Use ASPNETCORE_HTTP_PORTS and set APP_UID.

8.0/build/Dockerfile.rhel8

@@ -59,13 +59,13 @@ RUN /usr/libexec/s2i/container-tool build-tool
 # directories (such as ~/.pki/nssdb) there. These will be owned by root and can
 # cause actions that work on all of /opt/app-root to fail. So we need to fix
 # the permissions on those too.
-RUN chown -R 1001:0 /opt/app-root && fix-permissions /opt/app-root
+RUN chown -R $APP_UID:0 /opt/app-root && fix-permissions /opt/app-root
 
 # Needed for the `dotnet watch` to detect changes in a container
 ENV  DOTNET_USE_POLLING_FILE_WATCHER=true
 
-# Run container by default as user with id 1001 (default)
-USER 1001
+# Run container rootless.
+USER $APP_UID
 
 # Set the default CMD to start a shell.
 CMD /bin/bash

8.0/build/README.md

@@ -155,10 +155,9 @@ a `.s2i/environment` file inside your source code repository.
     `Release` or `Debug`.  This is passed to the `dotnet publish` invocation.
     Defaults to `Release`.
 
-* **ASPNETCORE_URLS**
+* **ASPNETCORE_HTTP_PORTS**
 
-    This variable is set to `http://*:8080` to configure ASP.NET Core to use the
-    port exposed by the image.
+    This variable is set to `8080` to configure ASP.NET Core to use the port exposed by the image.
 
 * **HTTP_PROXY, HTTPS_PROXY**
 

8.0/runtime/Dockerfile.rhel8

@@ -13,9 +13,15 @@ ENV HOME=/opt/app-root \
     DOTNET_DEFAULT_CMD=default-cmd.sh \
     DOTNET_CORE_VERSION=8.0 \
     DOTNET_FRAMEWORK=net8.0 \
-# Microsoft's images set this to enable detecting when an app is running in a container.
+    # Microsoft's images set this to enable detecting when an app is running in a container.
     DOTNET_RUNNING_IN_CONTAINER=true \
-    DOTNET_SSL_CERT_DIR=/opt/app-root/ssl_dir
+    DOTNET_SSL_CERT_DIR=/opt/app-root/ssl_dir \
+    # Don't download/extract docs for nuget packages
+    NUGET_XMLDOC_MODE=skip \
+    # Configure ASP.NET Core to use the exposed port
+    ASPNETCORE_HTTP_PORTS=8080 \
+    # Like Microsoft images, set APP_UID to the UID of the non-root user.
+    APP_UID=1001
 
 LABEL io.k8s.description="Platform for running .NET 8 applications" \
       io.k8s.display-name=".NET 8" \
@@ -32,13 +38,6 @@ LABEL name="ubi8/dotnet-80-runtime" \
       version="8.0" \
       release="1"
 
-# Don't download/extract docs for nuget packages
-ENV NUGET_XMLDOC_MODE=skip
-
-## By default, ASP.NET Core runs on port 5000. We configure it to match
-## the container port.
-ENV ASPNETCORE_URLS=http://*:8080
-
 # Each language image can have 'contrib' a directory with extra files needed to
 # run and build the applications.
 COPY ./contrib/ /opt/app-root
@@ -73,7 +72,7 @@ RUN [ -z "${DOTNET_TARBALL}" ] || ( \
 
 # Add default user
 RUN mkdir -p ${DOTNET_APP_PATH} ${DOTNET_DATA_PATH} && \
-    useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \
+    useradd -u $APP_UID -r -g 0 -d ${HOME} -s /sbin/nologin \
       -c "Default Application User" default
 
 WORKDIR ${DOTNET_APP_PATH}
@@ -83,9 +82,9 @@ CMD "./${DOTNET_DEFAULT_CMD}"
 # In order to drop the root user, we have to make some directories world
 # writable as OpenShift default security model is to run the container under
 # random UID.
-RUN chown -R 1001:0 /opt/app-root && fix-permissions /opt/app-root
+RUN chown -R $APP_UID:0 /opt/app-root && fix-permissions /opt/app-root
 
 ENTRYPOINT [ "container-entrypoint" ]
 
-# Run container by default as user with id 1001 (default)
-USER 1001
+# Run container rootless.
+USER $APP_UID

8.0/runtime/README.md

@@ -69,10 +69,9 @@ Environment variables
 The following variables are set so they can be used from scripts.
 They must not to be overridden.
 
-* **ASPNETCORE_URLS**
+* **ASPNETCORE_HTTP_PORTS**
 
-    This variable is set to `http://*:8080` to configure ASP.NET Core to use the
-    port exposed by the image.
+    This variable is set to `8080` to configure ASP.NET Core to use the port exposed by the image.
 
 * **DOTNET_APP_PATH,DOTNET_DEFAULT_CMD,DOTNET_DATA_PATH**
 
@@ -92,3 +91,9 @@ They must not to be overridden.
 * **DOTNET_RUNNING_IN_CONTAINER**
 
     Like Microsoft images, this is set to `true` and can be used to detect the application is built/running in a container.
+
+* **APP_UID**
+
+    Like Microsoft images, this is set to the rootless user's uid to enable switching to that user
+    in a Dockerfile using the the instruction: `USER $APP_UID`.
+.

8.0/runtime/test/aspnet-hello-world/Program.cs

@@ -1,18 +1,6 @@
-using Microsoft.AspNetCore.Hosting;
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Http;
+var builder = WebApplication.CreateBuilder(args);
+var app = builder.Build();
 
-namespace AspNetHelloWorld
-{
-    public class Program
-    {
-        public static void Main(string[] args)
-        {
-            new WebHostBuilder()
-                .UseKestrel()
-                .Configure(a => a.Run(c => c.Response.WriteAsync("Hello World!")))
-                .Build()
-                .Run();
-        }
-    }
-}
+app.MapGet("/", () => "Hello World!");
+
+app.Run();

8.0/runtime/test/aspnet-hello-world/aspnet-hello-world.csproj

@@ -1,5 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
 </Project>

8.0/runtime/test/run

@@ -117,8 +117,11 @@ test_timezones() {
 test_user() {
   test_start
 
-  # we run as user 'default'
+  # we run as user 'default' which has a uid of 1001.
   assert_equal $(docker_run $IMAGE_NAME "whoami")           "default"
+  assert_equal $(docker_run $IMAGE_NAME "id -u")            "1001"
+  # APP_UID is set to match the uid of the default user.
+  assert_equal $(docker_get_env $IMAGE_NAME APP_UID)        "1001"
   # root is 'root'
   assert_equal $(docker_run_as $IMAGE_NAME 0 "whoami")      "root"
 }
@@ -128,8 +131,8 @@ test_port() {
 
   # Port 8080 is exposed
   assert_equal $(docker_get_exposedports $IMAGE_NAME) '{"8080/tcp":{}}'
-  # The environment variable used by ASP.NET Core matches
-  assert_equal $(docker_get_env $IMAGE_NAME ASPNETCORE_URLS) "http://*:8080"
+  # The environment variable used by ASP.NET Core matches the exposed port.
+  assert_equal $(docker_get_env $IMAGE_NAME ASPNETCORE_HTTP_PORTS) "8080"
 }
 
 verify_aspnet_image_works() {