Ubuntu Chiseled Image: Issues with globalization and SQL Server connection

[akoken]

Hi,

We are currently experiencing issues with the Ubuntu Chiseled images we are using, particularly with the libicu package and SQL Server connection.

Fortunately, we were able to solve the libicu package issue with the help of @mthalman 's workaround found here. However, we are still encountering problems with SQL Server connection, specifically related to the TLS version we are using, as outlined in this issue.

We would like to apply a workaround that involves updating the openssl.cnf file, but we have been unable to do so as the Chiseled image does not have any shell or package manager. Are there any workarounds or alternative solutions that we could explore in order to update the openssl.cnf file?

We believe that these two cases may be common issues encountered by others using these images, and it would be extremely helpful to document the solutions to these problems.

Dockerfile:

FROM golang:1.18 as chisel

RUN git clone --depth 1 -b main https://github.com/canonical/chisel /opt/chisel
WORKDIR /opt/chisel
RUN go build ./cmd/chisel


FROM mcr.microsoft.com/dotnet/sdk:7.0-jammy AS build

RUN apt-get update \
    && apt-get install -y fdupes \
    && rm -rf /var/lib/apt/lists/*

COPY --from=chisel /opt/chisel/chisel /usr/bin/
COPY --from=mcr.microsoft.com/dotnet/nightly/runtime:7.0-jammy-chiseled / /runtime-ref

RUN mkdir /rootfs \
    && chisel cut --release "ubuntu-22.04" --root /rootfs \
        libicu70_libs \
    \
    # Remove duplicates from rootfs that exist in runtime-ref
    && fdupes /runtime-ref /rootfs -rdpN \
    \
    # Delete duplicate symlinks
    # Function to find and format symlinks w/o including root dir (format: /path/to/symlink /path/to/target)
    && getsymlinks() { find $1 -type l -printf '%p %l\n' | sed -n "s/^\\$1\\(.*\\)/\\1/p"; } \
    # Combine set of symlinks between rootfs and runtime-ref
    && (getsymlinks "/rootfs"; getsymlinks "/runtime-ref") \
        # Sort them
        | sort \
        # Find the duplicates
        | uniq -d \
        # Extract just the path to the symlink
        | cut -d' ' -f1 \
        # Prepend the rootfs directory to the paths
        | sed -e 's/^/\/rootfs/' \
        # Delete the files
        | xargs rm \
    \
    # Delete empty directories
    && find /rootfs -type d -empty -delete

WORKDIR /source

# copy csproj and restore as distinct layers
COPY *.csproj .
RUN dotnet restore

# copy and publish app and libraries
COPY . .
RUN dotnet publish -c release -o /app --no-restore


# final stage/image
FROM mcr.microsoft.com/dotnet/nightly/runtime:7.0-jammy-chiseled

ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false

COPY --from=build /rootfs /
WORKDIR /app
COPY --from=build /app .
ENTRYPOINT ["dotnet", "MyApp.dll"]

[richlander]

Can I confirm that everything with the regular jammy image?

[akoken]

Unfortunately, I was unable to get it to work with either 7.0-jammy or 7.0-alpine3.17, despite trying various approaches. However, it does work with 7.0-alpine3.16, as this version doesn't have the breaking change of OpenSSL 3 that caused the issue. I plan to discuss this matter with our database management team and ensure that TLS 1.2 is enabled on all of our SQL servers.

[mthalman]

Thanks for trying out the chiseled images. As you've experienced, they can be difficult to work with given the lack of shell. This is why multi-stage Dockerfiles are so useful in this context. You'll need to make all the necessary updates to the openssl.cnf file in a stage of the Dockerfile that is separate from the final, chiseled stage. In the Dockerfile you posted, this is what the build stage is used for because it has a shell.

Within the build stage you can make the necessary updates to the openssl.cnf as suggested in the SqlClient repo:

RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf \
    && sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1/g' /etc/ssl/openssl.cnf

Then in the final stage, you simply copy that file over from the build stage:

COPY --from=build /rootfs /
COPY --from=build /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf

[akoken]

Thank you for the helpful tip, @mthalman. That will probably work once we solve the issue I mentioned in my previous comment. I'd like to share that I noticed a missing configuration for MinProtocol in the 7.0-jammy image, and the SECLEVEL configuration contained a colon. Therefore, I updated the openssl.cnf file as shown below:

RUN sed -i '/^\[system_default_sect\]/a MinProtocol = TLSv1' /etc/ssl/openssl.cnf
RUN sed -i 's/DEFAULT:@SECLEVEL=2/DEFAULT:@SECLEVEL=1/g' /etc/ssl/openssl.cnf

I hope that this is not different in the chiseled images.

[richlander]

Please tell us how it works out. We're very interested to see the Chiseled images take off.

[akoken]

Hi @richlander,

I wanted to let you know that we've been using the chiseled images with a couple of microservices in our test environment for a while and it works great. Now we have smaller, more secure images having always-working DNS :) I'm looking forward to seeing the GA version coming out soon.