Optimize Container Images for .NET Applications

Transcript

1. OPTIMIZE CONTAINER IMAGES FOR .NET APPLICATIONS Basta 2023

2. AGENDA § Why should developers care about optimizing container images?

   § Configure .NET applications § Build container images § Container Security § Multi-architecture images

3. ABOUT ME Daniel Lindemann Enthusiastic .NET developer and consultant with

   a strange love for optimising, automating and containerising applications. What I do: § Microsoft Azure § Cloud-native & Serverless architectures § Container technologies § DevOps - Dev at night, Ops by day E-Mail: [email protected] Web: https://www.dlindemann.de LinkedIn: https://linkedin.com/in/daniel-lindemann

4. Why should developers care about optimizing container images?

5. THE WHY Why should developers care about optimizing container images?

   § Application architecture § Monoliths § Service-oriented § Microservices § Faster deployment and improved scalability § Reduced bandwidth usage § Shift security left § Cost savings

6. Configure .NET applications

7. APPLICATION OPTIMIZATION Know the source Optimizing container images starts with

   optimizing the application

8. CONFIGURE .NET APPLICATIONS 12 factor app - Configuration § App

   configurations vary between environments (Development, Staging, Production) § Connections to databases § Connections to backing services § Credentials for accessing external services § Do not hard-code configurations § Allows the separation of code and config § Prevent pushing sensitive information to version control system § Use environment variables to configure you application § Allows to overwrite default configuration values § Language- and OS-agnostic § It’s fine to have a large set of configuration parameters

9. CONFIGURE .NET APPLICATIONS 12 factor app - Configuration in ASP.NET

   § Configure your application via appsettings.json § Set the basis of the application’s configuration § Configuration values can easily be injected and verified via OptionsBuilder and IOptions interface § Allows environment specific configurations § During development use User Secrets to store sensitive information § Store information only on your machine § No change to appsettings.json required § HostBuilder reads environment variables § Overwrite app settings via environment variables § WebApplication.CreateBuilder() loads configurations from different resources (HostApplicationBuilder Constructor (Microsoft.Extensions.Hosting) | Microsoft Learn)

10. CONFIGURE .NET APPLICATIONS 12 factor app - Port Binding §

    The app is completely self-contained § Application binds to a port and can receive requests § Application access can be configured Example: § During development, the developer will access the application via http://localhost:1234 § In production the application hosting could be reconfigured § Maybe Port 1234 is already in use § Maybe app runs behind a load balancer or reverse proxy

11. CONFIGURE .NET APPLICATIONS 12 factor app - Port Binding ASP.NET

    § ASP.NET uses Kestrel to serve web application projects § Kestrel is included in the .NET assembly § Kestrel can be configured using the Kestrel-Options § Options can be set within appsettings.json § Configure options for the ASP.NET Core Kestrel web server | Microsoft Learn § Kestrel and application hosting configuration can be overwritten using environment variables § Use ASPNETCORE_URLS to set the url of the application § Use Kestrel__Certificates__Default__Path and Kestrel__Certificates__Default__Password to configure SSL/TLS certificates

12. CONFIGURE .NET APPLICATIONS 12 factor app - Logs § ASP.NET

    allows the configuration of logging § Configure via Logging property in appsettings.json § Log settings can be overwritten via environment variables § Implement logging best practices for containers § Always log to console (STDOUT) § Use JSON format for logging § You can also use logging frameworks like Serilog or log4net

13. Build container images

14. CONTAINER IMAGE Why should container images be small? § Performance

    and efficiency § Small images make the moving faster (push/pull) § Improves the performance of the build and deployment § Security § Smaller image have less libraries and tools § Reduces the attack surface § Maintainability § Installing dependencies to a small base image gives you control over the dependency § Modifying dependencies becomes more easy

15. IMAGE SIZE ASP.NET Default Image

16. IMAGE SIZE ASP.NET Default Image The default image used is

    based on Debian Linux

17. IMAGE SIZE Reduce image size - Use Alpine base image

    § Alpine is a very small distro § Tools and libraries for debugging could be missing § Fast and easy change

18. § Trim application dependencies to a subset of the framework

    § Possible to publish the application as single file § Use alpine for best effort § Complex changes in Dockerfile IMAGE SIZE Reduce image size - Self containing .NET application

19. IMAGE SIZE Future with Ubuntu chiseled images § Distroless base

    images powered by Ubuntu § Previews available § .NET 7 nightly images § .NET 8 RC 1 § Features § Ultra-small size, which reduces the potential attack surface § No package manager or shell installed § Uses a non-root user by default Using .NET with Chiseled Ubuntu Containers | .NET Conf 2022 - YouTube

20. LINTING Container Image Best Practices § Analyze images against well-known

    best practices § Prevents developers to use anti-patterns § Enforce security best practices § Tools § Dockle (goodwithtech/dockle: Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start (github.com)) § Hadolint (hadolint/hadolint: Dockerfile linter, validate inline bash, written in Haskell (github.com)) § Hadolint VS Code Extension (hadolint - Visual Studio Marketplace)

21. BASE IMAGES Know the source Use trusthworthy images

22. DEMO Application configuration Docker image Image best practices

23. Container Security

24. CONTAINER SECURITY Attack surfaces of container applications § Container Host

    § Base Image § Application Image § Application § OWASP vulnerabilities § Outdated/vulnerable dependecies

25. SECURITY OPTIMIZATIONS Remove unused tools and libraries § Use a

    small image § Small images will not contain many distro tools § Minimizes attack vector § Most tools are not required to run your application

26. SECURITY OPTIMIZATIONS Run application as non-root § Restrict application execution

    to specific non-root user § Not allowed to install tools (e.g., via apt-get) § Not allowed to execute privileged scripts § Not allowed to adjust permissions § Not allowed to bind privilege ports § The non-root user will be restricted, even if the container itself is privileged § Container Compliance § CIS (Center for Internet Security) § NIST (National Institute of Standards and Technology) § Run the application as a specific user RUN adduser -u 5678 --disabled-password --gecos "" appuser && chown -R appuser /app USER appuser

27. RUN SECURE CONTAINERS Read-only file system § No changes to

    file system allowed § Prohibit attackers to download scripts (e.g. with curl) § Configurable for container execution § How to apply § Kubernetes: Set readOnlyRootFilesystem: true in yaml-Manifest § Docker: Run container with option --read-only § Warning: Some applications or dependencies need to write to the file system § E.g., for temp files, lock files § Solution: Use temporary file system (tmpfs, Docker) or ephemeral volumes (emptyDir, Kubernetes)

28. VULNERABILITY SCANNING Check for vulnerabilities § Risk Mitigation: Identify security

    risks before deploying to production § Early Detection: Catch vulnerabilities at an early stage of development § Third-Party Component Analysis: Get insights into the security of dependencies § Improved Security Hygiene: Encourages a culture of security awareness § Tools § Trivy (aquasecurity/trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more (github.com)) § Claire (quay/clair: Vulnerability Static Analysis for Containers (github.com)) § Snyk (Container vulnerability management and Kubernetes workload security | Snyk) § Docker Scout, Early access (Container Security Monitoring for Developers | Docker)

29. § Targets § Container Images § Filesystem § Kubernetes §

    and many more … § Scanners § OS packages and software dependencies in use (SBOM) § Known vulnerabilities (CVEs) § IaC issues and misconfigurations § Sensitive information and secrets § Software licenses VULNERABILITY SCANNING Trivy

30. VULNERABILITY SCANNING Resolve vulnerabilities in images § Check for updates

    of the base image § Use another base image with less depedencies § Use Copacetic to rectivy vulnerabilities § project-copacetic/copacetic: 🧵 CLI tool for directly patching container images using reports from vulnerability scanners (github.com)) § Use obtained knowledge to close gaps § Remove application dependencies § Update infrastructure (e.g., close firewall on port 22) § Run vulnerability checks frequently § Check images during CI/CD process § Many cloud providers have integrated vulnerability checks (e.g., Azure Container Registry)

31. SIGNING IMAGES Why signing container images § Integrity: Image downloaded

    matches image originally built § Non-repudiation: Be certained who created the image § Use well-known cryptographic signing mechanisms § Container registries supporting signed images § Docker Hub § Azure Container Registry § AWS Elastic Container Registry § Tools § Notation CLI (notaryproject/notation: A CLI tool to sign and verify artifacts (github.com)) § Sigstore Cosign (sigstore/cosign: Container Signing (github.com)) § Docker CLI Content Trust (Content trust in Docker | Docker Docs)

32. SIGNING IMAGES Notation § Notation CLI: Signing and verifying container

    images and OCI artifacts § Easy to use § Integration into CI/CD pipelines § Plugin system § Azure Key Vault (Azure/notation-azure-kv: Azure Provider for Notation CLI (github.com)) § AWS (Prerequisites for signing container images - AWS Signer (amazon.com))

33. SIGNING IMAGES Signing process Announcing Notation Azure Key Vault plugin

    v1.0 for signing container images (microsoft.com)

34. SIGNING IMAGES Policy awareness § Content Trust export DOCKER_CONTENT_TRUST=1 §

    Kubernetes policy configuration for singed images § Open Policy Agent § Kyverno

35. DEMO Run application as non-root Vulnerability scan Signing images

36. Multi-architecture images

37. MULTI-ARCHITECTURE IMAGES Advantages of multi-architecture images § Developers use different

    OS and architectures § ARM getting more popular § Performance benefits § Energy efficient § Cloud providers offer x64 and arm container environments § Azure Kubernetes Services § AWS Elastic Kubernetes Services

38. MULTI-ARCHITECTURE IMAGES Running Container Workloads x64 arm x64 arm docker

    buildx

39. MULTI-ARCHITECTURE IMAGES Ancient times - Not best practices! § Build

    an image for every platform § Dockerfile for every environment required § Building needs to be done individually for every environment § Requires a lot of maintenance § Tags required for multiple version of the same app § myapp:1.0.0-linux-x64 § myapp:1.0.0-linux-arm64 § myapp:1.0.0-windowsservercore-x64 § Create multi-arch manifest (optional) docker manifest create myapp:1.0.0 \ myapp:1.0.0-linux-x64 myapp:1.0.0-linux-arm64 myapp:1.0.0-windowsservercore-x64

40. MULTI-ARCHITECTURE IMAGES Nowadays multi-arch image Example: mcr.microsoft.com/dotnet/aspnet:7.0 architecture: amd64 os:

    linux architecture: arm os: linux variant: v7 architecture: arm64 os: linux architecture: amd64 os: windows os.version: 10.0.17763.4851 architecture: amd64 os: windows os.version: 10.0.20348.1970

41. MULTI-ARCHITECTURE IMAGES Use Docker Buildx § Docker Buildx is a

    tool to create multi-architecture images on the fly § Released in 2019 (included in Docker version 19.03) § Uses BuildKit to create images § Think of it as A single container image contains multiple versions of you application, each targeting a specific OS and architecture

42. MULTI-ARCHITECTURE IMAGES Configure buildx § Setting up a new builder

    docker buildx create --name mybuilder --platform linux/amd64,linux/arm64 --use § Check the new builder docker buildx inspect § Build multi-arch container docker buildx build --platform linux/amd64,linux/arm64 -t sample-app:1.0.0 . § Inspect multi-arch images docker buildx imagetools inspect sample-app:1.0.0

43. MULTI-ARCHITECTURE IMAGES Update DOCKERFILE for .NET applications § Use docker’s

    automatic platform args to configure platform and architecture settings § Dockerfile reference - Automatic platform ARGs in the global scope | Docker Docs § Set build platform FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:7.0 AS build § Add target architecture argument ARG TARGETARCH § Set architecture on dotnet build and publish RUN dotnet build "DotnetContainerOptimization.SampleApp.csproj" -c Release \ -a $TARGETARCH

44. DEMO Build multi-arch image

45. QUESTIONS?

46. Nehmen Sie Kontakt mit uns auf. www.abtis.d e +49 7231

    4431 - 100 [email protected] e abtis GmbH • Wilhelm-Becker-Straße 11b • 75179 Pforzheim © 2023 Alle Rechte vorbehalten. Dieses Dokument ist urheberrechtlich geschützt. Sämtliche Inhalte dienen der Dokumentation. Jede andere Nutzung, insbesondere die Weitergabe an Dritte, die Verbreitung oder die Bearbeitung, auch in Teilen, ist ohne schriftliche Einwilligung der abtis GmbH untersagt. Die verwendeten Firmen-, Marken- und Produktnamen und Warenzeichen sind eingetragene Markenzeichen oder Warenzeichen der jeweiligen Inhaber und werden hiermit anerkannt. Die abtis GmbH verfügt über mehr als 20 Jahre Erfahrung in der Planung und dem Betrieb von Microsoft Infrastrukturen und betreut bereits mehr als 100.000 Anwender:innen der Cloudplattformen Microsoft 365 und Azure. Ausgezeichnet als Microsoft Solutions Partner und MXDR Verified Partner mit 12 Advanced Specializations sind wir einer der wichtigsten Fokuspartner von Microsoft für den Mittelstand in Deutschland. Damit setzen wir ein starkes Zeichen als verlässlicher Partner und Vorreiter in der IT-Branche. Die abtis GmbH ist Teil der abtis Gruppe, die mit vier Tochterunternehmen und über 170 Mitarbeitenden ein fester Bestandteil der IT-Welt ist. Das Portfolio der abtis Gruppe umfasst die Kernthemen einer zukunftsorientierten IT: von Modern Workplace, über Datacenter, Security, Power Platform, Application Development, Industrial IoT, Adoption & Change Management bis hin zu Data & AI.

47. RESOURCES Links § daniellindemann/dotnet-container-optimization: Repository to show container optimizations for

    .NET applications (github.com) § Improving multi-platform container support - .NET Blog (microsoft.com)