Azure / azure-functions-docker

This repo contains the base Docker images for working with azure functions
MIT License

Alpine non root user #118

Open richardjharding opened 5 years ago

richardjharding commented 5 years ago

I'm using the Alpine dotnet images, and our vulnerability checking tool (Twistlock) is picking up a few out-of-date packages, which I think I can fix, but one issue is that it's suggesting the image should be created with a non-root user. Is any work underway to support this? I'm able to get an asp.net core app on, say, mcr.microsoft.com/dotnet/core/runtime-deps:2.2.4-alpine3.9 to run as non-root, but when I try with the functions runtime I get a number of permission errors such as

Unhandled Exception: System.AggregateException: One or more errors occurred. (Permission denied) ---> System.Net.Sockets.SocketException: Permission denied
   at System.Net.Sockets.Socket.UpdateStatusAfterSocketErrorAndThrowException(SocketError error, String callerName)
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.SocketTransport.BindAsync()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.<>c__DisplayClass21_0`1.<<StartAsync>g__OnBind|0>d.MoveNext()

This is after setting permissions for the new user on the following:

/azure-functions-host
/FuncExtensionBundles

Any ideas what I'm missing?

richardjharding commented 5 years ago

Ok, so this looks like an issue trying to bind to a port less than 1024 and is expected. The only way I could see to specify an alternative port for the host to listen on was to set the following env var: ENV ASPNETCORE_URLS='http://+:5000'. Is there an alternative settings file that would also work?

owenneil commented 5 years ago

I tried the same thing; I was able to get a little further. I added this: RUN apk add --no-cache libcap

and

RUN setcap 'cap_net_bind_service=+ep' /azure-functions-host/Microsoft.Azure.WebJobs.Script.WebHost

Unfortunately, now I get "Unhandled Exception: System.InvalidOperationException: Host.DestinationHostUrl must be specified either as an environment variable or as a command-line switch." I'm not quite sure why.
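The two approaches in this thread (a non-root user with the host moved to an unprivileged port, versus granting the binary CAP_NET_BIND_SERVICE with setcap) can be combined into one image definition. The Dockerfile below is an added example, not part of this repo; the base tag, the user name and the /home/func path are assumptions, while /azure-functions-host, /FuncExtensionBundles and ASPNETCORE_URLS come from the comments above. It takes the unprivileged-port route, so no capability has to be added to the binary at all.

```dockerfile
# Assumed base tag: replace with the Alpine functions image you actually build from.
FROM mcr.microsoft.com/azure-functions/dotnet:2.0-alpine

# Create an unprivileged system user and group (names are assumptions).
RUN addgroup -S func && adduser -S -G func -h /home/func func

# The host and the extension bundles are read at startup, and the thread
# reports permission errors until the new user can access them.
RUN chown -R func:func /azure-functions-host /FuncExtensionBundles /home/func

# Move Kestrel to a port above 1024 so binding works without
# CAP_NET_BIND_SERVICE; this replaces the setcap step entirely.
ENV ASPNETCORE_URLS=http://+:5000
EXPOSE 5000

# Everything after this line, including the container entrypoint, runs unprivileged.
USER func
```

After building, `docker run -p 5000:5000 <image>` followed by `docker exec <container> id` should report the func user rather than uid 0, and the host should answer on port 5000.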