Closed solidcloudio closed 1 year ago
Was able to repro this, investigating now... might be related to https://github.com/dotnet/dotnet-docker/issues/4803
Ok, the issue is that when installing the credential provider, it first elevates via USER ContainerAdministrator, which only installs the credential provider as ContainerAdministrator, so the build running as ContainerUser doesn't have access to use the provider to give credentials.
Will come up with a proper fix here... assuming this used to work, but aside from changes to the folder structure and permissions in the base image, I don't see how this could ever work.
Have a few workarounds here until this can be fixed and the sample updated (note this issue only exists on Windows Nano Server containers, as it runs as ContainerUser by default):
Move the USER ContainerUser instruction after the RUN dotnet ... instructions. This runs the build as ContainerAdministrator, which will be able to see and use the installed credential provider. This may or may not be desirable.
Use the following docker instructions to grant the additional permissions required to run the credential provider script as ContainerUser. This also may not be desirable.
# Grant BUILTIN\Users access to read & delete from the TEMP directory
USER ContainerAdministrator
RUN & icacls C:\Windows\Temp\ /grant *S-1-5-32-545:'(OI)(CI)(RD,DE,DC)'
USER ContainerUser
# Install the cred provider
WORKDIR /Windows/Temp
RUN Invoke-WebRequest https://raw.githubusercontent.com/microsoft/artifacts-credprovider/master/helpers/installcredprovider.ps1 -OutFile installcredprovider.ps1; `
.\installcredprovider.ps1; `
del installcredprovider.ps1
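To confirm the user-context mismatch described in the comment above before choosing a workaround, this added diagnostic (not code from the thread or from the dotnet-docker sample) reports whether the credential provider plugin is visible to the user that runs the restore. It assumes the install script's per-user `.nuget\plugins` layout and the default `C:\Users` profile root; the function name is hypothetical.

```powershell
# Added diagnostic (not from the thread). Run it as the same USER that runs `dotnet restore`.
function Get-CredProviderVisibility {
    param(
        [string]$ProfileRoot = $env:USERPROFILE,  # profile of the user running this step
        [string]$UsersRoot = 'C:\Users'           # assumption: default profile location
    )
    # Assumed per-user location used by the artifacts-credprovider install script (.NET Core plugin)
    $relative = '.nuget\plugins\netcore\CredentialProvider.Microsoft\CredentialProvider.Microsoft.dll'

    # Copies under other profiles are not in this user's default plugin search path
    $elsewhere = @(
        Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -ne $ProfileRoot } |
            ForEach-Object { Join-Path $_.FullName $relative } |
            Where-Object { Test-Path -LiteralPath $_ -ErrorAction SilentlyContinue }
    )

    [pscustomobject]@{
        User             = [Environment]::UserName
        ProfileRoot      = $ProfileRoot
        InOwnProfile     = Test-Path -LiteralPath (Join-Path $ProfileRoot $relative)
        OtherProfiles    = $elsewhere
        NuGetPluginPaths = $env:NUGET_PLUGIN_PATHS  # overrides the default search when set
    }
}

$report = Get-CredProviderVisibility
$report | Format-List

# Fail the build step early with a specific message instead of a generic restore error
if (-not $report.InOwnProfile -and -not $report.NuGetPluginPaths) {
    Write-Error "No credential provider visible to $($report.User); found under: $($report.OtherProfiles -join ', ')"
    exit 1
}
```

If ContainerUser cannot list another profile, `OtherProfiles` comes back empty; `InOwnProfile` being false is still the signal that the plugin was installed under a different user.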
Thanks for the follow-up, I was thinking about that. I read somewhere else about a similar issue when switching user contexts. I ended up just ditching the multi-stage build. The main build script is building it anyways, why build it twice? I can build publish with the main build and just use the docker image as the runtime wrapper. If I copy the publish output from the primary machine and then launch docker with the context referencing the publish output folder, I don't have to build it in docker at all.
Regardless of what I try here I get: error NU1301: Unable to load the service index for source. I'm able to get this to run on a different server that uses Linux containers, but on a Windows build machine I get a failure to connect to the feed.
I'm using this in the context of Azure DevOps and a Multi-Stage Docker build in Windows. I've defined a pipeline variable to store my PAT token. The relevant build section:
My nuget.config
Then in my dockerfile:
This just fails with:
Is there some way to troubleshoot the login? The error message is pretty generic: error NU1301: Unable to load the service index for source