Azure / azure-functions-docker

This repo contains the base Docker images for working with azure functions
MIT License

Non-Root Docker Image with Authentication Enabled (Microsoft Provider) #1063

Status: Open. webflow-entertainment opened this issue 5 months ago

webflow-entertainment commented 5 months ago

I have an issue with running a function in a Docker image based on Node and Go (Custom Handler). We have also enabled authentication with Microsoft as the provider. Basically, everything works until I switch the function image to non-root. I receive a Bad Request (403) and cannot swap the function. Does anyone have an idea?

```dockerfile
FROM mcr.microsoft.com/azure-functions/node:4.33.1

# Host and worker configuration
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true \
    ASPNETCORE_URLS=http://+:8080 \
    NODE_OPTIONS=--max-http-header-size=32768 \
    HOME=/home \
    FUNCTIONS_WORKER_RUNTIME=node \
    DOTNET_USE_POLLING_FILE_WATCHER=true \
    HOST_VERSION=4.33.0 \
    ASPNETCORE_CONTENTROOT=/azure-functions-host

# Function app code
COPY functions/ /home/site/wwwroot/

# Create an unprivileged user and give it the directories the host uses
RUN groupadd nonroot -g 2000 && \
    useradd -r -M -s /sbin/nologin -g nonroot nonroot -u 1000 && \
    chown -R nonroot:nonroot /azure-functions-host && \
    chown -R nonroot:nonroot /FuncExtensionBundles && \
    chown -R nonroot:nonroot /home/site/wwwroot

USER nonroot
EXPOSE 8080

CMD [ "/azure-functions-host/Microsoft.Azure.WebJobs.Script.WebHost" ]
```

I've already tried the inputs from this article https://github.com/Azure/azure-functions-docker/issues/424#issuecomment-2051274484 but it doesn't help.

Thanks!

habnux commented 5 months ago

I am also interested in a solution to this problem. I wonder why Microsoft does not follow security best practices here.

klemen-df commented 3 months ago

Hi, any success here?

So, I have this (running an Azure Function on k8s/AKS) and it's working:

```dockerfile
# Build stage: publish the function app
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS builder
WORKDIR /build
COPY ./ ./
RUN dotnet publish --configuration Release --output /dist/
RUN dotnet test

# Runtime stage: Functions host running as root (default)
FROM mcr.microsoft.com/azure-functions/dotnet:4
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    ASPNETCORE_URLS=http://+:5000 \
    DOTNET_EnableDiagnostics=0
COPY --from=builder /dist/ /home/site/wwwroot
EXPOSE 5000
```

but when I convert it to non-root it stops working:

```dockerfile
# Build stage: publish the function app
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS builder
WORKDIR /build
COPY ./ ./
RUN dotnet publish --configuration Release --output /dist/
RUN dotnet test

# Runtime stage: same image, but switched to an unprivileged user
FROM mcr.microsoft.com/azure-functions/dotnet:4
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    ASPNETCORE_URLS=http://+:5000 \
    DOTNET_EnableDiagnostics=0
COPY --from=builder /dist/ /home/site/wwwroot

RUN apt-get update && apt-get install -y procps
RUN groupadd nonroot -g 2000 && \
    useradd -r -M -s /sbin/nologin -g nonroot -c nonroot nonroot -u 1000
# Only the host directory is handed to the new user here
RUN chown -R nonroot:nonroot /azure-functions-host

USER nonroot
EXPOSE 5000
```

The service starts, but there is no host.startup / warmup.extensions output ... only this:

```text
Hosting environment: Production
Content root path: /azure-functions-host
Now listening on:
http://[::]:5000/
Application started. Press Ctrl+C to shut down.
```

So, the point is that the service/container doesn't crash when running as non-root, but it somehow doesn't load the app.

Any suggestions on what else to try?
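Both Dockerfiles in this thread switch to `USER nonroot` after handing that user some, but not necessarily all, of the directories the Functions host touches. The following preflight script is an added example, not code from this issue or from the azure-functions-docker repository. Run as the image's final user before the host starts, it reports every listed directory that the current uid cannot read, traverse or (where marked `rw`) write, which is the first thing to rule out when the host comes up but never loads the app. The path list is taken from the Dockerfiles above; which of those paths the host needs write access to is an assumption, marked in the code.

```shell
#!/bin/sh
# Added example: preflight filesystem check for a non-root Functions image.
# Not part of the issue or of the azure-functions-docker project.
#
# Each entry is MODE:PATH, where MODE is "r" (must be readable/traversable)
# or "rw" (must also be writable). The paths come from the Dockerfiles in
# the thread; marking wwwroot and HOME as "rw" is an assumption.
FUNC_PATHS="r:/azure-functions-host r:/FuncExtensionBundles rw:/home/site/wwwroot rw:${HOME:-/home}"

# check_paths MODE:PATH ...
# Prints one line per problem and returns 1 if any path failed, 0 otherwise.
# Note: as uid 0 the -r/-w/-x tests succeed for everything, so the result is
# only meaningful when run as the unprivileged user the image switches to.
check_paths() {
    rc=0
    for spec in "$@"; do
        mode=${spec%%:*}
        path=${spec#*:}
        if [ ! -d "$path" ]; then
            echo "MISSING    $path"
            rc=1
            continue
        fi
        # Listing a directory needs r; entering it needs x.
        if [ ! -r "$path" ] || [ ! -x "$path" ]; then
            echo "UNREADABLE $path (uid $(id -u) cannot list or traverse)"
            rc=1
        fi
        case "$mode" in
            *w*)
                if [ ! -w "$path" ]; then
                    echo "READONLY   $path (uid $(id -u) cannot write)"
                    rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# Report the identity the check ran as alongside the result, so the output
# in container logs is unambiguous.
preflight() {
    echo "preflight as uid=$(id -u) gid=$(id -g)"
    # Word splitting of FUNC_PATHS is intentional: one argument per entry.
    if check_paths $FUNC_PATHS; then
        echo "preflight OK"
        return 0
    fi
    echo "preflight FAILED: fix ownership/permissions (chown/chmod) in the Dockerfile"
    return 1
}

# When executed directly (not sourced for the functions), run the check.
case "$0" in
    *preflight*) preflight ;;
esac
```

A practical way to use it is to copy the script into the image, run it as the final `USER` in a one-off container (for example `docker run --rm --entrypoint sh <image> /preflight.sh`), and compare its output against the `chown` lines in the Dockerfile: any path it flags is one the unprivileged user was never given. Because the test operators always succeed for uid 0, the same script reports nothing useful in the root-based variant, which is exactly why the breakage only shows up after `USER nonroot`.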