-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal on non-root container images #271
base: main
Are you sure you want to change the base?
Conversation
|
||
This little scenario also demonstrates why removing port `80` from the rootful images would be useful. We wouldn't have to redefine `ASPNETCORE_URLS` in order to switch between `root` and `app` for images that are rootful by default. That would be very nice. | ||
|
||
For clarity, the approach that was used to add the user to the `aspnetapp` image was just a proof-of-concept. The intent is to add this user in the `runtime-deps` images (or `runtime` for Windows). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the only mention of Windows in this doc. I think it deserves more clarity. Windows containers already have "root" and "non-root" users baked in. All the Windows container SKUs contain a ContainerAdministrator and ContainerUser user. By default, ContainerAdministrator is the default, except for Nano Server which sets ContainerUser as the default.
C:\>docker run --rm mcr.microsoft.com/windows/nanoserver:ltsc2022 cmd /c echo %"USERNAME%
ContainerUser
C:\>docker run --rm mcr.microsoft.com/windows/servercore:ltsc2022 cmd /c echo %"USERNAME%
ContainerAdministrator
C:\>docker run --rm mcr.microsoft.com/windows/server:ltsc2022 cmd /c echo %"USERNAME%
ContainerAdministrator
In addition, port 80 isn't restricted from being used when running as ContainerUser.
I think this deserved to be called out because the Linux/Windows environments aren't symmetrical in this aspect.
- .NET 7 | ||
- Add same non-root user in both rootful and non-root images | ||
- Expose same non-root ports -- `8080` and `8443` (for HTTPS) -- in both rootful and non-root images | ||
- Continue to expose port `80` in rootful images, for compatibility. | ||
- Transition `mcr.microsoft.com/dotnet/samples` to non-root images (which by definition means not exposing port `80`). | ||
- .NET 8 | ||
- Remove port `80` from rootful images. | ||
- Announce that all .NET images are turnkey non-root capable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@richlander - Since none of these changes happened for .NET 7, what's the plan for .NET 8. Do we want to continue a phased approach between .NET 8 and 9 or do everything in .NET 8?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we make these changes for Preview 1 or 2, then I think we can do everything at once and wait for feedback and then assess based on that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @lbussell
The following will improve security for users:
ASPNETCORE_URLS
) are constant across all image types.View rendered version