
dotnet dockerfile memo

Notes on writing dotnet Dockerfiles

tls1.0 support

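bullseye-slim (Debian 11)

The same Dockerfile adjustment applies to the dotnet/aspnet:{version} tags, because the OS is Debian in both cases

# Pass the tag prefix with --build-arg dotnetVersion=<version>
ARG dotnetVersion
FROM mcr.microsoft.com/dotnet/aspnet:$dotnetVersion-bullseye-slim AS base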
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /etc/ssl/openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf
RUN sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /usr/lib/ssl/openssl.cnf

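bookworm-slim (Debian 12)

  • The same Dockerfile adjustment applies to the dotnet/aspnet:{version} tags, because the OS is Debian in both cases
  • This part applies to dotnet 8 and later
  • If the database or some TLS 1.0 services still cannot be reached after adding the commands below, change DEFAULT:@SECLEVEL=1 to DEFAULT:@SECLEVEL=0
# Pass the tag prefix with --build-arg dotnetVersion=<version>
ARG dotnetVersion
FROM mcr.microsoft.com/dotnet/aspnet:$dotnetVersion-bookworm-slim AS base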
RUN sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/' /etc/ssl/openssl.cnf
RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && \
    echo "\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf

alpine

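In my network environment, the alpine sdk image also needs the same settings before it can connect to the private NuGet server

# Pass the tag prefix with --build-arg dotnetVersion=<version>; an ARG before the first FROM is visible to every FROM line
ARG dotnetVersion
FROM mcr.microsoft.com/dotnet/aspnet:$dotnetVersion-alpine AS base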
RUN sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/' /etc/ssl/openssl.cnf
RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && \
    echo -e "\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf

# Build
FROM mcr.microsoft.com/dotnet/sdk:$dotnetVersion-alpine AS build
RUN sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/' /etc/ssl/openssl.cnf
RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && \
    echo -e "\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1" >> /etc/ssl/openssl.cnf

use specific nuget server

FROM mcr.microsoft.com/dotnet/sdk:7.0-bullseye-slim AS build
WORKDIR /src
COPY ["WebApplication1/WebApplication1.csproj", "WebApplication1/"]
RUN dotnet restore "WebApplication1/WebApplication1.csproj" -s https://your-nuget-server.domain.com
COPY . .
WORKDIR "/src/WebApplication1"
RUN dotnet build "WebApplication1.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "WebApplication1.csproj" -c Release -o /app/publish /p:UseAppHost=false

build specific version

FROM mcr.microsoft.com/dotnet/sdk:7.0-bullseye-slim AS build
WORKDIR /src
COPY ["WebApplication1/WebApplication1.csproj", "WebApplication1/"]
RUN dotnet restore "WebApplication1/WebApplication1.csproj"
COPY . .
WORKDIR "/src/WebApplication1"
RUN dotnet build "WebApplication1.csproj" -c Release -o /app/build/net6 -f net6.0
RUN dotnet build "WebApplication1.csproj" -c Release -o /app/build/net7 -f net7.0

FROM build AS publish
RUN dotnet publish "WebApplication1.csproj" -c Release -o /app/publish/net6 /p:UseAppHost=false -f net6.0
RUN dotnet publish "WebApplication1.csproj" -c Release -o /app/publish/net7 /p:UseAppHost=false -f net7.0

Use alpine for the build stage to reduce disk usage on the build machine

Controlled through build arguments

FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
ARG dotnetVersion=8.0
ARG releaseOsType=linux
WORKDIR /src
COPY ["OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins/OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj", "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins/"]
RUN dotnet restore "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins/OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj"
COPY . .
WORKDIR "/src/OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins"
RUN dotnet build "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
    -c Release \
    -o /app/build \
    -f net${dotnetVersion} \
    --os ${releaseOsType} \
    --arch x64

FROM build AS publish
ARG dotnetVersion=8.0
ARG releaseOsType=linux
RUN dotnet publish "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
    -c Release \
    -o /app/publish \
    -f net${dotnetVersion} \
    --os ${releaseOsType} \
    --arch x64

Specified directly

Typically used when you know exactly which OS and .NET version the base image uses

  1. When the output targets 8.0 on Debian 12 (8.0/8.0-bookworm-slim) or Ubuntu (jammy)
RUN dotnet build "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
    -c Release \
    -o /app/build \
    -f net8.0 \
    --os linux \
    --arch x64

RUN dotnet publish "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
    -c Release \
    -o /app/publish \
    -f net8.0 \
    --os linux \
    --arch x64
  2. When the output targets 8.0-alpine
RUN dotnet build "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
    -c Release \
    -o /app/build \
    -f net8.0 \
    --os linux-musl \
    --arch x64

RUN dotnet publish "OpenTelemetry.AutoInstrumentation.AspNetCore.Plugins.csproj" \
    -c Release \
    -o /app/publish \
    -f net8.0 \
    --os linux-musl \
    --arch x64

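Setting the minimum supported TLS version on OpenSSL 3.x

Because bookworm-slim, jammy and alpine all ship OpenSSL 3.x, use the following commands instead if you want to adjust the minimum TLS version in a Dockerfile

If the database or some TLS 1.0 services still cannot be reached after adding the commands below, change DEFAULT:@SECLEVEL=1 to DEFAULT:@SECLEVEL=0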

RUN sed -i 's/openssl_conf = openssl_init/#openssl_conf = openssl_init/' /etc/ssl/openssl.cnf
# printf expands \n under both dash (Debian, Ubuntu) and BusyBox sh (Alpine); plain echo needs -e on Alpine
RUN sed -i '1i openssl_conf = default_conf' /etc/ssl/openssl.cnf && \
    printf '\n[ default_conf ]\nssl_conf = ssl_sect\n[ssl_sect]\nsystem_default = system_default_sect\n[system_default_sect]\nMinProtocol = TLSv1\nCipherString = DEFAULT:@SECLEVEL=1\n' >> /etc/ssl/openssl.cnf
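
The commands above change the TLS defaults for every OpenSSL client in the image, so it helps to check what a built image actually ends up with. The script below is an added example, not part of the original note: it follows the openssl_conf -> ssl_conf -> system_default chain in an openssl.cnf and reports the effective MinProtocol and security level. The function names and the sample file are constructed for illustration, and it assumes that repeated sections merge with the last assignment winning.

```shell
# tls_defaults [FILE] -> "MinProtocol=<v> SECLEVEL=<n>" ("unset" where nothing is configured)
tls_defaults() {
    awk '
    { sub(/[ \t]*#.*/, "") }                  # drop comments, incl. the "#openssl_conf" line
    /^[ \t]*\[/ { sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next }   # "[ default_conf ]"
    /=/ {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        conf[sec, key] = val                  # assumption: sections merge, last value wins
    }
    END {
        s = conf["", "openssl_conf"]          # top-level key names the entry section
        if (s != "") s = conf[s, "ssl_conf"]
        if (s != "") s = conf[s, "system_default"]
        proto = "unset"; level = "unset"
        if (s != "" && conf[s, "MinProtocol"] != "") proto = conf[s, "MinProtocol"]
        if (s != "" && match(conf[s, "CipherString"], /@SECLEVEL=[0-9]+/))
            level = substr(conf[s, "CipherString"], RSTART + 10, RLENGTH - 10)
        print "MinProtocol=" proto " SECLEVEL=" level
    }' "$@"
}

# audit_tls [FILE] -> returns 1 when the defaults are below TLS 1.2 or security level 2
audit_tls() {
    d=$(tls_defaults "$@")
    case "$d" in
        "MinProtocol=TLSv1 "*|"MinProtocol=TLSv1.1 "*|*SECLEVEL=0|*SECLEVEL=1)
            echo "WEAK: $d"; return 1 ;;
    esac
    echo "OK: $d"
}

# Constructed sample: a trimmed openssl.cnf after the sed/printf commands have run
sample_cnf() { cat <<'EOF'
openssl_conf = default_conf
#openssl_conf = openssl_init
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1
EOF
}

# Audit the file given as $1; without arguments, show the result for the sample
if [ "$#" -gt 0 ]; then audit_tls "$1"; else sample_cnf | audit_tls || true; fi
```

Run it against /etc/ssl/openssl.cnf inside the built image (and /usr/lib/ssl/openssl.cnf on bullseye) as a build check, so images carrying the relaxed defaults are identified and kept to the services that need them.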