{"id":41598,"date":"2022-08-16T05:57:17","date_gmt":"2022-08-16T12:57:17","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=41598"},"modified":"2024-12-13T15:11:32","modified_gmt":"2024-12-13T23:11:32","slug":"dotnet-6-is-now-in-ubuntu-2204","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/dotnet-6-is-now-in-ubuntu-2204\/","title":{"rendered":".NET 6 is now in Ubuntu 22.04"},"content":{"rendered":"<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/announcing-net-6\/\">.NET 6<\/a> is now <a href=\"https:\/\/ubuntu.com\/blog\/install-dotnet-on-ubuntu\">included in Ubuntu 22.04 (Jammy)<\/a> and can be installed with just <code>apt install dotnet6<\/code>. This change is a major improvement and simplification for Ubuntu users. We&#8217;re also releasing .NET with Chiseled Ubuntu Containers, a new small and secure container offering from Canonical. These improvements are the result of a new partnership between Canonical and Microsoft.<\/p>\n<p>Here&#8217;s the commands to install the <a href=\"https:\/\/packages.ubuntu.com\/jammy-updates\/dotnet6\">.NET 6 SDK on Ubuntu 22.04<\/a>:<\/p>\n<pre><code class=\"language-bash\">sudo apt update\r\nsudo apt install dotnet6<\/code><\/pre>\n<p>We&#8217;re also announcing that <a href=\"https:\/\/github.com\/ubuntu-rocks\/dotnet\">.NET 6 is available with Chiseled Ubuntu Containers<\/a>. Our friends at <a href=\"https:\/\/canonical.com\/\">Canonical<\/a> have developed a new <a href=\"https:\/\/github.com\/canonical\/chisel\">chisel<\/a> approach for making ultra-small container images. We&#8217;re very excited about it. The Chiseled Ubuntu image is <code>100MB<\/code> smaller than the Ubuntu images you&#8217;ve been using until now!<\/p>\n<p>Here&#8217;s the command to pull the new ASP.NET Chiseled image:<\/p>\n<pre><code class=\"language-bash\">docker pull mcr.microsoft.com\/dotnet\/nightly\/aspnet:6.0-jammy-chiseled<\/code><\/pre>\n<p>We also updated our <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/dotnetapp\/Dockerfile.chiseled\">dotnetapp<\/a> and <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/aspnetapp\/Dockerfile.chiseled\">aspnetapp<\/a> samples so that you can try out .NET with Chiseled Ubuntu Containers.<\/p>\n<p>These new container images significantly improve security posture:<\/p>\n<ul>\n<li>Ultra-small images (reduced size and attack surface)<\/li>\n<li>No package manager (avoids a whole class of attacks)<\/li>\n<li>No shell (avoids a whole class of attacks)<\/li>\n<li>Non-root (avoids a whole class of attacks)<\/li>\n<\/ul>\n<p>To top that off, Canonical and Microsoft are committed to working together to ensure that new .NET releases are available with new Ubuntu releases and that they work well together. This includes security updates and secure delivery of container images.<\/p>\n<p>We&#8217;re really excited that .NET 6 is available in Ubuntu 22.04 and that Canonical chose to work with us as their launch partner for Chiseled Ubuntu images. This is what Canonical had to say about the project.<\/p>\n<blockquote><p>\u201cUbuntu now has an end-to-end story from development to production with ultra-small supported container images, starting with the .NET platform\u201d, said Valentin Viennot, Product Manager at Canonical. \u201cWe think it\u2019s a huge improvement for both our communities; collaborating with the .NET team at Microsoft has enabled us to go above and beyond\u201d.<\/p><\/blockquote>\n<h2>Canonical and Microsoft<\/h2>\n<p>Several months ago, folks at Canonical and Microsoft started working together with the goal of making Ubuntu an even better environment for .NET devs.<\/p>\n<p>We had two main goals in mind:<\/p>\n<ul>\n<li>Simplify using .NET on Ubuntu.<\/li>\n<li>Shorten the supply chain between Canonical and Microsoft.<\/li>\n<\/ul>\n<p>We&#8217;ve known for years that many .NET devs use Ubuntu. After we got talking, it became obvious that there was a fair bit we could do to make that experience better. Let me tell you what we&#8217;ve delivered.<\/p>\n<h2>.NET in APT<\/h2>\n<p>You can now install <a href=\"https:\/\/ubuntu.com\/blog\/install-dotnet-on-ubuntu\">.NET 6 with APT<\/a>, built by Canonical via <a href=\"https:\/\/github.com\/dotnet\/source-build\">source-build<\/a>. These packages are available with Ubuntu 22.04 (Jammy) and later. It&#8217;s a great reason to upgrade to <a href=\"https:\/\/ubuntu.com\/blog\/ubuntu-22-04-lts-released\">Jammy<\/a>!<\/p>\n<blockquote><p>Note: Please checkout this <a href=\"https:\/\/github.com\/dotnet\/core\/issues\/7699\">advisory on using <code>packages.microsoft.com<\/code> on Ubuntu 22.04<\/a> now that .NET 6 is included in Ubuntu.<\/p><\/blockquote>\n<p>There are <a href=\"https:\/\/packages.ubuntu.com\/search?suite=default&amp;section=all&amp;arch=any&amp;keywords=dotnet&amp;searchon=names\">multiple packages<\/a>:<\/p>\n<ul>\n<li><a href=\"https:\/\/packages.ubuntu.com\/jammy-updates\/dotnet6\"><code>dotnet6<\/code><\/a> &#8212; The .NET 6 SDK (short name).<\/li>\n<li><a href=\"https:\/\/packages.ubuntu.com\/jammy-updates\/dotnet-sdk-6.0\"><code>dotnet-sdk-6.0<\/code><\/a> &#8212; Same as above (long name).<\/li>\n<li><a href=\"https:\/\/packages.ubuntu.com\/jammy-updates\/aspnetcore-runtime-6.0\"><code>aspnet-runtime-6.0<\/code><\/a> &#8212; ASP.NET Core<\/li>\n<li><a href=\"https:\/\/packages.ubuntu.com\/jammy-updates\/dotnet-runtime-6.0\"><code>dotnet-runtime-6.0<\/code><\/a> &#8212; .NET Runtime<\/li>\n<\/ul>\n<p>I&#8217;ll show you how to install these images using Docker (same model applies elsewhere):<\/p>\n<pre><code class=\"language-bash\">rich@kamloops:~$ docker run --rm -it ubuntu:jammy\r\nroot@7d4dfca0ef55:\/# apt update &amp;&amp; apt install -y dotnet6\r\nroot@7d4dfca0ef55:\/# dotnet --version\r\n6.0.108<\/code><\/pre>\n<p>In case that doesn&#8217;t work, you need the following source registered, in \/etc\/apt\/sources.list:<\/p>\n<pre class=\"prettyprint\">deb http:\/\/archive.ubuntu.com\/ubuntu\/ jammy-updates universe<\/pre>\n<p>Canonical and Microsoft will be working together to ensure that these packages are updated on the monthly .NET team release schedule. This includes Microsoft sharing <a href=\"https:\/\/github.com\/dotnet\/core\/blob\/main\/release-notes\/6.0\/cve.md\">CVE information<\/a> (descriptions and code) with Canonical ahead of public releases. Similarly, Canonical will share security information in the other direction.<\/p>\n<p>Notes:<\/p>\n<ul>\n<li>We&#8217;re currently missing Arm64 builds. Those will be coming soon. Both companies are strong proponents of Arm64.<\/li>\n<li>.NET 7 builds are not yet available, and likely won&#8217;t be until .NET 7 GA.<\/li>\n<li><a style=\"background-color: #f7f7f9; font-size: 1rem;\" href=\"https:\/\/github.com\/dotnet\/designs\/blob\/main\/accepted\/2020\/workloads\/workloads.md\">.NET SDK workloads<\/a><span style=\"font-size: 1rem;\"> are not available in packages (for any Linux distro). Also, the .NET MAUI workloads isn&#8217;t supported on Linux.<\/span><\/li>\n<\/ul>\n<h2>.NET in Chiseled Ubuntu Containers<\/h2>\n<p>You can now use <a href=\"https:\/\/github.com\/ubuntu-rocks\/dotnet\">.NET in Chiseled Ubuntu Containers<\/a>. Chiseling delivers the smallest container footprint while still being the Ubuntu you know and trust. It is similar to conventional <a href=\"https:\/\/hackernoon.com\/distroless-containers-hype-or-true-value-2rfl3wat\">distroless<\/a>, with a tool that is customized for slicing <code>.deb<\/code> packages.<\/p>\n<p>These images are <code>100MB<\/code> smaller than the Ubuntu images we&#8217;ve offered until now and don&#8217;t include a root user!<\/p>\n<p>We&#8217;re offering three layers of Chiseled Ubuntu container images, for Arm64 and x64, for .NET 6 and 7:<\/p>\n<ul>\n<li><code>mcr.microsoft.com\/dotnet\/nightly\/runtime-deps:6.0-jammy-chiseled<\/code><\/li>\n<li><code>mcr.microsoft.com\/dotnet\/nightly\/runtime:6.0-jammy-chiseled<\/code><\/li>\n<li><code>mcr.microsoft.com\/dotnet\/nightly\/aspnet:6.0-jammy-chiseled<\/code><\/li>\n<\/ul>\n<p>Note: The images will be offered in our <code>nightly<\/code> repos while the chiseled offering is in preview. We&#8217;ll make another announcement when they are supported in production. It will be sometime this year, but we haven&#8217;t picked a timeframe, since we&#8217;ve been focused on basic enablement.<\/p>\n<p>Canonical is also publishing Chiseled Ubuntu container images for .NET, that include the new APT packages, via Docker Hub:<\/p>\n<ul>\n<li>https:\/\/hub.docker.com\/r\/ubuntu\/dotnet-deps<\/li>\n<li>https:\/\/hub.docker.com\/r\/ubuntu\/dotnet-runtime<\/li>\n<li>https:\/\/hub.docker.com\/r\/ubuntu\/dotnet-aspnet<\/li>\n<\/ul>\n<p>Let&#8217;s take a look at the size win. All of the following sizes are uncompressed (on-disk, not registry\/wire size).<\/p>\n<p>First, the <code>runtime-deps<\/code> layer.<\/p>\n<ul>\n<li>Ubuntu 22.04 (Jammy): <code>112MB<\/code><\/li>\n<li>Chiseled Ubuntu 22.04 (Jammy): <code>12.9MB<\/code><\/li>\n<\/ul>\n<p>And on the other end of the spectrum, the <code>aspnet<\/code> layer.<\/p>\n<ul>\n<li>Ubuntu 22.04 (Jammy): <code>213MB<\/code><\/li>\n<li>Chiseled Ubuntu 22.04 (Jammy): <code>104MB<\/code><\/li>\n<\/ul>\n<p>That&#8217;s a truly amazing difference! The folks at Canonical have figured out how to drop 100MB of binaries and other content from these images. When we first started talking, we had no idea we&#8217;d be talking about this large of a difference!<\/p>\n<p>Close readers will notice that chiseled <code>aspnet<\/code> is smaller than the existing <code>runtime-deps<\/code> layer. That&#8217;s shockingly good.<\/p>\n<p>It&#8217;s reasonable to ask what <a href=\"https:\/\/alpinelinux.org\/\">Alpine<\/a> looks like. It&#8217;s a newer distro designed to be super small and componentized from the start. Alpine is <code>9.84MB<\/code> for <code>runtime-deps:6.0-alpine<\/code> and <code>100MB<\/code> for <code>aspnet:6.0-alpine<\/code>. Those are impressive numbers, again uncompressed. That&#8217;s the key reason why Alpine is so popular (and why we&#8217;ve published .NET images for it for years).<\/p>\n<p>Alpine is great (and we&#8217;re also <a href=\"https:\/\/pkgs.alpinelinux.org\/packages?name=dotnet*\">friends with those folks<\/a>), but it isn&#8217;t for everyone and every app since it uses <a href=\"http:\/\/musl.libc.org\/\">musl<\/a>, which is a different (and incompatible) <code>libc<\/code> variant. That&#8217;s only important if your app includes native libraries. If it doesn&#8217;t (and most .NET apps don&#8217;t), you don&#8217;t need to worry about this detail. The .NET product itself is happy running with either <code>musl<\/code> or <a href=\"https:\/\/www.gnu.org\/software\/libc\/\"><code>glibc<\/code><\/a> and every PR on <a href=\"https:\/\/github.com\/dotnet\/runtime\">dotnet\/runtime<\/a> tests for both.<\/p>\n<p>Putting this in perspective, this is really great news if you use Ubuntu for development and always wished for a small Ubuntu to deliver into production. You now have a straightforward path from dev box to cloud without any distro-compatibility surprises. It&#8217;s amazing (and quite surprising) to see Ubuntu in the same ballpark as Alpine. Kudos to the Canonical folks on a great engineering accomplishment.<\/p>\n<p>It&#8217;s also worth mentioning that <a href=\"https:\/\/www.chainguard.dev\/\">Chainguard<\/a> is looking at <a href=\"https:\/\/blog.chainguard.dev\/minimal-container-images-towards-a-more-secure-future\/\">minimal container images towards a secure future<\/a>. That project is run out of the <a href=\"https:\/\/github.com\/distroless\">distroless<\/a> GitHub org. We&#8217;re watching that project and glad to see more interest in small and more secure container images. We believe that minimal + non-root container images are the future.<\/p>\n<p>Like our <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/1297d21bbf695bcb87580bea2ccefdced894eeeb\/src\/runtime-deps\/3.1\/alpine3.16\/amd64\/Dockerfile#L19-L20\">Alpine images<\/a>, we&#8217;ve chosen not to include <a href=\"https:\/\/icu.unicode.org\/\">ICU<\/a>. It would likely double the size of the image. That means that we&#8217;ve enabled <a href=\"https:\/\/github.com\/dotnet\/runtime\/blob\/main\/docs\/design\/features\/globalization-invariant-mode.md\">globalization invariant mode<\/a>. For some apps, that&#8217;s fine, and the size win is great. For others, it is a deal breaker. We may need to adjust this part of the plan depending on the feedback. We&#8217;ve <a href=\"https:\/\/github.com\/ubuntu-rocks\/dotnet\/issues\/21\">documented the pattern<\/a> to add ICU into your images.<\/p>\n<p>Let me demo these images a bit to drive the point home on how (intentionally) limited these images are.<\/p>\n<pre><code class=\"language-bash\">% docker run --rm mcr.microsoft.com\/dotnet\/nightly\/runtime-deps:6.0-jammy-chiseled-amd64\r\ndocker: Error response from daemon: No command specified.\r\nSee 'docker run --help'.<\/code><\/pre>\n<p>Let&#8217;s try again.<\/p>\n<pre><code class=\"language-bash\">% docker run --rm mcr.microsoft.com\/dotnet\/nightly\/runtime-deps:6.0-jammy-chiseled-amd64 bash\r\ndocker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: \"bash\": executable file not found in $PATH: unknown.<\/code><\/pre>\n<p>Huh? What&#8217;s up? They don&#8217;t work! That&#8217;s the point. These are appliance-like container images. They are stripped down to the minimum. They are only intended to do what you design them to do. That&#8217;s the aspect that makes them more secure. If this experience is uncomfortable, you can always use the regular Ubuntu images. We&#8217;ll continue to offer them. They are not going away.<\/p>\n<div>\n<div>For the runtime and aspnet images, we decided to use dotnet &#8211;info as the ENTRYPOINT to make the experience a little more friendly and useful.<\/div>\n<\/div>\n<div><\/div>\n<div>\n<pre class=\"prettyprint\">% docker run --rm mcr.microsoft.com\/dotnet\/nightly\/runtime:6.0-jammy-chiseled        \r\n\r\nglobal.json file:\r\n  Not found\r\n\r\nHost:\r\n  Version:      6.0.8\r\n  Architecture: arm64\r\n  Commit:       55fb7ef977\r\n\r\n.NET SDKs installed:\r\n  No SDKs were found.\r\n\r\n.NET runtimes installed:\r\n  Microsoft.NETCore.App 6.0.8 [\/usr\/share\/dotnet\/shared\/Microsoft.NETCore.App]\r\n\r\nDownload .NET:\r\n  https:\/\/aka.ms\/dotnet-download\r\n\r\nLearn about .NET Runtimes and SDKs:\r\n  https:\/\/aka.ms\/dotnet\/runtimes-sdk-info<\/pre>\n<\/div>\n<p>We&#8217;re not offering a chiseled SDK image. It wasn&#8217;t obvious that there was a strong need. In fact, a chiseled SDK image could be hard to use for some scenarios. You can continue to use the existing Jammy SDK image: <code>mcr.microsoft.com\/dotnet\/sdk:6.0-jammy<\/code>. If there is a need for a chiseled SDK image, we&#8217;ll be happy to reconsider.<\/p>\n<h2>Using chiseled container images<\/h2>\n<p>For most apps, there won&#8217;t be any notable difference in using these new container images, in terms of what your <code>Dockerfile<\/code> looks like.<\/p>\n<p>We made updated our samples to use these new containers images:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/dotnetapp\/Dockerfile.chiseled\">dotnetapp<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/aspnetapp\/Dockerfile.chiseled\">aspnetapp<\/a><\/li>\n<\/ul>\n<p>I&#8217;ll show you how easy this is with <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/dotnetapp\/Dockerfile.chiseled\">dotnetapp<\/a>.<\/p>\n<p>The Dockerfile is barely different.<\/p>\n<pre><code class=\"language-dockerfile\">FROM mcr.microsoft.com\/dotnet\/sdk:7.0-jammy AS build\r\nWORKDIR \/source\r\n\r\n# copy csproj and restore as distinct layers\r\nCOPY *.csproj .\r\nRUN dotnet restore --use-current-runtime\r\n\r\n# copy and publish app and libraries\r\nCOPY . .\r\nRUN dotnet publish -c Release -o \/app --use-current-runtime --self-contained false --no-restore\r\n\r\n# final stage\/image\r\nFROM mcr.microsoft.com\/dotnet\/nightly\/runtime:7.0-jammy-chiseled\r\nWORKDIR \/app\r\nCOPY --from=build \/app .\r\nENTRYPOINT [\"dotnet\", \"dotnetapp.dll\"]<\/code><\/pre>\n<p>Only the final <code>FROM<\/code> statement really differs from our standard <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/dotnetapp\/Dockerfile.ubuntu-x64\">Ubuntu Dockerfile<\/a>.<\/p>\n<p>I&#8217;ll now build the sample:<\/p>\n<pre><code class=\"language-bash\">rich@MacBook-Air-2 dotnetapp % pwd\r\n\/Users\/rich\/git\/dotnet-docker\/samples\/dotnetapp\r\nrich@MacBook-Air-2 dotnetapp % docker build -t dotnetapp-chiseled -f Dockerfile.chiseled .\r\nrich@MacBook-Air-2 dotnetapp % docker images | grep dotnetapp-chiseled\r\ndotnetapp-chiseled                 latest      bf7e125bd182   20 seconds ago   90.5MB<\/code><\/pre>\n<p>Note: I didn&#8217;t use any .NET trimming features. Certainly, this image could be made smaller.<\/p>\n<p>Let&#8217;s launch the container:<\/p>\n<pre><code class=\"language-bash\">rich@MacBook-Air-2 dotnetapp % docker run --rm dotnetapp-chiseled\r\n         42\r\n         42              ,d                             ,d\r\n         42              42                             42\r\n ,adPPYb,42  ,adPPYba, MM42MMM 8b,dPPYba,   ,adPPYba, MM42MMM\r\na8\"    `Y42 a8\"     \"8a  42    42P'   `\"8a a8P_____42   42\r\n8b       42 8b       d8  42    42       42 8PP\"\"\"\"\"\"\"   42\r\n\"8a,   ,d42 \"8a,   ,a8\"  42,   42       42 \"8b,   ,aa   42,\r\n `\"8bbdP\"Y8  `\"YbbdP\"'   \"Y428 42       42  `\"Ybbd8\"'   \"Y428\r\n\r\n.NET 7.0.0-preview.7.22375.6\r\nLinux 5.10.104-linuxkit #1 SMP PREEMPT Thu Mar 17 17:05:54 UTC 2022\r\n\r\nOSArchitecture: Arm64\r\nProcessorCount: 4\r\nTotalAvailableMemoryBytes: 3.83 GiB<\/code><\/pre>\n<p>And then, let&#8217;s try to break in:<\/p>\n<pre><code class=\"language-bash\">rich@MacBook-Air-2 dotnetapp % docker run --rm --entrypoint bash dotnetapp-chiseled\r\ndocker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: \"bash\": executable file not found in $PATH: unknown.\r\nrich@MacBook-Air-2 dotnetapp % docker run --rm --entrypoint apt  dotnetapp-chiseled install -y bash curl\r\ndocker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: \"apt\": executable file not found in $PATH: unknown.<\/code><\/pre>\n<p>My &#8220;red team&#8221; skills are failing me. Note that <code>docker exec<\/code> would have the same result.<\/p>\n<p>I&#8217;ll now describe chiseled images in a bit more detail now that you&#8217;ve seen them in action.<\/p>\n<h2>Chiseled Ubuntu Containers<\/h2>\n<p>Chiseled Ubuntu Containers are the Canonical take on the distroless concept, originally <a href=\"https:\/\/github.com\/GoogleContainerTools\/distroless\">popularized by Google<\/a>. With the original implementation, a distro is stripped bare and only necessary packages are installed. Chiseling takes this one step forward by <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/fd39ea3eece8c8653348a717446ac41e93633784\/src\/runtime-deps\/6.0\/jammy-chiseled\/arm64v8\/Dockerfile#L29-L36\">installing only the directories and files in each package that are necessary<\/a>.<\/p>\n<p>The other challenge with the original implementation was that it wasn&#8217;t necessarily supported by any party. Chiseled Ubuntu Containers are a first-class Canonical deliverable. That means you can use ultra-small container images and be supported as a Canonical customer.<\/p>\n<p>Hats off to Google for getting us all started down this path.<\/p>\n<p>As stated earlier, there is a lot of value to this approach:<\/p>\n<ul>\n<li>Ultra-small images (reduced size and attack surface)<\/li>\n<li>No package manager (avoids a whole class of attacks)<\/li>\n<li>No shell (avoids a whole class of attacks)<\/li>\n<\/ul>\n<p>Chiseled Ubuntu Containers are currently in preview. We&#8217;ll make a separate announcement when they are stable and supported in production.<\/p>\n<h2>Non-root images<\/h2>\n<p>We&#8217;ve <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/fd39ea3eece8c8653348a717446ac41e93633784\/src\/runtime-deps\/6.0\/jammy-chiseled\/arm64v8\/Dockerfile#L13-L26\">configured all of the new .NET Chiseled Ubuntu Containers<\/a> with a <a href=\"https:\/\/stackoverflow.com\/questions\/59840450\/rootless-docker-image\">non-root<\/a> user. The images do not include the <code>root<\/code> user or include root-elevating commands like <code>sudo<\/code> or <code>su<\/code>. That means that it is not possible to exercise capabilities and operations that require <code>root<\/code>.<\/p>\n<p>Non-root images are an additional security mitigation beyond removing a shell (like <code>bash<\/code>). Non-root images are logically separate and complementary to running a <a href=\"https:\/\/docs.docker.com\/engine\/security\/rootless\/\">daemon as rootless<\/a>. Every <a href=\"https:\/\/seclists.org\/oss-sec\/2019\/q1\/119\">reduction in privilege helps<\/a>.<\/p>\n<p>If you need access to privileged resources, you can add the <code>root<\/code> user within your <code>Dockerfile<\/code>. You are not prevented from that, but then that&#8217;s a specific security decision you&#8217;d be making.<\/p>\n<p>Chiseled images are appliance-like and are not general-purpose. We felt that they offered us an opportunity to <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/issues\/2249\">finally deliver non-root images<\/a>. That&#8217;s informing our policy going forward. Appliance-like images will be delivered as non-root and general-purpose ones will be delivered as per the policy of the base image (which might be configured with the <code>root<\/code> user). However, this project with Canonical has inspired us to look at a middle-ground option, of <a href=\"https:\/\/github.com\/dotnet\/designs\/pull\/271\">offering non-root-capable images<\/a>.<\/p>\n<h2>Secure supply chain<\/h2>\n<p>Canonical already has secure processes in place for directly delivering Ubuntu Virtual Machine images to Azure for customers to use. It occurred to us that Canonical could do the same thing with the Ubuntu container base images that we use to build Ubuntu-based .NET images (regular and Chiseled). That&#8217;s what we&#8217;re now using, instead of pulling from Docker Hub. We now have what&#8217;s effectively a zero-distance supply chain for all Canonical assets with known custody\/provenance throughout.<\/p>\n<p>We&#8217;re doing something similar with sharing <a href=\"https:\/\/www.cve.org\/\">CVE<\/a> fixes. We have a shared private <a href=\"https:\/\/github.com\/dotnet\/source-build\/issues\/2956\">virtual mono repo<\/a> for sharing monthly patches. It&#8217;s also shared with Red Hat. It means we can work together on getting the correct fixes in place at the right time in a coordinated way.<\/p>\n<p>.NET container images are not yet signed, but that&#8217;s coming relatively soon. We&#8217;re regularly working to improve our security-focused capabilities.<\/p>\n<h2>Support<\/h2>\n<p>Canonical and Microsoft have been working together to give you a better experience. This includes support. You can report issues in the familiar .NET repos like <a href=\"https:\/\/github.com\/dotnet\/core\">dotnet\/core<\/a> and <a href=\"https:\/\/github.com\/dotnet\/runtime\">dotnet\/runtime<\/a>. If you want commercial support, you should <a href=\"https:\/\/ubuntu.com\/security\/docker-images\">start with Canonical support<\/a>. Canonical is the best position to support Ubuntu packages. Canonical may contact Microsoft to assist with resolving issues, as needed.<\/p>\n<p>Security researchers that find vulnerabilities in Canonical-provided .NET packages are still eligible for the <a href=\"https:\/\/www.microsoft.com\/msrc\/bounty-dot-net-core\">Microsoft .NET Bounty Program<\/a>.<\/p>\n<p>Microsoft continues to maintain .NET packages in its <a href=\"https:\/\/docs.microsoft.com\/dotnet\/core\/install\/linux\">packages.microsoft.com<\/a> feed for Ubuntu and we intend to continue that going forward. For most users, we recommend using the <code>dotnet6<\/code> packages that come with Ubuntu Jammy+. That&#8217;s what I&#8217;ll be doing. It&#8217;s also the same guidance we have for Red Hat users.<\/p>\n<blockquote><p>Note: Please checkout this <a href=\"https:\/\/github.com\/dotnet\/core\/issues\/7699\">advisory on using <code>packages.microsoft.com<\/code> on Ubuntu 22.04<\/a> now that .NET 6 is included in Ubuntu.<\/p><\/blockquote>\n<p>There are two main reasons to continue to use the Microsoft packages:<\/p>\n<ul>\n<li>You specifically want .NET builds from Microsoft, not any other vendor.<\/li>\n<li>The Microsoft packages target later .NET SDK feature bands (like <code>6.0.4xx<\/code>) while source-build tracks <code>6.0.1xx<\/code>. That&#8217;s more relevant for Windows users, but might be important for some Linux users.<\/li>\n<\/ul>\n<p>The new packages are available for .NET 6+ and Ubuntu 22.04+. Previous .NET and Ubuntu versions are not supported (with the new packages). You must use the existing <code>packages.microsoft.com<\/code> feed to use .NET on earlier Ubuntu versions. Separately, earlier .NET versions are not supported on Ubuntu 22.04 because they do not support OpenSSL v3.<\/p>\n<h2>What&#8217;s Next?<\/h2>\n<p>We have identified a number of <a href=\"https:\/\/github.com\/dotnet\/source-build\/issues\/2911\">opportunities to make it easier for Canonical to consume .NET source<\/a>. We&#8217;re going to focus on those in the immediate term. These improvements will also benefit other users who build and distribute .NET from source.<\/p>\n<p>We recently setup a distro-maintainer group for .NET. Canonical is a member of that group. We have already started discussing <a href=\"https:\/\/github.com\/dotnet\/source-build\/issues\/2911\">potential source-build improvements<\/a> within that forum. Other distros (that build .NET from source) are welcome to join. Contact dotnet@microsoft.com for more information.<\/p>\n<p>Canonical is starting out with support for x64 and will quickly add .NET packages for Arm64. It&#8217;s an exciting time in the industry with multiple mainline chip architectures to support. Ubuntu and .NET both have a long history of supporting multiple architectures.<\/p>\n<h2>Closing<\/h2>\n<p>.NET has been open source for just over 5 years now. A partnership with Canonical was felt out of grasp during the early days of our project on GitHub. We&#8217;ve learned a lot about how to structure an OSS project so that it is a candidate for inclusion in a Linux distro. This is thanks to our <a href=\"https:\/\/docs.microsoft.com\/dotnet\/core\/install\/linux#official-package-archives\">other partners<\/a> who have taught us a lot, particularly <a href=\"https:\/\/packages.fedoraproject.org\/search?query=dotnet\">Fedora<\/a> and <a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/net\/6.0\">Red Hat<\/a>. Looking back, it is easy to see that open source, trust, and industry relationships are even more important now than they were when we started. We&#8217;re excited and honored to be working with Canonical.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>.NET 6 is now included in Ubuntu 22.04 (Jammy) and can be installed with just apt install dotnet6. This change is a major improvement and simplification for Ubuntu users.  We&#8217;re also releasing .NET with Chiseled Ubuntu Containers, a new small and secure container offering from Canonical. These improvements are the result of a new partnership between Canonical and Microsoft.<\/p>\n","protected":false},"author":1312,"featured_media":41642,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[685,7509,7237],"tags":[57,92,7663],"class_list":["post-41598","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dotnet","category-aspnetcore","category-containers","tag-containers","tag-linux","tag-ubuntu"],"acf":[],"blog_post_summary":"<p>.NET 6 is now included in Ubuntu 22.04 (Jammy) and can be installed with just apt install dotnet6. This change is a major improvement and simplification for Ubuntu users.  We&#8217;re also releasing .NET with Chiseled Ubuntu Containers, a new small and secure container offering from Canonical. These improvements are the result of a new partnership between Canonical and Microsoft.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/41598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/1312"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=41598"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/41598\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/41642"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=41598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=41598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=41598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}