- Show Program.cs
- Show configurations
  - Logging
  - Options configuration
  - Health probes
- Explain how to add the default Docker files
  - VS Code > Open command palette > Docker: Add Docker Files to Workspace...
- Show Dockerfile.default
  - Explain the multi-stage build (the SDK image restores, builds and publishes; the runtime image only carries the published output)
  - Explain what happens in each stage
- Build and run the default Docker container image
  - Build:
    docker build -t sample-app:1.0.0 -t sample-app:latest -f src/DotnetContainerOptimization.SampleApp/Dockerfile.default src/DotnetContainerOptimization.SampleApp
  - Run:
    docker run --rm -it -p 5108:5108 sample-app:1.0.0
  - Show it running
- Update configuration via environment variables (the .NET configuration provider maps __ to the : key separator, so Greetings__To overrides Greetings:To)
  - Run:
    docker run --rm -it -p 5108:5108 -e Greetings__To=guys sample-app:1.0.0
- Update the application host configuration (Kestrel) via ASPNETCORE_URLS; the port in the URL must match the container side of the -p mapping
  - Run:
    docker run --rm -it -p 5108:8222 -e ASPNETCORE_URLS=http://+:8222 -e Greetings__To='old grumpy cat' sample-app:1.0.0
- Compare Dockerfile.default with Dockerfile.alpine
  - Show the differences
- Build Dockerfile.default
  - Build:
    docker build -t sample-app:1.0.0 -t sample-app:latest -f src/DotnetContainerOptimization.SampleApp/Dockerfile.default src/DotnetContainerOptimization.SampleApp
- Build Dockerfile.alpine
  - Build:
    docker build -t sample-app-alpine:1.0.0 -t sample-app-alpine:latest -f src/DotnetContainerOptimization.SampleApp/Dockerfile.alpine src/DotnetContainerOptimization.SampleApp
- Show the size difference
  - Run:
    docker images | grep sample-app
- Show the further minimized self-contained image, Dockerfile.self-contained
  - Explain the Dockerfile
  - Build:
    docker build -t sample-app-self-contained:1.0.0 -t sample-app-self-contained:latest -f src/DotnetContainerOptimization.SampleApp/Dockerfile.self-contained src/DotnetContainerOptimization.SampleApp
  - Show the size differences:
    docker images | grep sample-app
  - Run:
    docker run --rm -it -p 5108:5108 sample-app-self-contained:1.0.0
- Show the best-practice findings for Dockerfile.alpine
  - Run:
    dockle sample-app-alpine:1.0.0
- Remove the findings
  - Enable Docker Content Trust (dockle CIS-DI-0005; this is a client-side setting, dockle only checks the variable):
    export DOCKER_CONTENT_TRUST=1
  - Add a HEALTHCHECK to Dockerfile.alpine and explain it (CIS-DI-0006)
  - Build the image again
  - Run dockle again
  - Run the application as non-root (CIS-DI-0001)
    - Show the user creation in Dockerfile.alpine
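The two Dockerfile changes above, as an added example that is not code from the DotnetContainerOptimization repo (the repo's Dockerfile.alpine is not shown on this page): the lines that clear dockle's CIS-DI-0001 (non-root user) and CIS-DI-0006 (HEALTHCHECK) findings, together with a small grep-based pre-check that mirrors what dockle flags, run against a constructed before/after Dockerfile. Assumptions: the app listens on port 5108, exposes a health endpoint at /healthz (the page only says Program.cs has health probes), and the alpine runtime image ships busybox wget (it does not ship curl).

```shell
#!/bin/sh
# Added example, not code from the DotnetContainerOptimization repo: the lines that
# clear the usual dockle findings on Dockerfile.alpine (CIS-DI-0001 non-root user,
# CIS-DI-0006 HEALTHCHECK), plus a grep-based pre-check that mirrors what dockle
# flags. Assumptions: the app listens on 5108, exposes a health endpoint at
# /healthz, and the alpine runtime image ships busybox wget (no curl).

# Constructed stand-in for the runtime stage of Dockerfile.alpine (not the repo's file).
runtime_stage_head() {
  cat <<'EOF'
FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine AS final
WORKDIR /app
COPY --from=publish /app/publish .
EOF
}

runtime_stage_entrypoint() {
  echo 'ENTRYPOINT ["dotnet", "DotnetContainerOptimization.SampleApp.dll"]'
}

# What gets added to remove the findings. Busybox adduser: -S system account,
# -H no home directory, -G primary group.
hardened_runtime_tail() {
  cat <<'EOF'
# CIS-DI-0001: the last USER instruction must not be root
RUN addgroup -S app && adduser -S -H -G app app
USER app
# CIS-DI-0006: tell the runtime when the app stops answering its health probe
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD wget -q --spider http://localhost:5108/healthz || exit 1
EOF
}

unhardened_dockerfile() { runtime_stage_head; runtime_stage_entrypoint; }
hardened_dockerfile()   { runtime_stage_head; hardened_runtime_tail; runtime_stage_entrypoint; }

# Minimal dockle-style checks on a Dockerfile read from stdin: one finding per
# line, nothing when the file passes. dockle inspects the built image (so it also
# sees USER/HEALTHCHECK inherited from the base image); this only reads the file.
lint_dockerfile() {
  df=$(cat)
  last_user=$(printf '%s\n' "$df" | grep -E '^USER[[:space:]]+' | tail -n 1 | awk '{print $2}')
  case "$last_user" in
    ""|root|0) echo "CIS-DI-0001 container runs as root (no USER, or USER root)" ;;
  esac
  printf '%s\n' "$df" | grep -qE '^HEALTHCHECK[[:space:]]' \
    || echo "CIS-DI-0006 no HEALTHCHECK instruction"
  printf '%s\n' "$df" | grep -qE '^FROM[[:space:]]+[^[:space:]]+:latest([[:space:]]|$)' \
    && echo "DKL-DI-0006 base image uses the latest tag"
  return 0
}

echo "== before =="; unhardened_dockerfile | lint_dockerfile
echo "== after  =="; hardened_dockerfile | lint_dockerfile
```

The HEALTHCHECK only helps if something acts on it: plain `docker run` just marks the container unhealthy, while orchestrators (and Docker Compose `depends_on: condition: service_healthy`) use it to restart or gate traffic; in Kubernetes the same endpoint is better wired to liveness/readiness probes.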
- Run trivy against the default image
  - Run:
    trivy image sample-app:1.0.0
  - Explain the findings (OS and library package CVEs with severity, installed and fixed version)
- Run trivy with severity HIGH and CRITICAL only
  - Run:
    trivy image sample-app:1.0.0 --severity HIGH,CRITICAL
- Show an image without any HIGH or CRITICAL CVE
  - Run:
    trivy image sample-app-alpine:1.0.0 --severity HIGH,CRITICAL
- Run trivy against the default image again (the baseline before patching)
  - Run:
    trivy image sample-app:1.0.0
- Run trivy to create a vulnerability scan report and copacetic (copa) to patch the image; --ignore-unfixed keeps only findings that have a fixed package version, which is what copa can apply
  - Run:
    trivy image --vuln-type os --ignore-unfixed -f json -o report.json sample-app:1.0.0
    copa patch -i sample-app:1.0.0 -r report.json
- Run trivy against the patched image (copa tags it sample-app:1.0.0-patched by default)
  - Run:
    trivy image sample-app:1.0.0-patched
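The trivy, copa, trivy sequence above as one gated script, added here as an example and not part of the repo: copa is only invoked when the report actually contains fixable OS findings, and the run fails if HIGH/CRITICAL findings survive the patch. The counting helpers are exercised against a constructed miniature of a trivy JSON report (placeholder CVE IDs, not real advisories). Assumptions: trivy and copa on PATH, copa's default output tag `<image>-patched`, and trivy's pretty-printed JSON layout with one `"VulnerabilityID"` key per finding line.

```shell
#!/bin/sh
# Added example, not part of the repo: the trivy -> copa -> trivy loop from the
# demo wrapped in a gate that only calls copa when the report holds fixable OS
# findings and that fails the run if HIGH/CRITICAL findings survive patching.
# Assumptions: trivy and copa on PATH, copa's default output tag <image>-patched,
# and trivy's pretty-printed JSON (one "VulnerabilityID" key per finding line).

scan_fixable_os() {            # $1 = image, $2 = report path
  # --ignore-unfixed: only findings with a FixedVersion, i.e. exactly what copa can patch
  trivy image --vuln-type os --ignore-unfixed -f json -o "$2" "$1"
}

count_findings() {             # $1 = report path; prints 0 when the report is clean
  grep -c '"VulnerabilityID"' "$1" || true
}

count_high_critical() {        # $1 = report path
  grep -cE '"Severity": *"(HIGH|CRITICAL)"' "$1" || true
}

patch_if_needed() {            # $1 = image, $2 = report path
  n=$(count_findings "$2")
  if [ "$n" -eq 0 ]; then
    echo "$1: no fixable OS vulnerabilities, nothing to patch"
    return 0
  fi
  echo "$1: $n fixable OS findings ($(count_high_critical "$2") HIGH/CRITICAL), patching"
  copa patch -i "$1" -r "$2"   # writes <image>-patched
}

verify_patched() {             # $1 = patched image; non-zero exit fails the pipeline
  trivy image --severity HIGH,CRITICAL --exit-code 1 "$1"
}

# Constructed miniature of a trivy JSON report (real ones carry many more fields;
# the CVE IDs are placeholders, not real advisories).
sample_report() {
  cat <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "sample-app:1.0.0",
  "Results": [
    {
      "Target": "sample-app:1.0.0 (debian 12.5)",
      "Class": "os-pkgs",
      "Type": "debian",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-0000-0001",
          "PkgName": "libexample1",
          "InstalledVersion": "1.0-1",
          "FixedVersion": "1.0-2",
          "Severity": "HIGH"
        },
        {
          "VulnerabilityID": "CVE-0000-0002",
          "PkgName": "libexample2",
          "InstalledVersion": "2.1-1",
          "FixedVersion": "2.1-3",
          "Severity": "MEDIUM"
        }
      ]
    }
  ]
}
EOF
}

# Full loop against a real image: ./scan-patch.sh --run sample-app:1.0.0
if [ "${1:-}" = "--run" ]; then
  image=${2:-sample-app:1.0.0}
  scan_fixable_os "$image" report.json
  patch_if_needed "$image" report.json
  verify_patched "$image-patched"
fi
```

copa only replaces OS packages, so anything trivy reports under the application's own dependencies (NuGet packages in the published output) is untouched by the patch and still shows up in the final verification; that is the point of re-scanning the patched image rather than trusting the patch step.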
- Ensure the local registry is running
- Run and explain the scripts
  - Add the image to the registry
    ./notation-add-image-to-local-registry.sh
  - Generate a test key and self-signed certificate
    ./notation-create-cert-self-signed.sh
  - Sign the container image
    ./notation-sign-image.sh
  - Create a trust policy to verify against
    ./notation-import-trust-policy.sh
  - Verify the image
    ./notation-verify-image.sh
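The sign, import policy, verify sequence the scripts perform, written out as an added example; this is not the content of the repo's notation-*.sh scripts, which the page does not show. The trust policy is generated from the image reference, because notation policies are scoped to repositories rather than tags. Assumptions: a local registry at localhost:5000 (notation talks plain HTTP to localhost), a test CA created with `notation cert generate-test` and named sample-app.io, and the notation CLI v1.x on PATH.

```shell
#!/bin/sh
# Added example (not the repo's notation-*.sh scripts): sign -> trust policy ->
# verify against a local registry, with the policy derived from the image reference.
# Assumptions: registry at localhost:5000, a test CA named sample-app.io created with
# `notation cert generate-test --default sample-app.io`, notation v1.x on PATH.

REGISTRY=${REGISTRY:-localhost:5000}
TRUST_STORE=${TRUST_STORE:-sample-app.io}

# Trust policies are scoped to repositories, not tags: strip the tag or digest.
registry_scope() {            # $1 = image reference
  ref=${1%%@*}                # drop @sha256:... if present
  last=${ref##*/}             # last path component carries the tag
  case "$ref" in
    */*) echo "${ref%/*}/${last%%:*}" ;;   # keep host:port, strip :tag
    *)   echo "${ref%%:*}" ;;
  esac
}

# Strict policy: every verification of this repository must find a signature
# whose certificate chains to the named trust store. "*" accepts any identity in
# that store; tighten to "x509.subject: CN=..." once the signing cert is known.
trust_policy_json() {         # $1 = repository scope, $2 = trust store name
  cat <<EOF
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "$2-images",
      "registryScopes": [ "$1" ],
      "signatureVerification": { "level": "strict" },
      "trustStores": [ "ca:$2" ],
      "trustedIdentities": [ "*" ]
    }
  ]
}
EOF
}

sign_and_verify() {           # $1 = image reference in the local registry
  notation sign "$1"
  trust_policy_json "$(registry_scope "$1")" "$TRUST_STORE" > trustpolicy.json
  notation policy import --force trustpolicy.json
  notation verify "$1"        # resolves the tag to a digest and checks the signature
}

# Usage: ./notation-flow.sh --run localhost:5000/sample-app:1.0.0
if [ "${1:-}" = "--run" ]; then
  sign_and_verify "${2:-$REGISTRY/sample-app:1.0.0}"
fi
```

`notation verify` on a tag first resolves it to a digest and verifies the signature attached to that digest, so a re-pushed tag with different content fails verification until it is signed again; verifying by digest in deployment manifests removes that window entirely.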
- (Optional) Show image signing and verification with Azure Key Vault and Azure Container Registry
  - Ensure the required Azure infrastructure
    - Run azuredeploy.sh
  - Explain notation-azure-keyvault-sign-image.sh
  - Run notation-azure-keyvault-sign-image.sh
- Create a builder
  docker buildx create --name mybuilder --platform linux/amd64,linux/arm64 --use
- Check the new builder
  docker buildx inspect
- Build a multi-arch image from Dockerfile.default-multi-arch (without --push, or --load for a single platform, the result only stays in the builder cache)
  docker buildx build --platform linux/amd64,linux/arm64 -t sample-app:1.0.0 -f ./src/DotnetContainerOptimization.SampleApp/Dockerfile.default-multi-arch ./src/DotnetContainerOptimization.SampleApp
- Build and push to ACR
  - Ensure the required Azure infrastructure
    - Run azuredeploy.sh
  - Login to ACR
    az acr login -n <acr name>
  - Build and push
    docker buildx build --platform linux/amd64,linux/arm64 \
      -t <acr url>/sample-app:1.0.0 \
      --push \
      -f ./src/DotnetContainerOptimization.SampleApp/Dockerfile.default-multi-arch ./src/DotnetContainerOptimization.SampleApp
- Check the manifest list of the pushed tag for the multi-arch details (both platforms must be present)
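The manifest check in the last step, as an added example that is not part of the repo: pull the raw OCI index of the pushed tag and fail unless every requested platform is in it. The parser is exercised on a constructed index that also carries the attestation manifest buildx adds (platform unknown/unknown), which must be ignored. Assumptions: `docker buildx imagetools inspect --raw <ref>` prints the index JSON, and the image reference is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the repo): after `docker buildx build --push`, confirm the
# pushed tag is a multi-platform index containing every requested platform.
# Assumption: `docker buildx imagetools inspect --raw` prints the OCI index / manifest list.

# Extract "os/arch" pairs from an OCI image index or Docker manifest list on stdin.
# buildx also stores provenance/SBOM attestations as manifests with platform
# unknown/unknown; those are not runnable images and are skipped.
index_platforms() {
  tr -d ' \n\t' | grep -oE '"platform":\{[^}]*\}' |
  while IFS= read -r p; do
    arch=$(printf '%s' "$p" | sed -nE 's/.*"architecture":"([^"]*)".*/\1/p')
    os=$(printf '%s' "$p" | sed -nE 's/.*"os":"([^"]*)".*/\1/p')
    [ "$os" = "unknown" ] && continue
    echo "$os/$arch"
  done | sort
}

# Fail unless every wanted platform is in the list.
require_platforms() {         # $1 = newline-separated platforms found; rest = wanted
  found=$1; shift
  for want in "$@"; do
    printf '%s\n' "$found" | grep -qx "$want" \
      || { echo "missing platform: $want"; return 1; }
  done
  echo "all platforms present: $*"
}

check_image() {               # $1 = image reference, e.g. <acr url>/sample-app:1.0.0
  require_platforms "$(docker buildx imagetools inspect --raw "$1" | index_platforms)" \
    linux/amd64 linux/arm64
}

# Constructed index as buildx pushes it: two image manifests plus one attestation.
sample_index() {
  cat <<'EOF'
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    { "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
      "size": 1234, "platform": { "architecture": "amd64", "os": "linux" } },
    { "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
      "size": 1234, "platform": { "architecture": "arm64", "os": "linux" } },
    { "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333",
      "size": 567, "platform": { "architecture": "unknown", "os": "unknown" },
      "annotations": { "vnd.docker.reference.type": "attestation-manifest" } }
  ]
}
EOF
}

if [ "${1:-}" = "--check" ]; then   # ./check-manifest.sh --check <acr url>/sample-app:1.0.0
  check_image "$2"
else
  sample_index | index_platforms
fi
```

A node pulling an image whose index lacks its platform gets a "no matching manifest" error at deploy time, so this check belongs in the pipeline right after the push, not in the cluster.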