Chiseled distribution containers are a new class of ultra-thin, hardened container images designed to improve security and reduce the attack surface. The 8.0-jammy-chiseled container, based on Ubuntu 22.04 "Jammy Jellyfish", strips away unnecessary components, making it a lean and secure choice for running .NET applications.

Distroless containers are lightweight container images that do not contain a traditional Linux distribution. Unlike standard container images, which typically include package managers, shells, and utilities, distroless images only include the necessary runtime and system libraries to run an application.

Introduction

Chiseled containers do not include a package manager, which reduces supply chain risks by preventing additional package installations inside the container. By default, they run as a non-root user, which improves security and minimizes the risk of privilege escalation attacks. These containers are also optimized for size and performance, containing only essential binaries, resulting in faster boot times and lower memory usage. They also lack a shell and have minimal dependencies, significantly reducing the attack surface and making them more resistant to exploits.

There are two key factors that affect container size: the base image for framework-dependent applications, and the publishing options (self-contained, trimmed) for standalone applications.

Trimmed ASP.NET images provide significant size reductions; the smallest, the "composite" variant, goes further by compiling parts of the .NET runtime and framework together into one optimized image. For self-contained applications, trimming removes unused .NET libraries, resulting in even smaller images.

The following slide from Microsoft shows the improvements in the size of the container.

(Slide: Container sizes)

Chiseled Containers

Because the mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled container does not include a package manager, additional dependencies cannot be easily installed at run time. This design choice enhances security and ensures immutability, but it also means that any required libraries must be present in the container or included as part of the application deployment.

Missing System Libraries

Most minimal container images provide all the necessary components to run .NET and TX Text Control without modification. However, this particular Chiseled image is more stripped down than usual and lacks certain common system libraries. One notable example is the gconv library, which is typically available on most Linux distributions. Since gconv is missing from this image, applications that rely on it must manually include it, either by using a multi-stage build process to copy it from another image, or by using a custom base image that includes the required libraries.

The gconv (GNU Conversion) library is part of the GNU C Library (glibc) and is responsible for character set conversion on Linux systems. It allows applications to convert text between different encodings, such as UTF-8, ISO-8859-1, UTF-16, and more. This is essential for software that needs to handle different languages and character sets, ensuring compatibility across systems with different locale settings. The gconv modules are not present in this specific image, but TX Text Control depends on them.

Multi-Stage Build Process

The following multi-stage Dockerfile can be used to add the gconv modules to the chiseled image.

# Multi-stage Dockerfile for .NET 8.0 Web App with gconv support
# --- Stage 1: Extract gconv modules from a full Ubuntu image ---
FROM ubuntu:22.04 AS builder
# Install glibc to obtain the necessary gconv modules
RUN apt-get update && apt-get install -y libc-bin \
&& mkdir -p /gconv \
&& cp -r /usr/lib/x86_64-linux-gnu/gconv /gconv/
# --- Stage 2: Base Image (Used for Debug Mode) ---
FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled AS base
# Copy extracted gconv modules from the builder stage
COPY --from=builder /gconv/gconv /usr/lib/gconv
# Set environment variable for gconv module path
ENV GCONV_PATH=/usr/lib/gconv
# --- Stage 3: Final Production Image ---
FROM base AS final
# Set working directory
WORKDIR /app
# Copy the published application from the build output
COPY bin/Release/net8.0/publish/linux-x64/ .
# Define the entry point for the application
ENTRYPOINT ["dotnet", "tx_beta11.dll"]

The first stage uses a full Ubuntu distribution where the required files are available. The gconv modules are copied from it into the base stage, from which the final stage is derived, so they are also present in the final container.

After building the container, the gconv library is available and TX Text Control can be used without any issues.
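Because the chiseled image has no shell, there is no way to list /usr/lib/gconv inside the running container. The following startup probe is an added example (not code from the original post or from TX Text Control): it asks glibc's iconv, via P/Invoke, whether each conversion can be opened, which is exactly the call that fails when the gconv modules are missing. The class name and the list of charset pairs are assumptions; replace the list with the encodings your application actually uses.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

// Startup probe for a .NET app in the chiseled image: asks glibc's iconv
// whether each required conversion can be opened. iconv_open() returns
// (iconv_t)-1 with errno == EINVAL when the gconv module for a charset
// cannot be found in GCONV_PATH or the default gconv directory.
public static class GconvProbe
{
    [DllImport("libc", SetLastError = true)]
    private static extern IntPtr iconv_open(string tocode, string fromcode);

    [DllImport("libc")]
    private static extern int iconv_close(IntPtr cd);

    private const int EINVAL = 22;   // errno value on Linux

    // Assumed sample list; substitute the encodings your application needs.
    public static readonly (string From, string To)[] Required =
    {
        ("UTF-8", "ISO-8859-1"),  // served by ISO8859-1.so in the gconv directory
        ("UTF-8", "CP1252"),      // served by CP1252.so
        ("UTF-8", "UTF-16LE"),    // built into libc, works even without modules
    };

    // Returns a description of every conversion that could not be opened.
    public static List<string> FindMissing()
    {
        var missing = new List<string>();
        if (!OperatingSystem.IsLinux()) return missing;   // glibc-specific check

        foreach (var (src, dst) in Required)
        {
            IntPtr cd = iconv_open(dst, src);
            if (cd == new IntPtr(-1))
            {
                int errno = Marshal.GetLastPInvokeError();
                string why = errno == EINVAL ? "no gconv module" : $"errno {errno}";
                missing.Add($"{src} -> {dst} ({why})");
            }
            else
            {
                iconv_close(cd);
            }
        }
        return missing;
    }
}
```

Call GconvProbe.FindMissing() in Program.cs before the host starts and exit non-zero when the list is not empty, logging the GCONV_PATH value alongside it so the container log shows which directory was searched; an image built without the multi-stage copy then fails fast instead of serving requests with a broken text pipeline.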

Conclusion

Chiseled distribution containers are a new class of ultra-thin, hardened container images designed to improve security and reduce the attack surface. The 8.0-jammy-chiseled container, based on Ubuntu 22.04 "Jammy Jellyfish", strips away unnecessary components, making it a lean and secure choice for running .NET applications. However, it lacks certain common system libraries, such as gconv, which are required by some applications. By using a multi-stage build process, developers can add these missing libraries to the container, ensuring compatibility with a wider range of software.