Proposal on non-root container images #271
Conversation
|
|
||
| This little scenario also demonstrates why removing port `80` from the rootful images would be useful. We wouldn't have to redefine `ASPNETCORE_URLS` in order to switch between `root` and `app` for images that are rootful by default. That would be very nice. | ||
|
|
||
| For clarity, the approach that was used to add the user to the `aspnetapp` image was just a proof-of-concept. The intent is to add this user in the `runtime-deps` images (or `runtime` for Windows). |
There was a problem hiding this comment.
This is the only mention of Windows in this doc. I think it deserves more clarity. Windows containers already have "root" and "non-root" users baked in. All the Windows container SKUs contain a ContainerAdministrator and ContainerUser user. By default, ContainerAdministrator is the default, except for Nano Server which sets ContainerUser as the default.
C:\>docker run --rm mcr.microsoft.com/windows/nanoserver:ltsc2022 cmd /c echo %"USERNAME%
ContainerUser
C:\>docker run --rm mcr.microsoft.com/windows/servercore:ltsc2022 cmd /c echo %"USERNAME%
ContainerAdministrator
C:\>docker run --rm mcr.microsoft.com/windows/server:ltsc2022 cmd /c echo %"USERNAME%
ContainerAdministrator
In addition, port 80 isn't restricted from being used when running as ContainerUser.
I think this deserved to be called out because the Linux/Windows environments aren't symmetrical in this aspect.
| - .NET 7 | ||
| - Add same non-root user in both rootful and non-root images | ||
| - Expose same non-root ports -- `8080` and `8443` (for HTTPS) -- in both rootful and non-root images | ||
| - Continue to expose port `80` in rootful images, for compatibility. | ||
| - Transition `mcr.microsoft.com/dotnet/samples` to non-root images (which by definition means not exposing port `80`). | ||
| - .NET 8 | ||
| - Remove port `80` from rootful images. | ||
| - Announce that all .NET images are turnkey non-root capable. |
There was a problem hiding this comment.
@richlander - Since none of these changes happened for .NET 7, what's the plan for .NET 8. Do we want to continue a phased approach between .NET 8 and 9 or do everything in .NET 8?
There was a problem hiding this comment.
If we make these changes for Preview 1 or 2, then I think we can do everything at once and wait for feedback and then assess based on that.
The following will improve security for users:
ASPNETCORE_URLS) are constant across all image types.View rendered version