Web App for Containers with Dockerized ASP.NET app with User settings

Tsuyoshi Ushio
Oct 3, 2019

This post shares a few small tips for configuring an ASP.NET container to run as a non-root user.

Many Docker images still run as root. You should know how dangerous that is. If you don’t, I recommend watching this keynote.

Let’s configure your ASP.NET container app with a non-root user.

Dockerfile

You need to create a user and group in your Docker image, then run as that user.

RUN groupadd -r devsecops && useradd --no-log-init -r -g devsecops devsecops
RUN mkdir /home/devsecops
RUN chown -R devsecops /app
RUN chown -R devsecops /home/devsecops
:
USER devsecops

Port number

Port 80 requires root, so change the port number. There are several ways to do this; I simply used ASPNETCORE_URLS.

ENV ASPNETCORE_URLS=http://+:8080

NOTE: Don’t use https here. Web App takes care of the server certificate for https.

Web App For Containers configuration

You also need to change the port number on the Web App side.

Add WEBSITES_PORT as an App Setting. If you use the Azure CLI, you can do it like this.

az webapp config appsettings set --resource-group $resourceGroupName --name $webAppName --settings WEBSITES_PORT=8080

That’s it.

This is the sample Dockerfile.

Error Messages

The configuration is simple; however, you might encounter some issues.

WebApp for container UnauthorizedAccessException: Access to the path ‘/home/devsecops/ASP.NET/DataProtection-Keys’ is denied.

DataProtection-Keys is created under the home directory, so you need to create a home directory for the target user.

System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.
To generate a developer certificate run ‘dotnet dev-certs https’. To trust the certificate (Windows and macOS only) run ‘dotnet dev-certs https --trust’.

You might have configured the ASPNETCORE_URLS environment variable with https, which requires a certificate. The dotnet dev-certs command requires the .NET SDK. You could install it; however, Web App for Containers takes care of https, so we don’t need an https setting inside the container.
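
As an added example (not part of the original post or its sample Dockerfile), this shell function checks a Dockerfile for the three points covered above: a non-root USER, a home directory for that user, and an http ASPNETCORE_URLS on a port that does not need root. The name check_dockerfile and the text-matching heuristics are assumptions of this example.

```sh
#!/bin/sh
# Added example: lint a Dockerfile against the checklist in this post.
# Heuristic text matching; assumes a single-stage Dockerfile.
# Prints findings, leaves their count in $findings, returns 0 when clean.
check_dockerfile() {
    df=$1
    findings=0
    fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

    # 1. The last USER instruction decides who the app runs as.
    user=$(awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$df")
    user=${user%%:*}    # drop an optional ":group" suffix
    case $user in
        ''|root|0)
            fail "no non-root USER instruction, container runs as root" ;;
        *)  # 2. DataProtection-Keys needs a writable home directory.
            grep -Eq "mkdir.*/home/$user|useradd.* (-m|--create-home)" "$df" ||
                fail "no home directory created for user '$user'" ;;
    esac

    # 3. ASPNETCORE_URLS: plain http on a port that does not need root.
    urls=$(sed -n 's/^[[:space:]]*ENV[[:space:]][[:space:]]*ASPNETCORE_URLS[= ]//p' "$df" |
        tail -n 1 | tr -d '"')
    [ -n "$urls" ] || fail "ASPNETCORE_URLS is not set to an unprivileged port"
    old_ifs=$IFS; IFS=';'; set -f    # split on ';', no globbing of '*' hosts
    for url in $urls; do
        case $url in
            https://*) fail "$url: https needs a certificate in the container" ;;
        esac
        port=${url##*:}; port=${port%%/*}
        case $port in ''|*[!0-9]*) port=80 ;; esac    # no explicit port given
        [ "$port" -ge 1024 ] || fail "$url: port $port requires root"
    done
    IFS=$old_ifs; set +f

    [ "$findings" -eq 0 ]
}

# Usage: sh check.sh ./Dockerfile
if [ -n "${1:-}" ]; then check_dockerfile "$1"; fi
```

The home-directory check is there because useradd -r, as used in the Dockerfile above, creates a system account without a home directory unless -m is given.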

Next Step

The next challenge might be the SSH daemon configuration for the container. (NOTE: Web App for Containers has a special architecture. Usually, having an SSH daemon in a container is a bad practice; for Web App for Containers it is not.) We need to run the daemon as a non-root user and change the SSH configuration. I haven’t tested this, so I’d like to try it next time.

Resources

Written by Tsuyoshi Ushio

Senior Software Engineer — Microsoft