# dotnet dockerfile memo

Notes on writing Dockerfiles for dotnet

## tls1.0 support

### bullseye-slim (Debian 11)

:::info
The Dockerfile for the dotnet/aspnet:{version} tag is adjusted the same way, because the OS is Debian in both cases.
:::

```dockerfile
# Override with --build-arg dotnetVersion=<version>
ARG dotnetVersion=7.0
FROM mcr.microsoft.com/dotnet/aspnet:$dotnetVersion-bullseye-slim AS base
# Lower the system-wide security level and minimum protocol in both openssl.cnf copies
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /usr/lib/ssl/openssl.cnf
```

### bookworm-slim (Debian 12)

:::info
- The Dockerfile for the dotnet/aspnet:{version} tag is adjusted the same way, because the OS is Debian in both cases.
- This section applies to dotnet 8 and later.
- If the database or some TLS 1.0 services are still unreachable after adding the commands below, change `DEFAULT:@SECLEVEL=1` to `DEFAULT:@SECLEVEL=0`.
:::

```dockerfile
# Override with --build-arg dotnetVersion=<version>
ARG dotnetVersion=8.0
FROM mcr.microsoft.com/dotnet/aspnet:$dotnetVersion-bookworm-slim AS base
# Disable the stock openssl_conf entry, then point OpenSSL at a new default section
RUN sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/' /etc/ssl/openssl.cnf
RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && \
    echo "\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf
```

### alpine

:::info
In my network environment, the alpine sdk image also needs the same settings before it can connect to the private nuget server.
:::

```dockerfile
# Override with --build-arg dotnetVersion=<version>
ARG dotnetVersion=8.0
FROM mcr.microsoft.com/dotnet/aspnet:$dotnetVersion-alpine AS base
# busybox echo needs -e to expand \n
RUN sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/' /etc/ssl/openssl.cnf
RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && \
    echo -e "\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf

# Build
FROM mcr.microsoft.com/dotnet/sdk:$dotnetVersion-alpine AS build
RUN sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/' /etc/ssl/openssl.cnf
RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && \
    echo -e "\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf
```

## use specific nuget server

```dockerfile
FROM mcr.microsoft.com/dotnet/sdk:7.0-bullseye-slim AS build
WORKDIR /src
COPY ["WebApplication1/WebApplication1.csproj", "WebApplication1/"]
# -s restricts the restore to the given package source
RUN dotnet restore "WebApplication1/WebApplication1.csproj" -s https://your-nuget-server.domain.com
COPY . .
WORKDIR "/src/WebApplication1"
RUN dotnet build "WebApplication1.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "WebApplication1.csproj" -c Release -o /app/publish /p:UseAppHost=false
```

## build specific version

```dockerfile
FROM mcr.microsoft.com/dotnet/sdk:7.0-bullseye-slim AS build
WORKDIR /src
COPY ["WebApplication1/WebApplication1.csproj", "WebApplication1/"]
RUN dotnet restore "WebApplication1/WebApplication1.csproj"
COPY . .
WORKDIR "/src/WebApplication1"
# One build per target framework, each into its own output directory
RUN dotnet build "WebApplication1.csproj" -c Release -o /app/build/net6 -f net6.0
RUN dotnet build "WebApplication1.csproj" -c Release -o /app/build/net7 -f net7.0

FROM build AS publish
RUN dotnet publish "WebApplication1.csproj" -c Release -o /app/publish/net6 /p:UseAppHost=false -f net6.0
RUN dotnet publish "WebApplication1.csproj" -c Release -o /app/publish/net7 /p:UseAppHost=false -f net7.0
```

## Use alpine in the build stage to reduce disk usage on the build machine

### Controlling it with build arguments

:::info
- Typically used when you want to dynamically produce containers for several different OS and .NET versions
- [dotnet build reference](https://learn.microsoft.com/zh-tw/dotnet/core/tools/dotnet-build)
- [dotnet publish reference](https://learn.microsoft.com/zh-tw/dotnet/core/tools/dotnet-publish)
- [os rid reference](https://learn.microsoft.com/zh-tw/dotnet/core/rid-catalog)
- [os type list (rid list)](https://github.com/dotnet/sdk/blob/main/src/Layout/redist/PortableRuntimeIdentifierGraph.json)
:::

```dockerfile
FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
ARG dotnetVersion=8.0
ARG releaseOsType=linux
WORKDIR /src
COPY ["OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins/OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj", "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins/"]
RUN dotnet restore "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins/OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj"
COPY . .
WORKDIR "/src/OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins"
RUN dotnet build "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
    -c Release \
    -o /app/build \
    -f net${dotnetVersion} \
    --os ${releaseOsType} \
    --arch x64

FROM build AS publish
# ARG values do not carry across stages, so declare them again
ARG dotnetVersion=8.0
ARG releaseOsType=linux
RUN dotnet publish "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
    -c Release \
    -o /app/publish \
    -f net${dotnetVersion} \
    --os ${releaseOsType} \
    --arch x64
```

### Specifying directly

:::info
Typically used when you know exactly which OS and .NET version the base image is
:::

1. When the output targets 8.0 on Debian 12 (8.0/8.0-bookworm-slim) or Ubuntu (jammy)

   ```dockerfile
   RUN dotnet build "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
       -c Release \
       -o /app/build \
       -f net8.0 \
       --os linux \
       --arch x64
   RUN dotnet publish "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
       -c Release \
       -o /app/publish \
       -f net8.0 \
       --os linux \
       --arch x64
   ```

2. When the output targets 8.0-alpine

   ```dockerfile
   RUN dotnet build "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
       -c Release \
       -o /app/build \
       -f net8.0 \
       --os linux-musl \
       --arch x64
   RUN dotnet publish "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
       -c Release \
       -o /app/publish \
       -f net8.0 \
       --os linux-musl \
       --arch x64
   ```

## OpenSSL 3.x minimum supported TLS version setting

Because bookworm-slim, jammy, and alpine all ship OpenSSL 3.x, use the following commands instead if you want to adjust the minimum TLS version in a Dockerfile.

:::info
If the database or some TLS 1.0 services are still unreachable after adding the commands below, change `DEFAULT:@SECLEVEL=1` to `DEFAULT:@SECLEVEL=0`.
:::

```dockerfile
RUN sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/' /etc/ssl/openssl.cnf
# printf expands \n under both dash (Debian/Ubuntu) and busybox ash (alpine); plain echo does not on alpine
RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && \
    printf '\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1\n' >> /etc/ssl/openssl.cnf
```
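
The `system_default` section edited above applies to every OpenSSL client in the image, so it is worth checking at build time which floor an `openssl.cnf` actually ends up with. The script below is an added example, not part of the original memo: the function names `tls_floor` and `tls_floor_weakened` and the sample config are constructed for illustration, and it assumes the last assignment of a key in a section wins.

```shell
# tls_floor FILE: print the default MinProtocol and @SECLEVEL, following
# openssl_conf -> ssl_conf -> system_default. Assumption: the last assignment
# of a key wins and repeated [section] headers merge into one section.
tls_floor() {
  awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    /^\[.*\]$/ { sec = $0; gsub(/^\[[ \t]*|[ \t]*\]$/, "", sec); next }
    /=/ {
      k = $0; sub(/[ \t]*=.*/, "", k)      # key: text before the first "="
      v = $0; sub(/^[^=]*=[ \t]*/, "", v)  # value: text after the first "="
      val[sec SUBSEP k] = v
    }
    END {
      init = val["" SUBSEP "openssl_conf"]
      def = val[val[init SUBSEP "ssl_conf"] SUBSEP "system_default"]
      mp = val[def SUBSEP "MinProtocol"]; if (mp == "") mp = "unset"
      cs = val[def SUBSEP "CipherString"]; lvl = "unset"
      if (match(cs, /@SECLEVEL=[0-9]+/)) lvl = substr(cs, RSTART + 10, RLENGTH - 10)
      printf "MinProtocol=%s SECLEVEL=%s\n", mp, lvl
    }' "$1"
}

# tls_floor_weakened FILE: exit 0 when the floor is below TLSv1.2 or SECLEVEL < 2.
tls_floor_weakened() {
  case "$(tls_floor "$1")" in
    *MinProtocol=SSLv3*|*"MinProtocol=TLSv1 "*|*MinProtocol=TLSv1.1*) return 0 ;;
    *SECLEVEL=0|*SECLEVEL=1) return 0 ;;
  esac
  return 1
}

# Constructed sample: an abbreviated config as it looks after the memo's edits.
sample_patched_cnf() {
  cat <<'EOF'
openssl_conf = default_conf
#openssl_conf = openssl_init
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
EOF
}

tmp=$(mktemp); sample_patched_cnf > "$tmp"
tls_floor "$tmp"; tls_floor_weakened "$tmp" && echo "TLS floor weakened"
rm -f "$tmp"
```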