dotnet / docs

This repository contains .NET Documentation.
https://learn.microsoft.com/dotnet
Creative Commons Attribution 4.0 International

Recommended actions should suggest considering to run in a non-root environment #36488

Open sander1095 opened 1 year ago

sander1095 commented 1 year ago

Moving from port 80 to port 8080 makes it easier to update your dockerfile (and possibly your kubernetes deployments if you use them) to run in a non-root environment, which improves security.

However, the recommended actions don't recommend this. If Microsoft recommends using port 8080, why not also recommend going all the way and making your container non-root?

There are some gotchas, like if you have configured ASP.NET Core to write buffers to a temp directory that the user running the app doesn't have rights for, but this could be documented somewhere.

Someone wrote this wonderful blog post detailing how to increase the security of .NET on kubernetes. This covers running on alpine and in a non-root context. I think Microsoft should write official documentation about non-root users, and perhaps link to this blog post if the user wants to learn more about alpine:

https://techcommunity.microsoft.com/t5/azure-developer-community-blog/hardening-an-asp-net-container-running-on-kubernetes/ba-p/2542224



sander1095 commented 1 year ago

I see that https://learn.microsoft.com/en-us/dotnet/core/compatibility/containers/8.0/app-user already talks about the new app user in a dockerfile. Great! Perhaps the current page could link to this app page because they are connected to each other :)

gewarren commented 1 year ago

@mthalman I added two see also links to the breaking change. Do you want me to make any changes to the recommended actions section?

sander1095 commented 1 year ago

The changes to the recommended actions section could be the following:

Frameworks like next.js also have dockerfiles that use alpine and non-root users to be fully secure. I see these 2 breaking changes in .NET 8 as a way to move towards that model. Great! But it needs more information to prevent lots of issues in .NET 8 with users reporting issues with Linux's rights.

mthalman commented 1 year ago

cc @richlander

mthalman commented 1 year ago

We have two good blog posts on this topic:

We can certainly add these to the "see also" section for these breaking change docs. But those are just breaking changes docs and not what I would consider to be a central location to discover this information. @gewarren - Is there an additional, more informational, doc on containers where we could add these links?

sander1095 commented 1 year ago

I completely agree that this information should NOT be featured in the breaking changes docs. And I'm glad to see these existing blog posts, and would love to have them linked in the "see also" section.

I do want to stress that I disagree with the current "recommended" action to simply change the port back. That's wrong, and not what Microsoft recommends to its users. Changing the port to 8080 makes apps potentially more secure if people also use the new app user, and so this combination should be the ultimate recommendation :).
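The combination discussed in the comments above (port 8080 together with a non-root user) can be checked mechanically. The following is an added example, not part of the issue thread or of the .NET docs: a small Dockerfile audit whose function name and sample Dockerfiles are constructed for illustration. It assumes a stage runs as root unless it, or an earlier stage it builds on, sets `USER`.

```python
import re

# Constructed sample Dockerfiles (not taken from the issue thread).
ROOT_ON_80 = """\
FROM mcr.microsoft.com/dotnet/aspnet:8.0
ENV ASPNETCORE_HTTP_PORTS=80
EXPOSE 80
ENTRYPOINT ["dotnet", "App.dll"]
"""
NON_ROOT_ON_8080 = """\
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
USER $APP_UID
EXPOSE 8080
FROM base AS final
ENTRYPOINT ["dotnet", "App.dll"]
"""

def audit_dockerfile(text):
    """Report a root user and privileged ports in the final build stage.

    Assumption: a stage starts as root unless it, or the earlier stage it
    is built FROM, sets USER. The base image itself is not inspected.
    """
    stages, cur = {}, {"user": None, "ports": []}
    # Join backslash-continued lines so each instruction is one line.
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        instr, _, arg = line.strip().partition(" ")
        instr, arg = instr.upper(), arg.strip()
        if instr == "FROM" and arg:
            m = re.match(r"(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", arg, re.I)
            # "FROM base AS final" inherits USER/ports from stage "base".
            parent = stages.get(m.group(1).lower(), {"user": None, "ports": []})
            cur = {"user": parent["user"], "ports": list(parent["ports"])}
            if m.group(2):
                stages[m.group(2).lower()] = cur
        elif instr == "USER":
            cur["user"] = arg.split(":")[0]
        elif instr == "EXPOSE":
            cur["ports"] += map(int, re.findall(r"\d+", arg))
        elif instr == "ENV":
            for m in re.finditer(r"ASPNETCORE_(?:URLS|HTTPS?_PORTS)[=\s]+(\S+)", arg):
                value = m.group(1).strip("\"'")
                cur["ports"] += map(int, re.findall(r"(?:^|[:;])(\d+)(?=$|[;/])", value))
    findings = []
    if cur["user"] in (None, "root", "0"):
        findings.append("final stage runs as root; add USER (e.g. USER $APP_UID)")
    for port in sorted(set(cur["ports"])):
        if port < 1024:
            findings.append(f"privileged port {port}; prefer 8080 when running non-root")
    return findings
```

An empty result for a Dockerfile only means no root user or low port was declared in the file itself; runtime overrides such as a Kubernetes `securityContext` are outside what this check sees.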

sander1095 commented 1 year ago

The only other suggestion I would have is that these blogposts MUST be part of the actual dotnet/docker documentation on learn.microsoft.com. These blog posts are essential for a secure web application, something that is shipped by default by other products like next.js. Therefore it should be part of the actual documentation set and not a blogpost :)

gewarren commented 1 year ago

Tagging @IEvangelist to update the containers documentation in this general section of the docs: https://learn.microsoft.com/en-us/dotnet/core/docker/publish-as-container.

sander1095 commented 1 year ago

Thank you! I'm excited to see these updates. Feel free to tag me in any PRs for these doc updates, I've learned a lot recently about securing containers and could provide some possible feedback!

One thing to add: if the official docs get updated, I think the "see also" section on this page should also get updated to point to the official docs.

sander1095 commented 1 year ago

This topic has touched several points, however we haven't discussed this one yet from my previous comment:

> I do want to stress that I disagree with the current "recommended" action to simply change the port back. That's wrong, and not what Microsoft recommends to its users. Changing the port to 8080 makes apps potentially more secure if people also use the new app user, and so this combination should be the ultimate recommendation :).

I hope that comment clarifies my intent. If not, I'd love to answer any questions or help out in other ways! 😊

adegeo commented 2 months ago

I just discovered this issue, which seems to have been lost. Retagging interested parties:

@IEvangelist @mthalman

mthalman commented 2 months ago

There doesn't yet exist documentation on learn.microsoft.com for using a non-root user in containers. So we really don't have anything to link to for this recommended action unless it's going to be @richlander's blog post: https://devblogs.microsoft.com/dotnet/securing-containers-with-rootless. Is it acceptable to just link to that for now?

gewarren commented 2 months ago

> There doesn't yet exist documentation on learn.microsoft.com for using a non-root user in containers. So we really don't have anything to link to for this recommended action unless it's going to be @richlander's blog post: https://devblogs.microsoft.com/dotnet/securing-containers-with-rootless. Is it acceptable to just link to that for now?

Fine with me. Marking this as up for grabs.