Open webflow-entertainment opened 5 months ago
I am also interested in a solution to this problem. I wonder why Microsoft does not follow security best practices here.
Hi, any success here?
So, I have this (running Azure Function on k8s/AKS) and it's working:

```dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS builder
WORKDIR /build
COPY ./ ./
RUN dotnet publish --configuration Release --output /dist/
RUN dotnet test

FROM mcr.microsoft.com/azure-functions/dotnet:4
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    ASPNETCORE_URLS=http://+:5000 \
    DOTNET_EnableDiagnostics=0
COPY --from=builder /dist/ /home/site/wwwroot
EXPOSE 5000
```
But when I convert it to non-root, it stops working:

```dockerfile
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS builder
WORKDIR /build
COPY ./ ./
RUN dotnet publish --configuration Release --output /dist/
RUN dotnet test

FROM mcr.microsoft.com/azure-functions/dotnet:4
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    ASPNETCORE_URLS=http://+:5000 \
    DOTNET_EnableDiagnostics=0
COPY --from=builder /dist/ /home/site/wwwroot
RUN apt-get update && apt-get install -y procps
RUN groupadd nonroot -g 2000 && \
    useradd -r -M -s /sbin/nologin -g nonroot -c nonroot nonroot -u 1000
RUN chown -R nonroot:nonroot /azure-functions-host
USER nonroot
EXPOSE 5000
```
The service starts but there is no host.startup / warmup.extensions... only this:

```
Hosting environment: Production
Content root path: /azure-functions-host
Now listening on: http://[::]:5000/
Application started. Press Ctrl+C to shut down.
```
So, the point is that the service/container doesn't crash when doing non-root but it somehow doesn't load the app.
Any suggestions what else to try?
I have an issue with running a function in a Docker image based on Node and Go (Custom Handler). We have also enabled authentication with Microsoft as the provider. Basically, everything works until I switch the function image to non-root. I receive a Bad Request (403) and cannot swap the function. Does anyone have an idea?
I've already tried the inputs from this article https://github.com/Azure/azure-functions-docker/issues/424#issuecomment-2051274484 but it doesn't help.
Thanks!