Is there any vulnerability or security issues in Chiseled images build with multistage docker file.

[Amit-limbasiya]

I am confused about the security issues or vulnerabilities in the custom chiseled images built with the multistage docker file.
I have requirements like I need the container image of the application having chiseled base images plus a new relic dotnet agent installed in it.

As a security purpose, chiseled images removed all the commands like curl, wget, rm, apt, apt-get etc. And it builds a non-interactive image container. So I choose the approach where I build a custom base image(docker file is attached below) in which, in first stage I used debian:bookworm-slim image which will have the commands that are used to install the agent and the final image is aspnet:8.0-jammy-chiseled-extra chiseled image.

So the question is, Is there any security issue or vulnerability in the created custom base image? Also, the created custom base image can be considered as aspnet:8.0-jammy-chiseled-extra image with new relic agent installed?

Dockerfile of custom base image with newrelic dotnet agent installed.

FROM debian:bookworm-slim AS newrelic
ARG ENVIRONMENT_NAME
ENV ENVIRONMENT_NAME ${ENVIRONMENT_NAME}
RUN apt-get update && apt-get install -y procps wget ca-certificates gnupg \
    && rm -rf /var/lib/apt/lists/*
RUN apt-get update \
    && echo 'deb http://apt.newrelic.com/debian/ newrelic non-free' | tee /etc/apt/sources.list.d/newrelic.list \
    && wget https://download.newrelic.com/548C16BF.gpg \
    && apt-key add 548C16BF.gpg \
    && apt-get update \
    && apt-get install -y newrelic-dotnet-agent \
    && rm -rf /var/lib/apt/lists/*

FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-extra AS base
COPY --from=newrelic /usr/local/newrelic-dotnet-agent /usr/local/newrelic-dotnet-agent
ARG NEW_RELIC_KEY

# Enable the agent
ENV CORECLR_ENABLE_PROFILING=1 \
CORECLR_PROFILER={90232161-FGC2-4B31-B559-F6E5DA1CAB9A} \
CORECLR_NEWRELIC_HOME=/usr/local/newrelic-dotnet-agent \
CORECLR_PROFILER_PATH=/usr/local/newrelic-dotnet-agent/libNewRelicProfiler.so \
NEW_RELIC_LICENSE_KEY=$NEW_RELIC_KEY

USER app
WORKDIR /app
EXPOSE 8080
EXPOSE 8081

[richlander]

Is there any security issue or vulnerability in the created custom base image?

There are no images that are immune from security vulnerabilities. You are correct that chiseled images are good because they have fewer components so are subject to fewer CVEs.

apt-get install -y procps wget ca-certificates gnupg \

I can see that this is coming from newrelic docs. In your Dockerfile, this line doesn't seem to be doing anything useful since those packages are not preserved across the stages.

[richlander]

It isn't obvious to me how you will use SDK container publish while needing to add the newrelic agent. We don't have a model for pulling in additional binaries.

An interesting option for us to consider with SDK publish is to install additional packages, particularly global tools, in addition to the app. That would likely make your scenario work since newrelic is also distributed as a package.

@baronfel

[Amit-limbasiya]

It isn't obvious to me how you will use SDK container publish while needing to add the newrelic agent. We don't have a model for pulling in additional binaries.

I guess you are asking about dotnet publish scenario, if so, then the dotnet publish command gives the feasibility to define the base image(visit this link), which will be used for SDK container publish, there I will define this custom base image which will have the dotnet agent pre-installed.

[baronfel]

I tried to capture my thoughts on this in dotnet/sdk-container-builds#325 - right now the only thing the SDK tooling can do is shove things into PublishDir and put all of that into a single container layer. With more sophistication individual layers could be used to grab specific kinds of content and easily integrate them into the final container - this is the kind of thing that Google does with java debugging tools, and you could see use cases here for .NET tools, dotnet-diagnostics, etc - all while making use of shared, known image layers for maximal re-use and staleness-detection.

[richlander]

I responded at dotnet/sdk-container-builds#325.

I hope you understand @Amit-limbasiya that creating a base image is not a one-time thing. It would need to be updated very frequently (since security seems to be a primary concern). We officially update our images once/month with new .NET patches. We also update out images every time there is a base image update (like of Debian). That can happen multiple times per month. The only way to stay as secure as what you want is to use images that are updated at the same cadence as the official .NET images.