david/net-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity
net-base/README.md
David Claeys b5a7c42226 update usage example
2025-04-03 16:41:29 +02:00

97 lines
6.8 KiB
Markdown
Raw Blame History

# net-base
Base docker file that allows you to deploy .NET wit ease.
Microsoft makes some images available to deploy .NET applications in Docker.
However in order to use them, there is need for some tweaking.
This image is based on the *mcr.microsoft.com/dotnet/aspnet* image, but includes these tweaks.
Among other things these tweaks are included :
- automatic generation of certificate for the web server
- disable telemetry
- inclusion of tzdata for time setup
## Docker image
### Usage
Since this is just a base image, some additional setup is needed.
The following is just an example of how your Dockerfile could look like.
```sh
# Password for the certificate
# this image contains the entire .NET SDK and is ideal for creation the build
FROM mcr.microsoft.com/dotnet/sdk:9.0-alpine-amd64 AS build-env
WORKDIR /App
COPY . ./
# Restore dependencies for your application
RUN dotnet restore
# Build your application
RUN dotnet publish test.csproj --no-restore --self-contained false -c Release -o out /p:UseAppHost=false
FROM git.claeyscloud.com/david/net-base:latest
WORKDIR /App
# copy build files from build-stage
COPY --from=build-env /App/out .
# change ownership of files to the app user
RUN chown -R app:app /App/
# entrypoint for image
ENTRYPOINT ["dotnet", "test.dll"]
```
### Environment Variables
| Variable | Description | Default |
|-----------------------------------------------------|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
| ASPNETCORE_Kestrel__Certificates__Default__Path | The path containing the server certificate | /usr/local/share/ca-certificates/aspnetapp.crt |
| ASPNETCORE_Kestrel__Certificates__Default__KeyPath | The path containing the key for the server certificate | /usr/local/share/ca-certificates/aspnetapp.key |
| ASPNETCORE_Kestrel__Certificates__Default__Password | The password for required for the server key | N/A (generated at build time) |
| CERTIFICATES_DIRECTORY | The directory where the certificate files are stored for the web server | /usr/local/share/ca-certificates |
| ASPNETCORE_URLS | Specifies at which urls and ports the Kestrel server should listen | http://+:80;https://+:443 |
| DOTNET_CLI_TELEMETRY_OPTOUT | Disables telemetry | 1 |
| TZ | Time zone ([list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List)) | Europe/Brussels | |
### Build arguments
These are the most important build arguments. Most of them are optional, meaning you can tweak them if you so desire.
However the *CERT_PASSWORD* argument is required, as it's necesarry in order to build a working image.
You can build the image yourself like this
```sh
docker build --build-arg CERT_PASSWORD=supersecretpassword . -t net-base
```
| Argument | Description | Default |
|-----------------------------------------------------|-------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
| CERT_PASSWORD | The password for the generated certificate | N/A **(required)** |
| DOTNET_SDK_VERSION | The [SDK](https://mcr.microsoft.com/en-us/artifact/mar/dotnet/sdk/tags) version used to generate the development certificate | 9.0.202 |
| DOTNET_RUNTIME_VERSION | The [runtime](https://mcr.microsoft.com/en-us/artifact/mar/dotnet/aspnet/tags) version used as a base | 9.0.3 |
| ALPINE_VERSION | The version of [alpine linux](https://www.alpinelinux.org/) used as a base <br/> Currently you can choose between `3.20` or `3.21` | 3.21 |
## Security implications
### Webserver and certificates
This images uses the system provided by Microsoft to generate a development certificate and uses the [Kestrel](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/?view=aspnetcore-9.0&tabs=windows) webserver.<br/>
In previous .NET versions it was not recommended to expose Kestrel directly to the internet, now Microsoft claims you can do that if you want so.
However you never should use the included development certificate included in this image when doing so.<br/>
The certificate included by default (generated through the _dotnet dev-certs_ command) is not really suited for production environments.
If you want to directly expose the Kestrel webserver use the following environment variables to properly setup a certificate :
- **ASPNETCORE_Kestrel__Certificates__Default__Path** (the path to the certificate key)
- **ASPNETCORE_Kestrel__Certificates__Default__KeyPath** (the path to the certificate)
- **ASPNETCORE_Kestrel__Certificates__Default__Password** (the password for the key file)
In practice it's much easier to expose the server through a proxy to the public (hence the recommended method).
Depending on your use-case you event might consider to use docker networking in order to accomplish proper isolation.
### Included certificate
The included certificate is generated through the _dotnet dev-certs_ command. This is a very convenient and suitable way to generate development certificates through the dotnet SDK.
The password used to generate the certificate is randomly generated through the `openssl rand -base64 12` at build time.
The build agent used for the build is hosted on my own infrastructure but I don't have any access to it (neither do I intend to do so).<br/>
However if you feel uncomfortable with this fact, feel free to build the image yourself.
Reference in New Issue View Git Blame Copy Permalink