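# syntax=docker/dockerfile:1.7
# Hardened multi-stage template for StellaOps services
# Parameters are build-time ARGs so this file can be re-used across services.
#
# NOTE: an ARG declared before the first FROM is only visible in FROM lines.
# Every stage that uses one of these values re-declares it (bare `ARG NAME`)
# so the default / --build-arg override is actually in scope; without the
# re-declaration the expansions below are empty (`groupadd -g ""`, `-o`
# swallowing the next flag) and the build fails or silently misbehaves.
#
# For production builds pin both images by digest, e.g.
#   --build-arg RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-bookworm-slim@sha256:<digest>
ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0-bookworm-slim
ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0-bookworm-slim
ARG APP_PROJECT=src/Service/Service.csproj
ARG CONFIGURATION=Release
ARG PUBLISH_DIR=/app/publish
ARG APP_BINARY=StellaOps.Service
ARG APP_USER=stella
ARG APP_UID=10001
ARG APP_GID=10001
ARG APP_PORT=8080

# ---------------------------------------------------------------------------
# Build stage: restore + publish. Only PUBLISH_DIR is copied out of it.
# ---------------------------------------------------------------------------
FROM ${SDK_IMAGE} AS build
ARG APP_PROJECT
ARG CONFIGURATION
ARG PUBLISH_DIR

# SOURCE_DATE_EPOCH fixes timestamps in the published output for reproducible
# builds (1704067200 = 2024-01-01T00:00:00Z); change it only when the
# reproducibility baseline is deliberately re-set.
ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
    DOTNET_NOLOGO=1 \
    SOURCE_DATE_EPOCH=1704067200

WORKDIR /src

# The whole build context is copied. Keep .git, local .env files, credentials
# and build output out of it via .dockerignore: this stage is discarded, but
# anything copied here still lands in the build cache.
COPY . .

# Restore from the pre-populated local-nugets/ tree: `--packages` makes it the
# NuGet packages folder, so packages already present there are not fetched.
# Anything missing from that folder would still be requested from the sources
# in NuGet.config, so verify the folder is complete for a truly offline build.
# `--no-restore` on publish is required: the implicit restore that publish
# would otherwise run ignores the `--packages` flag given to `dotnet restore`
# and would try the default packages folder / remote sources again.
RUN dotnet restore "${APP_PROJECT}" --packages /src/local-nugets && \
    dotnet publish "${APP_PROJECT}" -c "${CONFIGURATION}" -o "${PUBLISH_DIR}" \
      --no-restore \
      /p:UseAppHost=true /p:PublishTrimmed=false

# ---------------------------------------------------------------------------
# Runtime stage
# ---------------------------------------------------------------------------
FROM ${RUNTIME_IMAGE} AS runtime
ARG PUBLISH_DIR
ARG APP_BINARY
ARG APP_USER
ARG APP_UID
ARG APP_GID
ARG APP_PORT

# Non-root user/group with fixed numeric ids so runAsNonRoot and audit
# policies can verify them. The service may write only to its home dir,
# its run dir and /tmp; /app is deliberately NOT chowned to it (see below).
RUN groupadd -r -g "${APP_GID}" "${APP_USER}" && \
    useradd -r -u "${APP_UID}" -g "${APP_GID}" -d "/var/lib/${APP_USER}" "${APP_USER}" && \
    mkdir -p /app "/var/lib/${APP_USER}" "/var/run/${APP_USER}" /tmp && \
    chown -R "${APP_UID}:${APP_GID}" "/var/lib/${APP_USER}" "/var/run/${APP_USER}" /tmp

WORKDIR /app

# Application files stay root-owned and world-readable but not writable: the
# service user can read and execute them yet cannot modify them. Files owned
# by the service user with mode 400/500 would not hold up against a
# compromised process, because an owner can always chmod its own files back.
# Only the apphost launcher keeps the execute bit; managed assemblies and
# native libraries are mapped from read-only files. The final chmod also
# fails the build early if APP_BINARY does not name a file in the publish
# output.
COPY --from=build --chown=0:0 ${PUBLISH_DIR}/ ./
RUN find /app -type d -exec chmod 0555 {} + && \
    find /app -type f -exec chmod 0444 {} + && \
    chmod 0555 "/app/${APP_BINARY}"

# Health probe helper: root-owned, executable, not writable by the service.
# Callers may override it with their own script at the same path.
COPY --chown=0:0 --chmod=0555 ops/devops/docker/healthcheck.sh /usr/local/bin/healthcheck.sh

# Resolve the binary name at build time into a tiny launcher instead of
# reading it from the environment at start-up. With the previous
# `sh -c 'exec ./"$APP_BINARY"'` form, anyone able to set APP_BINARY on the
# container (docker run -e, pod spec) chose what ran as the service, and
# arguments passed as CMD were silently dropped because `sh -c` does not
# forward them. The launcher `exec`s the service so it stays PID 1 and
# receives SIGTERM from `docker stop`. APP_BINARY is still trusted build
# input (it is an ARG), which is why it can be interpolated here.
RUN printf '#!/bin/sh\nset -eu\nexec "/app/%s" "$@"\n' "${APP_BINARY}" > /usr/local/bin/entrypoint.sh && \
    chmod 0555 /usr/local/bin/entrypoint.sh

# DOTNET_EnableDiagnostics=0 disables the runtime's diagnostics IPC surface
# (debugger/profiler attach, dump requests); COMPlus_EnableDiagnostics is the
# legacy spelling kept for older runtime components. Invariant globalization
# avoids an ICU dependency in the slim base. APP_BINARY is exported for
# information/compatibility only (e.g. a healthcheck script may read it); it
# no longer selects what the entrypoint executes.
ENV ASPNETCORE_URLS=http://+:${APP_PORT} \
    DOTNET_EnableDiagnostics=0 \
    COMPlus_EnableDiagnostics=0 \
    DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 \
    APP_BINARY=${APP_BINARY}

USER ${APP_UID}:${APP_GID}
EXPOSE ${APP_PORT}

# Runs as the non-root USER above; shell form is kept so a script without a
# shebang still executes.
HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
    CMD /usr/local/bin/healthcheck.sh

# Deployments should additionally set readOnlyRootFilesystem=true and mount
# tmpfs/emptyDir over /tmp, /var/lib/<user> and /var/run/<user>; nothing in
# this image needs write access anywhere else.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]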