Prior to .NET 8, containers ran as root by default. Starting with .NET 8, all of the Linux container images include a non-root user, and you can host a .NET container as a non-root user with a single line in the Dockerfile. This platform-level change makes your application more secure and helps make .NET one of the most secure developer ecosystems. It is a small change, but it has a big impact on defense-in-depth.
Understand the UIDs and GIDs in Docker containers
By default, the process in a container runs with root privileges, and that root user is the same UID 0 as root on the host machine. That should sound alarming: it means that if a process in the container ever escapes its isolation, it already has root on the host and can control everything there.
.NET 8 Docker image
There are two main changes to the .NET 8 Docker image, as follows:
- The image creates a new app user and group, and runs the application as that app user by default
- The default port changed from 80 to 8080: port 80 is a privileged port (below 1024), so binding it requires root privileges (at least on some platforms)
The image layering (from the application image down to the OS base) is as follows:
aspnet:8.0-bookworm-slim -> dotnet/runtime-8.0.0-bookworm-slim-amd64 -> dotnet/runtime-deps-8.0.0-bookworm-slim-amd64 -> amd64/debian:bookworm-slim
The Dockerfile for dotnet/runtime-deps-8.0.0-bookworm-slim-amd64 looks like this (screenshot not preserved):
Start a shell in the base image as the app user with the following command (command not preserved):
Then print the current user and the environment variables, as shown in the following figure:
Dockerfile
To package your project into a Docker image, add Docker container support to your .NET 8 project; the Dockerfile generated by default for the Linux environment looks like this:
If you then set the system time zone in that Dockerfile with code like the following:
the build fails with a Permission denied error such as this:
4>F:\itsvse\Dockerfile : error CTC1014: #21 [final 3/3] RUN ln -snf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && echo Asia/Shanghai > /etc/timezone
4>F:\itsvse\Dockerfile : error CTC1014: #21 0.314 ln: failed to create symbolic link '/etc/localtime': Permission denied
4>F:\itsvse\Dockerfile : error CTC1014: #21 ERROR: process "/bin/sh -c ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone" did not complete successfully: exit code: 1
4>F:\itsvse\Dockerfile : error CTC1014: ------
4>F:\itsvse\Dockerfile : error CTC1014: > [final 3/3] RUN ln -snf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && echo Asia/Shanghai > /etc/timezone:
4>F:\itsvse\Dockerfile : error CTC1014: #21 0.314 ln: failed to create symbolic link '/etc/localtime': Permission denied
The RUN step executes as the non-root app user, which cannot write to /etc. Set the time zone while still running as root, then switch back to the app account, by modifying the Dockerfile as follows:
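The corrected Dockerfile is not reproduced above, so here is an added example of the pattern (written for this page, not the post's own file or the Visual Studio template): a multi-stage build for a hypothetical ASP.NET Core project called MyApp (the project name and the Asia/Shanghai time zone are assumptions), with the root-only time zone step placed before the switch to the app user.

```dockerfile
# Added example, not from the original post. Project name "MyApp" is assumed.
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY MyApp.csproj .
RUN dotnet restore
COPY . .
RUN dotnet publish -c Release -o /app/publish /p:UseAppHost=false

FROM mcr.microsoft.com/dotnet/aspnet:8.0-bookworm-slim AS final

# Root-only setup goes here. /etc/localtime and /etc/timezone are owned by root,
# so running this step as the app user fails with
# "ln: failed to create symbolic link '/etc/localtime': Permission denied".
USER root
ARG TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

WORKDIR /app
COPY --from=build /app/publish .

# Drop privileges for everything that runs after this point, including the
# application process at container start. The .NET 8 images ship this "app"
# user and group (its UID is also exposed as $APP_UID, so USER $APP_UID works).
USER app

# The .NET 8 images listen on 8080 (ASPNETCORE_HTTP_PORTS=8080); port 80 is
# privileged and would need root, which this image no longer runs as.
EXPOSE 8080
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

Any later RUN step that needs to write outside the app user's home or /app must be moved above the USER app line or have its target directory chown'd to app while still root.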
(End)