August 16th, 2022
.NET 6 is now included in Ubuntu 22.04 (Jammy) and can be installed with just apt install dotnet6. This change is a major improvement and simplification for Ubuntu users. We’re also releasing .NET with Chiseled Ubuntu Containers, a new small and secure container offering from Canonical. These improvements are the result of a new partnership between Canonical and Microsoft.
Here are the commands to install the .NET 6 SDK on Ubuntu 22.04:
We’re also announcing that .NET 6 is available with Chiseled Ubuntu Containers. Our friends at Canonical have developed a new chisel approach for making ultra-small container images. We’re very excited about it. The Chiseled Ubuntu image is 100MB smaller than the Ubuntu images you’ve been using until now!
Here’s the command to pull the new ASP.NET Chiseled image:
We also updated our dotnetapp and aspnetapp samples so that you can try out .NET with Chiseled Ubuntu Containers.
These new container images significantly improve security posture:
To top that off, Canonical and Microsoft are committed to working together to ensure that new .NET releases are available with new Ubuntu releases and that they work well together. This includes security updates and secure delivery of container images.
We’re really excited that .NET 6 is available in Ubuntu 22.04 and that Canonical chose to work with us as their launch partner for Chiseled Ubuntu images. This is what Canonical had to say about the project.
“Ubuntu now has an end-to-end story from development to production with ultra-small supported container images, starting with the .NET platform”, said Valentin Viennot, Product Manager at Canonical. “We think it’s a huge improvement for both our communities; collaborating with the .NET team at Microsoft has enabled us to go above and beyond”.
Several months ago, folks at Canonical and Microsoft started working together with the goal of making Ubuntu an even better environment for .NET devs.
We had two main goals in mind:
We’ve known for years that many .NET devs use Ubuntu. After we got talking, it became obvious that there was a fair bit we could do to make that experience better. Let me tell you what we’ve delivered.
You can now install .NET 6 with APT, built by Canonical via source-build. These packages are available with Ubuntu 22.04 (Jammy) and later. It’s a great reason to upgrade to Jammy!
Note: Please check out this advisory on using packages.microsoft.com on Ubuntu 22.04 now that .NET 6 is included in Ubuntu.
There are multiple packages:
I’ll show you how to install these images using Docker (same model applies elsewhere):
In case that doesn’t work, you need the following source registered, in /etc/apt/sources.list:
Canonical and Microsoft will be working together to ensure that these packages are updated on the monthly .NET team release schedule. This includes Microsoft sharing CVE information (descriptions and code) with Canonical ahead of public releases. Similarly, Canonical will share security information in the other direction.
You can now use .NET in Chiseled Ubuntu Containers. Chiseling delivers the smallest container footprint while still being the Ubuntu you know and trust. It is similar to conventional distroless, with a tool that is customized for slicing
These images are 100MB smaller than the Ubuntu images we’ve offered until now and don’t include a root user!
We’re offering three layers of Chiseled Ubuntu container images, for Arm64 and x64, for .NET 6 and 7:
Note: The images will be offered in our nightly repos while the chiseled offering is in preview. We’ll make another announcement when they are supported in production. It will be sometime this year, but we haven’t picked a timeframe, since we’ve been focused on basic enablement.
Canonical is also publishing Chiseled Ubuntu container images for .NET, that include the new APT packages, via Docker Hub:
Let’s take a look at the size win. All of the following sizes are uncompressed (on-disk, not registry/wire size).
And on the other end of the spectrum, the
That’s a truly amazing difference! The folks at Canonical have figured out how to drop 100MB of binaries and other content from these images. When we first started talking, we had no idea we’d be talking about this large of a difference!
Close readers will notice that chiseled aspnet is smaller than the existing runtime-deps layer. That’s shockingly good.
It’s reasonable to ask what Alpine looks like. It’s a newer distro designed to be super small and componentized from the start. Alpine is
aspnet:6.0-alpine. Those are impressive numbers, again uncompressed. That’s the key reason why Alpine is so popular (and why we’ve published .NET images for it for years).
Alpine is great (and we’re also friends with those folks), but it isn’t for everyone and every app since it uses musl, which is a different (and incompatible) libc variant. That’s only important if your app includes native libraries. If it doesn’t (and most .NET apps don’t), you don’t need to worry about this detail. The .NET product itself is happy running with either musl or glibc and every PR on dotnet/runtime tests for both.
Putting this in perspective, this is really great news if you use Ubuntu for development and always wished for a small Ubuntu to deliver into production. You now have a straightforward path from dev box to cloud without any distro-compatibility surprises. It’s amazing (and quite surprising) to see Ubuntu in the same ballpark as Alpine. Kudos to the Canonical folks on a great engineering accomplishment.
It’s also worth mentioning that Chainguard is looking at minimal container images towards a secure future. That project is run out of the distroless GitHub org. We’re watching that project and glad to see more interest in small and more secure container images. We believe that minimal + non-root container images are the future.
Like our Alpine images, we’ve chosen not to include ICU. It would likely double the size of the image. That means that we’ve enabled globalization invariant mode. For some apps, that’s fine, and the size win is great. For others, it is a deal breaker. We may need to adjust this part of the plan depending on the feedback. We’ve documented the pattern to add ICU into your images.
Let me demo these images a bit to drive the point home on how (intentionally) limited these images are.
Let’s try again.
Huh? What’s up? They don’t work! That’s the point. These are appliance-like container images. They are stripped down to the minimum. They are only intended to do what you design them to do. That’s the aspect that makes them more secure. If this experience is uncomfortable, you can always use the regular Ubuntu images. We’ll continue to offer them. They are not going away.
We’re not offering a chiseled SDK image. It wasn’t obvious that there was a strong need. In fact, a chiseled SDK image could be hard to use for some scenarios. You can continue to use the existing Jammy SDK image: mcr.microsoft.com/dotnet/sdk:6.0-jammy. If there is a need for a chiseled SDK image, we’ll be happy to reconsider.
For most apps, there won’t be any notable difference in using these new container images, in terms of what your Dockerfile looks like.
We updated our samples to use these new container images:
I’ll show you how easy this is with dotnetapp.
The Dockerfile is barely different.
Only the final FROM statement really differs from our standard Ubuntu Dockerfile.
I’ll now build the sample:
Note: I didn’t use any .NET trimming features. Certainly, this image could be made smaller.
Let’s launch the container:
And then, let’s try to break in:
My “red team” skills are failing me. Note that docker exec would have the same result.
I’ll now describe chiseled images in a bit more detail now that you’ve seen them in action.
Chiseled Ubuntu Containers are the Canonical take on the distroless concept, originally popularized by Google. With the original implementation, a distro is stripped bare and only necessary packages are installed. Chiseling takes this one step forward by installing only the directories and files in each package that are necessary.
The other challenge with the original implementation was that it wasn’t necessarily supported by any party. Chiseled Ubuntu Containers are a first-class Canonical deliverable. That means you can use ultra-small container images and be supported as a Canonical customer.
Hats off to Google for getting us all started down this path.
As stated earlier, there is a lot of value to this approach:
Chiseled Ubuntu Containers are currently in preview. We’ll make a separate announcement when they are stable and supported in production.
We’ve configured all of the new .NET Chiseled Ubuntu Containers with a non-root user. The images do not include the root user or include root-elevating commands like su. That means that it is not possible to exercise capabilities and operations that require
Non-root images are an additional security mitigation beyond removing a shell (like bash). Non-root images are logically separate and complementary to running a daemon as rootless. Every reduction in privilege helps.
If you need access to privileged resources, you can add the root user within your Dockerfile. You are not prevented from that, but then that’s a specific security decision you’d be making.
Chiseled images are appliance-like and are not general-purpose. We felt that they offered us an opportunity to finally deliver non-root images. That’s informing our policy going forward. Appliance-like images will be delivered as non-root and general-purpose ones will be delivered as per the policy of the base image (which might be configured with the root user). However, this project with Canonical has inspired us to look at a middle-ground option, of offering non-root-capable images.
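The properties described above (a non-root default user, no root account, no shell, no su) can be checked mechanically before an image is admitted to production. The following is an added example, not code from the .NET or Canonical projects; it audits the Config object printed by `docker image inspect` together with a root filesystem tar such as `docker export` produces, and the function names, tool lists, and both sample images are constructed for illustration.

```python
import io
import tarfile

# Tools whose presence contradicts the appliance-like properties described above.
SHELLS = {"sh", "bash", "dash", "ash", "busybox"}
ELEVATORS = {"su", "sudo"}
PKG_TOOLS = {"apt", "apt-get", "dpkg"}
BIN_DIRS = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "usr/local/bin/")
CHECKS = (("shell", SHELLS), ("privilege elevation", ELEVATORS),
          ("package manager", PKG_TOOLS))


def audit_image(config, rootfs):
    """Audit an image's "Config" object and its rootfs tar (a seekable file
    object); return a list of findings, empty when the image looks hardened."""
    findings = []
    user = (config.get("User") or "").split(":")[0]  # "user:group" -> "user"
    if user in ("", "0", "root"):
        findings.append(f"config: container starts as root (User={user!r})")
    with tarfile.open(fileobj=rootfs) as tar:
        for member in tar:
            path = member.name.removeprefix("./").lstrip("/")
            name = path.rsplit("/", 1)[-1]
            # Symlinks count too: on Ubuntu /bin/sh is a link to dash.
            if path.startswith(BIN_DIRS) and not member.isdir():
                for label, names in CHECKS:
                    if name in names:
                        findings.append(f"{label} present: /{path}")
            if path == "etc/passwd" and member.isfile():
                for line in tar.extractfile(member).read().decode().splitlines():
                    fields = line.split(":")
                    if len(fields) > 2 and fields[2] == "0":
                        findings.append(f"passwd: UID 0 account {fields[0]!r}")
    return findings


def make_rootfs(files):
    """Build a rootfs tar in memory from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed samples: a general-purpose layout and an appliance-like one.
GENERAL_FILES = {"usr/bin/bash": b"", "usr/bin/su": b"", "usr/bin/apt": b"",
                 "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}
APPLIANCE_FILES = {"usr/bin/dotnet": b"",
                   "etc/passwd": b"app:x:1000:1000::/home/app:/sbin/nologin\n"}

if __name__ == "__main__":
    print(audit_image({"User": ""}, make_rootfs(GENERAL_FILES)))
    print(audit_image({"User": "app"}, make_rootfs(APPLIANCE_FILES)))
```

An empty result is a necessary condition rather than proof of hardening: adding the root user back in a Dockerfile, as described above, would show up here as both a config finding and a passwd finding.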
Canonical already has secure processes in place for directly delivering Ubuntu Virtual Machine images to Azure for customers to use. It occurred to us that Canonical could do the same thing with the Ubuntu container base images that we use to build Ubuntu-based .NET images (regular and Chiseled). That’s what we’re now using, instead of pulling from Docker Hub. We now have what’s effectively a zero-distance supply chain for all Canonical assets with known custody/provenance throughout.
We’re doing something similar with sharing CVE fixes. We have a shared private virtual mono repo for sharing monthly patches. It’s also shared with Red Hat. It means we can work together on getting the correct fixes in place at the right time in a coordinated way.
.NET container images are not yet signed, but that’s coming relatively soon. We’re regularly working to improve our security-focused capabilities.
Canonical and Microsoft have been working together to give you a better experience. This includes support. You can report issues in the familiar .NET repos like dotnet/core and dotnet/runtime. If you want commercial support, you should start with Canonical support. Canonical is in the best position to support Ubuntu packages. Canonical may contact Microsoft to assist with resolving issues, as needed.
Security researchers that find vulnerabilities in Canonical-provided .NET packages are still eligible for the Microsoft .NET Bounty Program.
Microsoft continues to maintain .NET packages in its packages.microsoft.com feed for Ubuntu and we intend to continue that going forward. For most users, we recommend using the dotnet6 packages that come with Ubuntu Jammy+. That’s what I’ll be doing. It’s also the same guidance we have for Red Hat users.
Note: Please check out this advisory on using packages.microsoft.com on Ubuntu 22.04 now that .NET 6 is included in Ubuntu.
There are two main reasons to continue to use the Microsoft packages:
The new packages are available for .NET 6+ and Ubuntu 22.04+. Previous .NET and Ubuntu versions are not supported (with the new packages). You must use the existing packages.microsoft.com feed to use .NET on earlier Ubuntu versions. Separately, earlier .NET versions are not supported on Ubuntu 22.04 because they do not support OpenSSL v3.
We have identified a number of opportunities to make it easier for Canonical to consume .NET source. We’re going to focus on those in the immediate term. These improvements will also benefit other users who build and distribute .NET from source.
We recently set up a distro-maintainer group for .NET. Canonical is a member of that group. We have already started discussing potential source-build improvements within that forum. Other distros (that build .NET from source) are welcome to join. Contact email@example.com for more information.
Canonical is starting out with support for x64 and will quickly add .NET packages for Arm64. It’s an exciting time in the industry with multiple mainline chip architectures to support. Ubuntu and .NET both have a long history of supporting multiple architectures.
.NET has been open source for just over 5 years now. A partnership with Canonical felt out of grasp during the early days of our project on GitHub. We’ve learned a lot about how to structure an OSS project so that it is a candidate for inclusion in a Linux distro. This is thanks to our other partners who have taught us a lot, particularly Fedora and Red Hat. Looking back, it is easy to see that open source, trust, and industry relationships are even more important now than they were when we started. We’re excited and honored to be working with Canonical.
It will be useful to list applications which now are available for Ubuntu users with .net 6.0
That is an interesting question. There are obviously no .NET 6 app packages yet, since the platform packages just arrived. However, an app like Jellyfin — https://jellyfin.org/ — now has the opportunity to publish packages on top. I hope to see a bunch of that happen now.
Still waiting when MAUI/Xamarin.Forms will work with Linux and ShareX will be ported
Understood. I’ll make sure the MAUI folks see this.
That is awesome. .NET is great and with those features and images for Linux makes it easier to make the apps run on Linux.
All this just confirms that I choose a great platform to develop my apps!
For sure! We’re trying to make good choices and partner with great companies/organizations that benefit .NET devs.
“.NET SDK workloads are not available in packages (for any Linux distro).”
Is there some plan to add workload support? What about wasm-aot?
I already can build and run a .NET 6 Android app through Rider, so workload support seems very important for Linux users.
Yes. It is clearly important to deliver workload support for Linux. I’m not super close to that space, so I don’t have anything to share.
I’m waiting for MAUI support for the Linux platform
Improve Office
Open Document Format = model only pattern font
***** ODF – Open Document Format
for Office Applications = Open Document Format. (use the same font in all alternative Office suites and on Android).
ODT for text documents
ODS for spreadsheets
ODP for slide presentations
PDF Portable Document format
I’m sorry, but I don’t understand what you are asking for.
Will there also be a dotnet meta-package that installs the latest .NET (6/7/8/etc)? I would find this useful.
We have avoided those models since it usually results in people experiencing breaking changes when they don’t expect them.
Do you also have plans to work with Raspberry Pi Foundation to bring same kind of .net 6/7 support to Raspberry Pi OS?
Great question. This topic has occurred to us. We’re certainly open to it. We likely need to make .NET significantly cheaper to build to make it attractive to the Raspberry Pi Foundation, first. Certainly, we’re more than open to this conversation.
Wonderful news, absolutely loved it. One last thing: we, the dotnet developers on Ubuntu, also need to make dotnet GUI apps for Windows, Mac, Linux, and Mobile. Please bring MAUI to Linux. The dotnet developers on Mac can build with MAUI. The dotnet developers on Ubuntu can’t. Bringing MAUI to Linux will complete the dotnet developer’s universe.
Very excited to see .NET so cleanly available to developers! The workflow for building .NET Docker images to run on AKS should now be very neat 🙂 Thank you to the .NET team for the collaboration needed to establish LTS support for .NET 6 too!
Keen to get feedback on the new chiselled Ubuntu approach to Docker images, if folks have additional debs they would like to slice for Docker image building then please do make a PR to chisel, where the slice definitions are maintained.
Thanks for stopping by! Same on the excitement.
This is a good opportunity to say that working with the Canonical team has been fantastic. It was very easy and quick to get to the point of speaking the same language and that we have overlapping goals. I’m amazed at how much we were able to achieve together in a short time.
Awesome! As a .NET developer using Ubuntu on my personal devices, anything that makes development and deploying on Linux better is appreciated! I’m definitely going to use these new images for deploying a Blazor web application in the future.