y \
+ shadow-utils \
+ && tdnf clean all
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true
diff --git a/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile b/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile
new file mode 100644
index 0000000000..c6b97f52fa
--- /dev/null
+++ b/src/runtime-deps/8.0/cbl-mariner2.0/arm64v8/Dockerfile
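Review bot: In the cbl-mariner2.0 (non-distroless) hunk, `tdnf remove -y shadow-utils` right after the user is created keeps useradd/groupadd out of the shipped image, which is a good surface reduction, but the reason is not recorded and downstream images that want a second user will find `adduser` missing; suggest `# shadow-utils is needed only to create the user; remove it so it is not shipped in the image`. Whether `tdnf remove` also takes the dependencies it pulled in, and whether the final `tdnf clean all` leaves `/var/cache/tdnf` empty in this single layer, is not visible here — worth confirming once, since the install and removal share a RUN precisely so no residue lands in a layer. The arm64v8 hunk is identical.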
@@ -0,0 +1,38 @@
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+
+RUN tdnf install -y \
+ ca-certificates \
+ \
+ # .NET dependencies
+ glibc \
+ icu \
+ krb5 \
+ libgcc \
+ libstdc++ \
+ openssl-libs \
+ zlib \
+ && tdnf clean all
+
+# Create a non-root user and group
+RUN tdnf install -y \
+ shadow-utils \
+ && groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --create-home \
+ --system \
+ app \
+ && tdnf remove -y \
+ shadow-utils \
+ && tdnf clean all
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true
diff --git a/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile b/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile
index 71f47b8ac1..6789f02bf3 100644
--- a/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile
+++ b/src/runtime-deps/8.0/jammy-chiseled/amd64/Dockerfile
@@ -47,7 +47,7 @@ COPY --from=builder --chown=101:101 /rootfs/home/app /home/app
 ENV \
 # Configure web servers to bind to port 8080 when present
- ASPNETCORE_URLS=http://+:8080 \
+ ASPNETCORE_HTTP_PORTS=8080 \
 # Enable detection of running in a container
 DOTNET_RUNNING_IN_CONTAINER=true \
 # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
diff --git a/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile b/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile
index beb4630ee9..0a6bc05d1c 100644
--- a/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile
+++ b/src/runtime-deps/8.0/jammy-chiseled/arm64v8/Dockerfile
@@ -47,7 +47,7 @@ COPY --from=builder --chown=101:101 /rootfs/home/app /home/app
 ENV \
 # Configure web servers to bind to port 8080 when present
- ASPNETCORE_URLS=http://+:8080 \
+ ASPNETCORE_HTTP_PORTS=8080 \
 # Enable detection of running in a container
 DOTNET_RUNNING_IN_CONTAINER=true \
 # Set the invariant mode since ICU package isn't included (see https://github.com/dotnet/announcements/issues/20)
diff --git a/src/runtime-deps/8.0/jammy/amd64/Dockerfile b/src/runtime-deps/8.0/jammy/amd64/Dockerfile
new file mode 100644
index 0000000000..b25b847fef
--- /dev/null
+++ b/src/runtime-deps/8.0/jammy/amd64/Dockerfile
@@ -0,0 +1,33 @@
+FROM ubuntu.azurecr.io/ubuntu:jammy
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ \
+ # .NET dependencies
+ libc6 \
+ libgcc1 \
+ libgssapi-krb5-2 \
+ libicu70 \
+ libssl3 \
+ libstdc++6 \
+ zlib1g \
+ && rm -rf /var/lib/apt/lists/*
+
+# Create a non-root user and group
+RUN groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --system \
+ app
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true
diff --git a/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile b/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile
new file mode 100644
index 0000000000..b25b847fef
--- /dev/null
+++ b/src/runtime-deps/8.0/jammy/arm32v7/Dockerfile
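Review bot: The jammy hunk creates the user with `adduser --system` and no home-directory flag, while the bookworm-slim hunks in this patch use `useradd --system --create-home`; as far as I recall Debian's `adduser` creates the home for system users on its own, so both should end up with `/home/app`, but the two spellings look inconsistent and a reader may "fix" one into the other — `useradd --system` without `--create-home` would silently drop the home. A comment such as `# adduser (Debian) creates /home/app itself; useradd would need --create-home` on the RUN records why the flag is absent here. The same applies to the arm32v7 and arm64v8 jammy hunks.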
@@ -0,0 +1,33 @@
+FROM ubuntu.azurecr.io/ubuntu:jammy
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ \
+ # .NET dependencies
+ libc6 \
+ libgcc1 \
+ libgssapi-krb5-2 \
+ libicu70 \
+ libssl3 \
+ libstdc++6 \
+ zlib1g \
+ && rm -rf /var/lib/apt/lists/*
+
+# Create a non-root user and group
+RUN groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --system \
+ app
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true
diff --git a/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile b/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile
new file mode 100644
index 0000000000..b25b847fef
--- /dev/null
+++ b/src/runtime-deps/8.0/jammy/arm64v8/Dockerfile
@@ -0,0 +1,33 @@
+FROM ubuntu.azurecr.io/ubuntu:jammy
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ \
+ # .NET dependencies
+ libc6 \
+ libgcc1 \
+ libgssapi-krb5-2 \
+ libicu70 \
+ libssl3 \
+ libstdc++6 \
+ zlib1g \
+ && rm -rf /var/lib/apt/lists/*
+
+# Create a non-root user and group
+RUN groupadd \
+ --system \
+ --gid=101 \
+ app \
+ && adduser \
+ --uid 101 \
+ --gid 101 \
+ --shell /bin/false \
+ --system \
+ app
+
+ENV \
+ # Configure web servers to bind to port 8080 when present
+ ASPNETCORE_HTTP_PORTS=8080 \
+ # Enable detection of running in a container
+ DOTNET_RUNNING_IN_CONTAINER=true
diff --git a/src/runtime/8.0/nanoserver-1809/amd64/Dockerfile b/src/runtime/8.0/nanoserver-1809/amd64/Dockerfile
index 270478b349..bab74fd7d8 100644
--- a/src/runtime/8.0/nanoserver-1809/amd64/Dockerfile
+++ b/src/runtime/8.0/nanoserver-1809/amd64/Dockerfile
@@ -25,8 +25,8 @@ RUN powershell -Command ` FROM mcr.microsoft.com/windows/nanoserver:1809-amd64 ENV ` - # Configure web servers to bind to port 80 when present - ASPNETCORE_URLS=http://+:80 ` + # Configure web servers to bind to port 8080 when present + ASPNETCORE_HTTP_PORTS=8080 ` # Enable detection of running in a container DOTNET_RUNNING_IN_CONTAINER=true ` # .NET Runtime version diff --git a/src/runtime/8.0/nanoserver-ltsc2022/amd64/Dockerfile b/src/runtime/8.0/nanoserver-ltsc2022/amd64/Dockerfile index 44cc4e74fa..569317ff5f 100644 --- a/src/runtime/8.0/nanoserver-ltsc2022/amd64/Dockerfile +++ b/src/runtime/8.0/nanoserver-ltsc2022/amd64/Dockerfile @@ -25,8 +25,8 @@ RUN powershell -Command ` FROM mcr.microsoft.com/windows/nanoserver:ltsc2022-amd64 ENV ` - # Configure web servers to bind to port 80 when present - ASPNETCORE_URLS=http://+:80 ` + # Configure web servers to bind to port 8080 when present + ASPNETCORE_HTTP_PORTS=8080 ` # Enable detection of running in a container DOTNET_RUNNING_IN_CONTAINER=true ` # .NET Runtime version diff --git a/src/runtime/8.0/windowsservercore-ltsc2019/amd64/Dockerfile b/src/runtime/8.0/windowsservercore-ltsc2019/amd64/Dockerfile index 4feb8cd57b..3fb773504f 100644 --- a/src/runtime/8.0/windowsservercore-ltsc2019/amd64/Dockerfile +++ b/src/runtime/8.0/windowsservercore-ltsc2019/amd64/Dockerfile @@ -3,8 +3,8 @@ FROM mcr.microsoft.com/windows/servercore:ltsc2019-amd64 ENV ` - # Configure web servers to bind to port 80 when present - ASPNETCORE_URLS=http://+:80 ` + # Configure web servers to bind to port 8080 when present + ASPNETCORE_HTTP_PORTS=8080 ` # Enable detection of running in a container DOTNET_RUNNING_IN_CONTAINER=true ` # .NET Runtime version diff --git a/src/runtime/8.0/windowsservercore-ltsc2022/amd64/Dockerfile b/src/runtime/8.0/windowsservercore-ltsc2022/amd64/Dockerfile index 066876b63b..1d554ca461 100644 --- a/src/runtime/8.0/windowsservercore-ltsc2022/amd64/Dockerfile 
+++ b/src/runtime/8.0/windowsservercore-ltsc2022/amd64/Dockerfile @@ -3,8 +3,8 @@ FROM mcr.microsoft.com/windows/servercore:ltsc2022-amd64 ENV ` - # Configure web servers to bind to port 80 when present - ASPNETCORE_URLS=http://+:80 ` + # Configure web servers to bind to port 8080 when present + ASPNETCORE_HTTP_PORTS=8080 ` # Enable detection of running in a container DOTNET_RUNNING_IN_CONTAINER=true ` # .NET Runtime version diff --git a/src/sdk/8.0/alpine3.17/amd64/Dockerfile b/src/sdk/8.0/alpine3.17/amd64/Dockerfile index 321e9192f4..38f871cd21 100644 --- a/src/sdk/8.0/alpine3.17/amd64/Dockerfile +++ b/src/sdk/8.0/alpine3.17/amd64/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-alpine3.17-amd64 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/alpine3.17/arm32v7/Dockerfile b/src/sdk/8.0/alpine3.17/arm32v7/Dockerfile index cc55445742..b31f48b7e1 100644 --- a/src/sdk/8.0/alpine3.17/arm32v7/Dockerfile +++ b/src/sdk/8.0/alpine3.17/arm32v7/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-alpine3.17-arm32v7 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/alpine3.17/arm64v8/Dockerfile b/src/sdk/8.0/alpine3.17/arm64v8/Dockerfile index f225af5280..bc67a4300f 100644 --- a/src/sdk/8.0/alpine3.17/arm64v8/Dockerfile +++ b/src/sdk/8.0/alpine3.17/arm64v8/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-alpine3.17-arm64v8 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text 
diff --git a/src/sdk/8.0/bookworm-slim/amd64/Dockerfile b/src/sdk/8.0/bookworm-slim/amd64/Dockerfile index 89b7fca23a..4ed47cfcf1 100644 --- a/src/sdk/8.0/bookworm-slim/amd64/Dockerfile +++ b/src/sdk/8.0/bookworm-slim/amd64/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-bookworm-slim-amd64 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/bookworm-slim/arm32v7/Dockerfile b/src/sdk/8.0/bookworm-slim/arm32v7/Dockerfile index 3c161597d8..0029819534 100644 --- a/src/sdk/8.0/bookworm-slim/arm32v7/Dockerfile +++ b/src/sdk/8.0/bookworm-slim/arm32v7/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-bookworm-slim-arm32v7 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/bookworm-slim/arm64v8/Dockerfile b/src/sdk/8.0/bookworm-slim/arm64v8/Dockerfile index bd22b0320b..56ac00ad12 100644 --- a/src/sdk/8.0/bookworm-slim/arm64v8/Dockerfile +++ b/src/sdk/8.0/bookworm-slim/arm64v8/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-bookworm-slim-arm64v8 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/cbl-mariner2.0/amd64/Dockerfile b/src/sdk/8.0/cbl-mariner2.0/amd64/Dockerfile index 365f2c20a7..46674a2399 100644 --- a/src/sdk/8.0/cbl-mariner2.0/amd64/Dockerfile +++ b/src/sdk/8.0/cbl-mariner2.0/amd64/Dockerfile 
@@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-cbl-mariner2.0-amd64 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/cbl-mariner2.0/arm64v8/Dockerfile b/src/sdk/8.0/cbl-mariner2.0/arm64v8/Dockerfile index 6389f75f0e..59a68389c2 100644 --- a/src/sdk/8.0/cbl-mariner2.0/arm64v8/Dockerfile +++ b/src/sdk/8.0/cbl-mariner2.0/arm64v8/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-cbl-mariner2.0-arm64v8 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/jammy/amd64/Dockerfile b/src/sdk/8.0/jammy/amd64/Dockerfile index 85f37aae96..5e8c2591c2 100644 --- a/src/sdk/8.0/jammy/amd64/Dockerfile +++ b/src/sdk/8.0/jammy/amd64/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-jammy-amd64 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/jammy/arm32v7/Dockerfile b/src/sdk/8.0/jammy/arm32v7/Dockerfile index 2afd03648d..e8a19e09a2 100644 --- a/src/sdk/8.0/jammy/arm32v7/Dockerfile +++ b/src/sdk/8.0/jammy/arm32v7/Dockerfile @@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-jammy-arm32v7 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/jammy/arm64v8/Dockerfile b/src/sdk/8.0/jammy/arm64v8/Dockerfile index 0f57974316..f4eccdae6d 100644 --- a/src/sdk/8.0/jammy/arm64v8/Dockerfile +++ b/src/sdk/8.0/jammy/arm64v8/Dockerfile 
@@ -2,8 +2,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-jammy-arm64v8 ENV \ - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= \ # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false \ # Do not show first run text diff --git a/src/sdk/8.0/nanoserver-1809/amd64/Dockerfile b/src/sdk/8.0/nanoserver-1809/amd64/Dockerfile index 3564dc46f4..cc065b5cfb 100644 --- a/src/sdk/8.0/nanoserver-1809/amd64/Dockerfile +++ b/src/sdk/8.0/nanoserver-1809/amd64/Dockerfile @@ -46,8 +46,6 @@ RUN powershell -Command " ` FROM $REPO:8.0.0-preview.1-nanoserver-1809 ENV ` - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= ` # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false ` # Do not show first run text diff --git a/src/sdk/8.0/nanoserver-ltsc2022/amd64/Dockerfile b/src/sdk/8.0/nanoserver-ltsc2022/amd64/Dockerfile index 57cc2a2cfa..1fc4f85344 100644 --- a/src/sdk/8.0/nanoserver-ltsc2022/amd64/Dockerfile +++ b/src/sdk/8.0/nanoserver-ltsc2022/amd64/Dockerfile @@ -46,8 +46,6 @@ RUN powershell -Command " ` FROM $REPO:8.0.0-preview.1-nanoserver-ltsc2022 ENV ` - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= ` # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false ` # Do not show first run text diff --git a/src/sdk/8.0/windowsservercore-ltsc2019/amd64/Dockerfile b/src/sdk/8.0/windowsservercore-ltsc2019/amd64/Dockerfile index e352478c55..472bede971 100644 --- a/src/sdk/8.0/windowsservercore-ltsc2019/amd64/Dockerfile +++ b/src/sdk/8.0/windowsservercore-ltsc2019/amd64/Dockerfile @@ -4,8 +4,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet FROM $REPO:8.0.0-preview.1-windowsservercore-ltsc2019 ENV ` - # Unset ASPNETCORE_URLS from aspnet base image - ASPNETCORE_URLS= ` # Do not generate certificate DOTNET_GENERATE_ASPNET_CERTIFICATE=false ` # Do not show first run text 
diff --git a/src/sdk/8.0/windowsservercore-ltsc2022/amd64/Dockerfile b/src/sdk/8.0/windowsservercore-ltsc2022/amd64/Dockerfile
index 5dda05f918..7e632bee9c 100644
--- a/src/sdk/8.0/windowsservercore-ltsc2022/amd64/Dockerfile
+++ b/src/sdk/8.0/windowsservercore-ltsc2022/amd64/Dockerfile
@@ -4,8 +4,6 @@ ARG REPO=mcr.microsoft.com/dotnet/aspnet
 FROM $REPO:8.0.0-preview.1-windowsservercore-ltsc2022
 ENV `
- # Unset ASPNETCORE_URLS from aspnet base image
- ASPNETCORE_URLS= `
 # Do not generate certificate
 DOTNET_GENERATE_ASPNET_CERTIFICATE=false `
 # Do not show first run text
diff --git a/tests/Microsoft.DotNet.Docker.Tests/CommonRuntimeImageTests.cs b/tests/Microsoft.DotNet.Docker.Tests/CommonRuntimeImageTests.cs
index 82f2cd7346..c7d43b8b98 100644
--- a/tests/Microsoft.DotNet.Docker.Tests/CommonRuntimeImageTests.cs
+++ b/tests/Microsoft.DotNet.Docker.Tests/CommonRuntimeImageTests.cs
@@ -28,7 +28,15 @@ protected void VerifyCommonEnvironmentVariables(
 {
 List variables = new List();
 variables.AddRange(GetCommonEnvironmentVariables());
- variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", $"http://+:{imageData.DefaultPort}"));
+
+ if (imageData.VersionFamily.Major <= 7)
+ {
+ variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", $"http://+:{imageData.DefaultPort}"));
+ }
+ else
+ {
+ variables.Add(new EnvironmentVariableInfo("ASPNETCORE_HTTP_PORTS", imageData.DefaultPort.ToString()));
+ }
 if (customVariables != null)
 {
diff --git a/tests/Microsoft.DotNet.Docker.Tests/ImageData.cs b/tests/Microsoft.DotNet.Docker.Tests/ImageData.cs
index 2f9e626ee8..d8c936ae6f 100644
--- a/tests/Microsoft.DotNet.Docker.Tests/ImageData.cs
+++ b/tests/Microsoft.DotNet.Docker.Tests/ImageData.cs
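Review bot: The new branch in VerifyCommonEnvironmentVariables keys on `imageData.VersionFamily.Major`, while every other 7→8 gate added in this patch (ImageScenarioVerifier, ProductImageData.DefaultPort, MonitorImageTests) uses `Version.Major`; for the major number the two presumably agree, but one spelling keeps the cut-over greppable when .NET 7 is retired. `imageData.DefaultPort.ToString()` is also culture-sensitive by analyzer rules (CA1305); `imageData.DefaultPort.ToString(CultureInfo.InvariantCulture)` pins it, given a `using System.Globalization;` in the file. VerifyCommonEnvironmentVariables begins before the hunk.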
@@ -22,6 +22,7 @@ public abstract class ImageData
 public bool IsArm => Arch == Arch.Arm || Arch == Arch.Arm64;
 public string OS { get; set; }
 public bool IsDistroless => OS.Contains("distroless") || OS.Contains("chiseled");
+ public virtual int DefaultPort => IsDistroless ? 8080 : 80;
 private static readonly Lazy s_imageInfoData;
@@ -66,8 +67,6 @@ public string Platform
 public bool IsWindows => OS.StartsWith(Tests.OS.NanoServer) || OS.StartsWith(Tests.OS.ServerCore);
- public int DefaultPort => IsDistroless ? 8080 : 80;
-
 public string Rid { get
diff --git a/tests/Microsoft.DotNet.Docker.Tests/ImageScenarioVerifier.cs b/tests/Microsoft.DotNet.Docker.Tests/ImageScenarioVerifier.cs
index b9040dc550..f56b59edd7 100644
--- a/tests/Microsoft.DotNet.Docker.Tests/ImageScenarioVerifier.cs
+++ b/tests/Microsoft.DotNet.Docker.Tests/ImageScenarioVerifier.cs
@@ -24,6 +24,8 @@ public class ImageScenarioVerifier
 private readonly bool _isWeb;
 private readonly ITestOutputHelper _outputHelper;
 private readonly string _adminUser = DockerHelper.IsLinuxContainerModeEnabled ? "root" : "ContainerAdministrator";
+ private readonly string _nonRootUser = DockerHelper.IsLinuxContainerModeEnabled ? "app" : "ContainerUser";
+ private readonly bool _nonRootUserSupported;
 public ImageScenarioVerifier(
 ProductImageData imageData,
@@ -35,6 +37,7 @@ public ImageScenarioVerifier(
 _imageData = imageData;
 _isWeb = isWeb;
 _outputHelper = outputHelper;
+ _nonRootUserSupported = DockerHelper.IsLinuxContainerModeEnabled && _imageData.Version.Major > 7;
 }
 public async Task Execute()
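Review bot: `_nonRootUser` carries a Windows value (`"ContainerUser"`), but `_nonRootUserSupported` is only ever true when `DockerHelper.IsLinuxContainerModeEnabled`, so the Windows branch of that initializer is unreachable from the code in this patch; either drop it to `"app"`, or say why it stays, e.g. `// Windows non-root runs are not exercised yet; gated by _nonRootUserSupported`. The `> 7` in the constructor duplicates the `>= 8` in ProductImageData.DefaultPort — a single `SupportsNonRootUser` property on the image data (or a named constant) would keep the two gates in step. The constructor begins outside the hunk.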
@@ -56,8 +59,8 @@ public async Task Execute()
 // Use `sdk` image to build and run test app
 string buildTag = BuildTestAppImage("build", solutionDir, customBuildArgs);
 tags.Add(buildTag);
- string dotnetRunArgs = _isWeb ? $" --urls http://0.0.0.0:{_imageData.DefaultPort}" : string.Empty;
- await RunTestAppImage(buildTag, command: $"dotnet run{dotnetRunArgs}");
+ string dotnetRunArgs = _isWeb && _imageData.Version.Major <= 7 ? $" --urls http://0.0.0.0:{_imageData.DefaultPort}" : string.Empty;
+ await RunTestAppImage(buildTag, command: $"dotnet run ${dotnetRunArgs}");
 }
 // Running a scenario of unit testing within the sdk container is identical between a console app and web app,
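Review bot: `$"dotnet run ${dotnetRunArgs}"` puts a literal `$` into the command — C# interpolation uses `{}` alone — so the container receives `dotnet run $` (or `dotnet run $ --urls http://...` for .NET 7 and earlier) instead of the intended arguments, and `dotnetRunArgs` already begins with a space, so the extra space doubles up too. The removed line had it right; restore `await RunTestAppImage(buildTag, command: $"dotnet run{dotnetRunArgs}");`. Execute() continues on both sides of the hunk.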
@@ -66,21 +69,27 @@ public async Task Execute()
 {
 string unitTestTag = BuildTestAppImage("test", solutionDir, customBuildArgs);
 tags.Add(unitTestTag);
- await RunTestAppImage(unitTestTag, runAsAdmin: false);
+ await RunTestAppImage(unitTestTag);
 }
 // Use `sdk` image to publish FX dependent app and run with `runtime` or `aspnet` image
 string fxDepTag = BuildTestAppImage("fx_dependent_app", solutionDir, customBuildArgs);
 tags.Add(fxDepTag);
- bool runAsAdmin = _isWeb && !DockerHelper.IsLinuxContainerModeEnabled;
- await RunTestAppImage(fxDepTag, runAsAdmin: runAsAdmin);
+ // If we're a web app on Windows, use the ContainerAdministrator account
+ string fxDepUser = (_isWeb && !DockerHelper.IsLinuxContainerModeEnabled) ? _adminUser : null;
+ await RunTestAppImage(fxDepTag, user: fxDepUser);
 // For distroless, run another test that explicitly runs the container as a root user to verify
 // the root user is defined.
- if (!runAsAdmin && DockerHelper.IsLinuxContainerModeEnabled && _imageData.IsDistroless &&
+ if (!_isWeb && DockerHelper.IsLinuxContainerModeEnabled && _imageData.IsDistroless &&
 (!_imageData.OS.StartsWith(OS.Mariner) || _imageData.Version.Major > 6))
 {
- await RunTestAppImage(fxDepTag, runAsAdmin: true);
+ await RunTestAppImage(fxDepTag, user: _adminUser);
+ }
+ // For non-distroless, which uses the root user by default, run the test as the non-root user
+ else if (_nonRootUserSupported && !_imageData.IsDistroless)
+ {
+ await RunTestAppImage(fxDepTag, user: _nonRootUser);
 }
 if (DockerHelper.IsLinuxContainerModeEnabled)
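Review bot: The explicit-root distroless check changed its guard from `!runAsAdmin && DockerHelper.IsLinuxContainerModeEnabled` — and on Linux `runAsAdmin` was always false, so every distroless scenario ran it — to `!_isWeb && ...`, which now skips web apps entirely; if that narrowing is deliberate the existing comment should say why (`// console scenario only: ...`), otherwise drop the `!_isWeb &&`. With the `else if (_nonRootUserSupported && !_imageData.IsDistroless)` attached to the same `if`, a .NET 8 distroless web image is not run as `app` anywhere in this block either; if the `selfContainedTag` run further down is what covers it, a sentence in the comment would save the next reader the trace. Execute() continues on both sides of the hunk.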
@@ -88,7 +97,12 @@ public async Task Execute()
 // Use `sdk` image to publish self contained app and run with `runtime-deps` image
 string selfContainedTag = BuildTestAppImage("self_contained_app", solutionDir, customBuildArgs);
 tags.Add(selfContainedTag);
- await RunTestAppImage(selfContainedTag, runAsAdmin: runAsAdmin);
+ await RunTestAppImage(selfContainedTag, user: _adminUser);
+
+ if (_nonRootUserSupported)
+ {
+ await RunTestAppImage(selfContainedTag, user: _nonRootUser);
+ }
 }
 }
 finally
@@ -273,20 +287,31 @@ private string CreateTestSolutionWithSdkImage(string appType)
 private void CreateProjectWithSdkImage(string templateName, string destinationPath, string containerName)
 {
- string targetFramework = $"net{_imageData.Version}";
+ IEnumerable args = new List
+ {
+ templateName,
+ $"--framework net{_imageData.Version}",
+ "--no-restore"
+ };
+
+ if (templateName == "web")
+ {
+ args = args.Append("--exclude-launch-settings");
+ }
+
 const string ProjectContainerDir = "/app";
 _dockerHelper.Run(
 image: _imageData.GetImage(DotNetImageType.SDK, _dockerHelper),
 name: containerName,
- command: $"dotnet new {templateName} --framework {targetFramework} --no-restore",
+ command: $"dotnet new {String.Join(' ', args)}",
 workdir: ProjectContainerDir,
 skipAutoCleanup: true);
 _dockerHelper.Copy($"{containerName}:{ProjectContainerDir}", destinationPath);
 }
- private async Task RunTestAppImage(string image, bool runAsAdmin = false, string command = null)
+ private async Task RunTestAppImage(string image, string user = null, string command = null)
 {
 string containerName = _imageData.GetIdentifier("app-run");
@@ -297,7 +322,7 @@ private async Task RunTestAppImage(string image, bool runAsAdmin = false, string
 name: containerName,
 detach: _isWeb,
 optionalRunArgs: _isWeb ? $"-p {_imageData.DefaultPort}" : string.Empty,
- runAsUser: runAsAdmin ? _adminUser : null,
+ runAsUser: user,
 command: command);
 if (_isWeb && !Config.IsHttpVerificationDisabled)
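Review bot: `RunTestAppImage(selfContainedTag, user: _adminUser)` now always runs the runtime-deps scenario as root on Linux, where the removed line passed `runAsAdmin` (false on Linux) and so ran as the image's default user; for .NET 6/7 distroless images, where `_nonRootUserSupported` is false, the default-user path is therefore no longer exercised at all. Consider running with `user: null` first and keeping the explicit `_adminUser` run only as the root-is-defined check, as the fx-dependent block does. The enclosing `if (DockerHelper.IsLinuxContainerModeEnabled)` begins before the hunk.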
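Review bot: `--exclude-launch-settings` is added for the `web` template without saying why; presumably a generated launchSettings.json would otherwise pin `applicationUrl` under `dotnet run` and the container would not listen on the port the image sets, which is exactly what the scenario is checking — a comment like `// no launchSettings.json, so dotnet run honours the image's port settings` would record that. Style-wise, `args` is declared as an enumerable and re-assigned through `Append` for one optional item; a `List<string>` with `Add`, joined with `string.Join(' ', args)` (lower-case `string`, as with `string.Empty` elsewhere in this file), is simpler. CreateProjectWithSdkImage is fully inside the hunk; RunTestAppImage continues past it.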
@@ -313,7 +338,7 @@ private async Task RunTestAppImage(string image, bool runAsAdmin = false, string
 public static async Task GetHttpResponseFromContainerAsync(string containerName, DockerHelper dockerHelper, ITestOutputHelper outputHelper, int containerPort, string pathAndQuery = null, Action validateCallback = null, AuthenticationHeaderValue authorizationHeader = null)
 {
- int retries = 30;
+ int retries = 32;
 // Can't use localhost when running inside containers or Windows.
 string url = !Config.IsRunningInContainer && DockerHelper.IsLinuxContainerModeEnabled
diff --git a/tests/Microsoft.DotNet.Docker.Tests/MonitorImageTests.cs b/tests/Microsoft.DotNet.Docker.Tests/MonitorImageTests.cs
index a5970111b7..53bd5f882f 100644
--- a/tests/Microsoft.DotNet.Docker.Tests/MonitorImageTests.cs
+++ b/tests/Microsoft.DotNet.Docker.Tests/MonitorImageTests.cs
@@ -147,8 +147,12 @@ public void VerifyEnvironmentVariables(ProductImageData imageData)
 List variables = new List();
 variables.AddRange(ProductImageTests.GetCommonEnvironmentVariables());
- // ASPNETCORE_URLS has been unset to allow the default URL binding to occur.
- variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", string.Empty));
+ if (imageData.Version.Major <= 7) {
+ // ASPNETCORE_URLS has been unset to allow the default URL binding to occur.
+ variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", string.Empty));
+ } else {
+ variables.Add(new EnvironmentVariableInfo("ASPNETCORE_HTTP_PORTS", string.Empty));
+ }
 // Diagnostics should be disabled
 variables.Add(new EnvironmentVariableInfo("COMPlus_EnableDiagnostics", "0"));
 // DefaultProcess filter should select a process with a process ID of 1
diff --git a/tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs b/tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs
index 71188c1be7..12fade46cb 100644
--- a/tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs
+++ b/tests/Microsoft.DotNet.Docker.Tests/ProductImageData.cs
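Review bot: `int retries = 32;` bumps a bare magic number without recording why 30 stopped being enough; a comment naming the scenario that timed out and the per-attempt delay (`// 32 attempts x <delay> covers the slowest start seen in <scenario>` with the real values) would keep it from drifting again. GetHttpResponseFromContainerAsync continues past the hunk.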
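Review bot: In MonitorImageTests the new `if (imageData.Version.Major <= 7) {` / `} else {` keeps the braces on the statement line, while the matching switch added to CommonRuntimeImageTests in this same patch — and the surrounding test code — uses Allman braces on their own lines. The `else` branch also loses the explanatory comment, so `ASPNETCORE_HTTP_PORTS` is expected empty without saying why; `// ASPNETCORE_HTTP_PORTS has been unset to allow the default URL binding to occur.` mirrors the .NET 7 branch. VerifyEnvironmentVariables begins before the hunk.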
@@ -53,6 +53,8 @@ public ImageVersion VersionFamily
 public string VersionString => Version.ToString();
+ public override int DefaultPort => (IsDistroless | Version.Major >= 8) ? 8080 : 80;
+
 public string GetDockerfilePath(DotNetImageType imageType) => $"src/{GetVariantName(imageType)}/{Version}/{OSTag}/{GetArchLabel()}";
diff --git a/tests/Microsoft.DotNet.Docker.Tests/SdkImageTests.cs b/tests/Microsoft.DotNet.Docker.Tests/SdkImageTests.cs
index 66e2d411a5..6f2fd5cad4 100644
--- a/tests/Microsoft.DotNet.Docker.Tests/SdkImageTests.cs
+++ b/tests/Microsoft.DotNet.Docker.Tests/SdkImageTests.cs
@@ -94,11 +94,6 @@ public void VerifyEnvironmentVariables(ProductImageData imageData)
 };
 variables.AddRange(GetCommonEnvironmentVariables());
- if (imageData.SdkOS.StartsWith(OS.Alpine) || !DockerHelper.IsLinuxContainerModeEnabled)
- {
- variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", string.Empty));
- }
-
 if (imageData.SdkOS.StartsWith(OS.Alpine))
 {
 variables.Add(new EnvironmentVariableInfo("DOTNET_SYSTEM_GLOBALIZATION_INVARIANT", "false"));
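Review bot: `(IsDistroless | Version.Major >= 8)` uses the non-short-circuiting bitwise `|` where a logical or is meant; it compiles because both operands are bool, but it reads as a typo and analyzers will flag it — write `public override int DefaultPort => (IsDistroless || Version.Major >= 8) ? 8080 : 80;`. Since the port choice is what lets a non-root process listen at all, give the property a why-comment, hedged until confirmed against the Dockerfiles: `// 8080 rather than 80: presumably these images run as a non-root user, which cannot bind a privileged port (<1024) without CAP_NET_BIND_SERVICE — confirm`. The ProductImageData class starts and ends outside the hunk.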
@@ -29,7 +29,19 @@
 "src/runtime-deps/7.0/cbl-mariner2.0-distroless/arm64v8": 22586819,
 "src/runtime-deps/8.0/bookworm-slim/amd64": 122238983,
 "src/runtime-deps/8.0/bookworm-slim/arm32v7": 123525810,
- "src/runtime-deps/8.0/bookworm-slim/arm64v8": 144762223
+ "src/runtime-deps/8.0/bookworm-slim/arm64v8": 144762223,
+ "src/runtime-deps/8.0/alpine3.17/amd64": 12127262,
+ "src/runtime-deps/8.0/alpine3.17/arm32v7": 9518049,
+ "src/runtime-deps/8.0/alpine3.17/arm64v8": 13355406,
+ "src/runtime-deps/8.0/jammy/amd64": 118850628,
+ "src/runtime-deps/8.0/jammy/arm32v7": 92396848,
+ "src/runtime-deps/8.0/jammy/arm64v8": 109539947,
+ "src/runtime-deps/8.0/jammy-chiseled/amd64": 12935991,
+ "src/runtime-deps/8.0/jammy-chiseled/arm64v8": 10176580,
+ "src/runtime-deps/8.0/cbl-mariner2.0/amd64": 107608523,
+ "src/runtime-deps/8.0/cbl-mariner2.0/arm64v8": 101990930,
+ "src/runtime-deps/8.0/cbl-mariner2.0-distroless/amd64": 25570883,
+ "src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8": 22586819
 },
 "dotnet/nightly/runtime": {
 "src/runtime/6.0/bullseye-slim/amd64": 187876947,
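Review bot: The new baseline `"src/runtime-deps/8.0/cbl-mariner2.0-distroless/arm64v8": 22586819` is identical to the 7.0 entry for the same image at the top of the hunk, which looks like a copied value rather than a measured 8.0 size; if so, the size regression check for that image is comparing against the wrong baseline and will mask growth (or flag phantom growth) once the real image is built. Re-measure the 8.0 arm64v8 image and check the amd64 sibling too — its 7.0 counterpart is not visible here, so I cannot tell whether that one was copied as well.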
