61 lines
4.3 KiB
Markdown
61 lines
4.3 KiB
Markdown
# net-base
|
|
|
|
Base docker file that allows you to deploy .NET wit ease.
|
|
Microsoft makes some images available to deploy .NET applications in Docker.
|
|
However in order to use them, there is need for some tweaking.
|
|
|
|
This image is based on the *mcr.microsoft.com/dotnet/aspnet* image, but includes these tweaks.
|
|
Among other things these tweaks are included :
|
|
- automatic generation of certificate for the web server
|
|
- disable telemetry
|
|
- inclusion of tzdata for time setup
|
|
|
|
|
|
## Docker image
|
|
|
|
### Environment Variables
|
|
|
|
| Variable | Description | Default |
|
|
|-----------------------------------------------------|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
|
|
| ASPNETCORE_Kestrel__Certificates__Default__Path | The path containing the server certificate | /usr/local/share/ca-certificates/aspnetapp.crt |
|
|
| ASPNETCORE_Kestrel__Certificates__Default__KeyPath | The path containing the key for the server certificate | /usr/local/share/ca-certificates/aspnetapp.key |
|
|
| ASPNETCORE_Kestrel__Certificates__Default__Password | The password for required for the server key | N/A (generated at build time) |
|
|
| CERTIFICATES_DIRECTORY | The directory where the certificate files are stored for the web server | /usr/local/share/ca-certificates |
|
|
| ASPNETCORE_URLS | Specifies at which urls and ports the Kestrel server should listen | http://+:80;https://+:443 |
|
|
| DOTNET_CLI_TELEMETRY_OPTOUT | Disables telemetry | 1 |
|
|
| TZ | Time zone ([list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List)) | Europe/Brussels | |
|
|
|
|
### Usage
|
|
|
|
Since this is just a base image, some additional setup is needed.
|
|
The following is just an example of how your Dockerfile could look like.
|
|
|
|
``
|
|
# Password for the certificate
|
|
# this image contains the entire .NET SDK and is ideal for creation the build
|
|
FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine-amd64 AS build-env
|
|
WORKDIR /App
|
|
COPY . ./
|
|
# Restore dependencies for your application
|
|
RUN dotnet restore
|
|
# Build your application
|
|
RUN dotnet publish test.csproj --no-restore --self-contained false -c Release -o out /p:UseAppHost=false
|
|
|
|
FROM git.claeyscloud.com/david/net-base:latest
|
|
WORKDIR /App
|
|
# copy build files from build-stage
|
|
COPY --from=build-env /App/out .
|
|
# entrypoint for image
|
|
ENTRYPOINT ["dotnet", "test.dll"]
|
|
``
|
|
|
|
### Security implications
|
|
|
|
This images uses the system provided by Microsoft to generate a development certificate and uses the [Kestrel](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/?view=aspnetcore-9.0&tabs=windows) webserver.
|
|
In previous .NET versions it was not recommended to expose Kestrel directly to the internet. Now Microsoft claims you can do that.
|
|
However you never should use the included development certificate if you want to do that.
|
|
|
|
If you want to expose the Kestrel server you should use the **ASPNETCORE_Kestrel__Certificates__Default__Path**, **ASPNETCORE_Kestrel__Certificates__Default__KeyPath** and **ASPNETCORE_Kestrel__Certificates__Default__Password** variables to correclty setup a certificate. The _dotnet dev-certs_ command is not really suited for production environments.
|
|
|
|
In practice it's much easier to expose the server through a proxy to the public (hence the recommended method).
|
|
Depending on your use-case you event might consider to use docker networking in order to accomplish proper isolation. |