{"id":127291,"date":"2022-08-16T15:22:41","date_gmt":"2022-08-16T15:22:41","guid":{"rendered":"https:\/\/news.microsoft.com\/?p=446966"},"modified":"2022-08-16T15:22:41","modified_gmt":"2022-08-16T15:22:41","slug":"net-6-is-now-in-ubuntu-22-04","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2022\/08\/16\/net-6-is-now-in-ubuntu-22-04\/","title":{"rendered":".NET 6 is now in Ubuntu 22.04"},"content":{"rendered":"<div class=\"row justify-content-center author-header\">\n<div class=\"col-md-4\">\n<div class=\"post-detail-avatar-section\">\n<div class=\"post-detail-avatar\"> <img loading=\"lazy\" decoding=\"async\" alt src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2022\/08\/net-6-is-now-in-ubuntu-22-04.jpg\" class=\"avatar avatar-58 photo avatar-default lazyload\" height=\"58\" width=\"58\"><\/div>\n<p>Richard Lander<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"entry-meta entry-meta-layout\">\n<p> August 16th, 2022<\/p>\n<\/p><\/div>\n<p><!-- .entry-meta --> <\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/dotnet\/announcing-net-6\/\">.NET 6<\/a> is now <a href=\"https:\/\/ubuntu.com\/blog\/install-dotnet-on-ubuntu\">included in Ubuntu 22.04 (Jammy)<\/a> and can be installed with just <code>apt 
install dotnet6<\/code>. This change is a major improvement and simplification for Ubuntu users. We\u2019re also releasing .NET with Chiseled Ubuntu Containers, a new small and secure container offering from Canonical. These improvements are the result of a new partnership between Canonical and Microsoft.<\/p>\n<p>Here are the commands to install the <a href=\"https:\/\/packages.ubuntu.com\/jammy-updates\/dotnet6\">.NET 6 SDK on Ubuntu 22.04<\/a>:<\/p>\n<pre><code class=\"language-bash\">sudo apt update\nsudo apt install dotnet6<\/code><\/pre>\n<p>We\u2019re also announcing that <a href=\"https:\/\/github.com\/ubuntu-rocks\/dotnet\">.NET 6 is available with Chiseled Ubuntu Containers<\/a>. Our friends at <a href=\"https:\/\/canonical.com\/\">Canonical<\/a> have developed a new <a href=\"https:\/\/github.com\/canonical\/chisel\">chisel<\/a> approach for making ultra-small container images. We\u2019re very excited about it. The Chiseled Ubuntu image is <code>100MB<\/code> smaller than the Ubuntu images you\u2019ve been using until now!<\/p>\n<p>Here\u2019s the command to pull the new ASP.NET Chiseled image:<\/p>\n<pre><code class=\"language-bash\">docker pull mcr.microsoft.com\/dotnet\/nightly\/aspnet:6.0-jammy-chiseled<\/code><\/pre>\n<p>We also updated our <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/dotnetapp\/Dockerfile.chiseled\">dotnetapp<\/a> and <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/aspnetapp\/Dockerfile.chiseled\">aspnetapp<\/a> samples so that you can try out .NET with Chiseled Ubuntu Containers.<\/p>\n<p>These new container images significantly improve security posture:<\/p>\n<ul>\n<li>Ultra-small images (reduced size and attack surface)<\/li>\n<li>No package manager (avoids a whole class of attacks)<\/li>\n<li>No shell (avoids a whole class of attacks)<\/li>\n<li>Non-root (avoids a whole class of attacks)<\/li>\n<\/ul>\n<p>To top that off, Canonical and Microsoft are committed to 
working together to ensure that new .NET releases are available with new Ubuntu releases and that they work well together. This includes security updates and secure delivery of container images.<\/p>\n<p>We\u2019re really excited that .NET 6 is available in Ubuntu 22.04 and that Canonical chose to work with us as their launch partner for Chiseled Ubuntu images. This is what Canonical had to say about the project.<\/p>\n<blockquote>\n<p>\u201cUbuntu now has an end-to-end story from development to production with ultra-small supported container images, starting with the .NET platform\u201d, said Valentin Viennot, Product Manager at Canonical. \u201cWe think it\u2019s a huge improvement for both our communities; collaborating with the .NET team at Microsoft has enabled us to go above and beyond\u201d.<\/p>\n<\/blockquote>\n<h2 id=\"canonical-and-microsoft\">Canonical and Microsoft<\/h2>\n<p>Several months ago, folks at Canonical and Microsoft started working together with the goal of making Ubuntu an even better environment for .NET devs.<\/p>\n<p>We had two main goals in mind:<\/p>\n<ul>\n<li>Simplify using .NET on Ubuntu.<\/li>\n<li>Shorten the supply chain between Canonical and Microsoft.<\/li>\n<\/ul>\n<p>We\u2019ve known for years that many .NET devs use Ubuntu. After we got talking, it became obvious that there was a fair bit we could do to make that experience better. Let me tell you what we\u2019ve delivered.<\/p>\n<h2 id=\"net-in-apt\">.NET in APT<\/h2>\n<p>You can now install <a href=\"https:\/\/ubuntu.com\/blog\/install-dotnet-on-ubuntu\">.NET 6 with APT<\/a>, built by Canonical via <a href=\"https:\/\/github.com\/dotnet\/source-build\">source-build<\/a>. These packages are available with Ubuntu 22.04 (Jammy) and later. 
It\u2019s a great reason to upgrade to <a href=\"https:\/\/ubuntu.com\/blog\/ubuntu-22-04-lts-released\">Jammy<\/a>!<\/p>\n<blockquote>\n<p>Note: Please check out this <a href=\"https:\/\/github.com\/dotnet\/core\/issues\/7699\">advisory on using <code>packages.microsoft.com<\/code> on Ubuntu 22.04<\/a> now that .NET 6 is included in Ubuntu.<\/p>\n<\/blockquote>\n<p>There are <a href=\"https:\/\/packages.ubuntu.com\/search?suite=default&amp;section=all&amp;arch=any&amp;keywords=dotnet&amp;searchon=names\">multiple packages<\/a>:<\/p>\n<p>I\u2019ll show you how to install these images using Docker (same model applies elsewhere):<\/p>\n<pre><code class=\"language-bash\">rich@kamloops:~$ docker run --rm -it ubuntu:jammy\nroot@7d4dfca0ef55:\/# apt update &amp;&amp; apt install -y dotnet6\nroot@7d4dfca0ef55:\/# dotnet --version\n6.0.108<\/code><\/pre>\n<p>In case that doesn\u2019t work, you need the following source registered, in \/etc\/apt\/sources.list:<\/p>\n<pre class=\"prettyprint\">deb http:\/\/archive.ubuntu.com\/ubuntu\/ jammy-updates universe<\/pre>\n<p>Canonical and Microsoft will be working together to ensure that these packages are updated on the monthly .NET team release schedule. This includes Microsoft sharing <a href=\"https:\/\/github.com\/dotnet\/core\/blob\/main\/release-notes\/6.0\/cve.md\">CVE information<\/a> (descriptions and code) with Canonical ahead of public releases. Similarly, Canonical will share security information in the other direction.<\/p>\n<p>Notes:<\/p>\n<ul>\n<li>We\u2019re currently missing Arm64 builds. Those will be coming soon. Both companies are strong proponents of Arm64.<\/li>\n<li>.NET 7 builds are not yet available, and likely won\u2019t be until .NET 7 GA.<\/li>\n<li><a href=\"https:\/\/github.com\/dotnet\/designs\/blob\/main\/accepted\/2020\/workloads\/workloads.md\">.NET SDK workloads<\/a><span> are not available in packages (for any Linux distro). 
Also, the .NET MAUI workload isn\u2019t supported on Linux.<\/span><\/li>\n<\/ul>\n<h2 id=\"net-in-chiseled-ubuntu-containers\">.NET in Chiseled Ubuntu Containers<\/h2>\n<p>You can now use <a href=\"https:\/\/github.com\/ubuntu-rocks\/dotnet\">.NET in Chiseled Ubuntu Containers<\/a>. Chiseling delivers the smallest container footprint while still being the Ubuntu you know and trust. It is similar to conventional <a href=\"https:\/\/hackernoon.com\/distroless-containers-hype-or-true-value-2rfl3wat\">distroless<\/a>, with a tool that is customized for slicing <code>.deb<\/code> packages.<\/p>\n<p>These images are <code>100MB<\/code> smaller than the Ubuntu images we\u2019ve offered until now and don\u2019t include a root user!<\/p>\n<p>We\u2019re offering three layers of Chiseled Ubuntu container images, for Arm64 and x64, for .NET 6 and 7:<\/p>\n<ul>\n<li><code>mcr.microsoft.com\/dotnet\/nightly\/runtime-deps:6.0-jammy-chiseled<\/code><\/li>\n<li><code>mcr.microsoft.com\/dotnet\/nightly\/runtime:6.0-jammy-chiseled<\/code><\/li>\n<li><code>mcr.microsoft.com\/dotnet\/nightly\/aspnet:6.0-jammy-chiseled<\/code><\/li>\n<\/ul>\n<p>Note: The images will be offered in our <code>nightly<\/code> repos while the chiseled offering is in preview. We\u2019ll make another announcement when they are supported in production. It will be sometime this year, but we haven\u2019t picked a timeframe, since we\u2019ve been focused on basic enablement.<\/p>\n<p>Canonical is also publishing Chiseled Ubuntu container images for .NET, that include the new APT packages, via Docker Hub:<\/p>\n<ul>\n<li>https:\/\/hub.docker.com\/r\/ubuntu\/dotnet-deps<\/li>\n<li>https:\/\/hub.docker.com\/r\/ubuntu\/dotnet-runtime<\/li>\n<li>https:\/\/hub.docker.com\/r\/ubuntu\/dotnet-aspnet<\/li>\n<\/ul>\n<p>Let\u2019s take a look at the size win. 
All of the following sizes are uncompressed (on-disk, not registry\/wire size).<\/p>\n<p>First, the <code>runtime-deps<\/code> layer.<\/p>\n<ul>\n<li>Ubuntu 22.04 (Jammy): <code>112MB<\/code><\/li>\n<li>Chiseled Ubuntu 22.04 (Jammy): <code>12.9MB<\/code><\/li>\n<\/ul>\n<p>And on the other end of the spectrum, the <code>aspnet<\/code> layer.<\/p>\n<ul>\n<li>Ubuntu 22.04 (Jammy): <code>213MB<\/code><\/li>\n<li>Chiseled Ubuntu 22.04 (Jammy): <code>104MB<\/code><\/li>\n<\/ul>\n<p>That\u2019s a truly amazing difference! The folks at Canonical have figured out how to drop 100MB of binaries and other content from these images. When we first started talking, we had no idea we\u2019d be talking about this large of a difference!<\/p>\n<p>Close readers will notice that chiseled <code>aspnet<\/code> is smaller than the existing <code>runtime-deps<\/code> layer. That\u2019s shockingly good.<\/p>\n<p>It\u2019s reasonable to ask what <a href=\"https:\/\/alpinelinux.org\/\">Alpine<\/a> looks like. It\u2019s a newer distro designed to be super small and componentized from the start. Alpine is <code>9.84MB<\/code> for <code>runtime-deps:6.0-alpine<\/code> and <code>100MB<\/code> for <code>aspnet:6.0-alpine<\/code>. Those are impressive numbers, again uncompressed. That\u2019s the key reason why Alpine is so popular (and why we\u2019ve published .NET images for it for years).<\/p>\n<p>Alpine is great (and we\u2019re also <a href=\"https:\/\/pkgs.alpinelinux.org\/packages?name=dotnet*\">friends with those folks<\/a>), but it isn\u2019t for everyone and every app since it uses <a href=\"http:\/\/musl.libc.org\/\">musl<\/a>, which is a different (and incompatible) <code>libc<\/code> variant. That\u2019s only important if your app includes native libraries. If it doesn\u2019t (and most .NET apps don\u2019t), you don\u2019t need to worry about this detail. 
The .NET product itself is happy running with either <code>musl<\/code> or <a href=\"https:\/\/www.gnu.org\/software\/libc\/\"><code>glibc<\/code><\/a> and every PR on <a href=\"https:\/\/github.com\/dotnet\/runtime\">dotnet\/runtime<\/a> tests for both.<\/p>\n<p>Putting this in perspective, this is really great news if you use Ubuntu for development and always wished for a small Ubuntu to deliver into production. You now have a straightforward path from dev box to cloud without any distro-compatibility surprises. It\u2019s amazing (and quite surprising) to see Ubuntu in the same ballpark as Alpine. Kudos to the Canonical folks on a great engineering accomplishment.<\/p>\n<p>It\u2019s also worth mentioning that <a href=\"https:\/\/www.chainguard.dev\/\">Chainguard<\/a> is looking at <a href=\"https:\/\/blog.chainguard.dev\/minimal-container-images-towards-a-more-secure-future\/\">minimal container images towards a secure future<\/a>. That project is run out of the <a href=\"https:\/\/github.com\/distroless\">distroless<\/a> GitHub org. We\u2019re watching that project and glad to see more interest in small and more secure container images. We believe that minimal + non-root container images are the future.<\/p>\n<p>Like our <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/1297d21bbf695bcb87580bea2ccefdced894eeeb\/src\/runtime-deps\/3.1\/alpine3.16\/amd64\/Dockerfile#L19-L20\">Alpine images<\/a>, we\u2019ve chosen not to include <a href=\"https:\/\/icu.unicode.org\/\">ICU<\/a>. It would likely double the size of the image. That means that we\u2019ve enabled <a href=\"https:\/\/github.com\/dotnet\/runtime\/blob\/main\/docs\/design\/features\/globalization-invariant-mode.md\">globalization invariant mode<\/a>. For some apps, that\u2019s fine, and the size win is great. For others, it is a deal breaker. We may need to adjust this part of the plan depending on the feedback. 
We\u2019ve <a href=\"https:\/\/github.com\/ubuntu-rocks\/dotnet\/issues\/21\">documented the pattern<\/a> to add ICU into your images.<\/p>\n<p>Let me demo these images a bit to drive the point home on how (intentionally) limited these images are.<\/p>\n<pre><code class=\"language-bash\">% docker run --rm mcr.microsoft.com\/dotnet\/nightly\/runtime-deps:6.0-jammy-chiseled-amd64\ndocker: Error response from daemon: No command specified.\nSee 'docker run --help'.<\/code><\/pre>\n<p>Let\u2019s try again.<\/p>\n<pre><code class=\"language-bash\">% docker run --rm mcr.microsoft.com\/dotnet\/nightly\/runtime-deps:6.0-jammy-chiseled-amd64 bash\ndocker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: \"bash\": executable file not found in $PATH: unknown.<\/code><\/pre>\n<p>Huh? What\u2019s up? They don\u2019t work! That\u2019s the point. These are appliance-like container images. They are stripped down to the minimum. They are only intended to do what you design them to do. That\u2019s the aspect that makes them more secure. If this experience is uncomfortable, you can always use the regular Ubuntu images. We\u2019ll continue to offer them. They are not going away.<\/p>\n<p>We\u2019re not offering a chiseled SDK image. It wasn\u2019t obvious that there was a strong need. In fact, a chiseled SDK image could be hard to use for some scenarios. You can continue to use the existing Jammy SDK image: <code>mcr.microsoft.com\/dotnet\/sdk:6.0-jammy<\/code>. 
If there is a need for a chiseled SDK image, we\u2019ll be happy to reconsider.<\/p>\n<h2 id=\"using-chiseled-container-images\">Using chiseled container images<\/h2>\n<p>For most apps, there won\u2019t be any notable difference in using these new container images, in terms of what your <code>Dockerfile<\/code> looks like.<\/p>\n<p>We updated our samples to use these new container images:<\/p>\n<p>I\u2019ll show you how easy this is with <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/dotnetapp\/Dockerfile.chiseled\">dotnetapp<\/a>.<\/p>\n<p>The Dockerfile is barely different.<\/p>\n<pre><code class=\"language-dockerfile\">FROM mcr.microsoft.com\/dotnet\/sdk:7.0-jammy AS build\nWORKDIR \/source\n\n# copy csproj and restore as distinct layers\nCOPY *.csproj .\nRUN dotnet restore --use-current-runtime\n\n# copy and publish app and libraries\nCOPY . .\nRUN dotnet publish -c Release -o \/app --use-current-runtime --self-contained false --no-restore\n\n# final stage\/image\nFROM mcr.microsoft.com\/dotnet\/nightly\/runtime:7.0-jammy-chiseled\nWORKDIR \/app\nCOPY --from=build \/app .\nENTRYPOINT [\"dotnet\", \"dotnetapp.dll\"]<\/code><\/pre>\n<p>Only the final <code>FROM<\/code> statement really differs from our standard <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/main\/samples\/dotnetapp\/Dockerfile.ubuntu-x64\">Ubuntu Dockerfile<\/a>.<\/p>\n<p>I\u2019ll now build the sample:<\/p>\n<pre><code class=\"language-bash\">rich@MacBook-Air-2 dotnetapp % pwd\n\/Users\/rich\/git\/dotnet-docker\/samples\/dotnetapp\nrich@MacBook-Air-2 dotnetapp % docker build -t dotnetapp-chiseled -f Dockerfile.chiseled .\nrich@MacBook-Air-2 dotnetapp % docker images | grep dotnetapp-chiseled\ndotnetapp-chiseled latest bf7e125bd182 20 seconds ago 90.5MB<\/code><\/pre>\n<p>Note: I didn\u2019t use any .NET trimming features. 
Certainly, this image could be made smaller.<\/p>\n<p>Let\u2019s launch the container:<\/p>\n<pre><code class=\"language-bash\">rich@MacBook-Air-2 dotnetapp % docker run --rm dotnetapp-chiseled\n         42\n         42              ,d                             ,d\n         42              42                             42\n ,adPPYb,42  ,adPPYba, MM42MMM 8b,dPPYba,   ,adPPYba, MM42MMM\na8\"    `Y42 a8\"     \"8a  42    42P'   `\"8a a8P_____42   42\n8b       42 8b       d8  42    42       42 8PP\"\"\"\"\"\"\"   42\n\"8a,   ,d42 \"8a,   ,a8\"  42,   42       42 \"8b,   ,aa   42,\n `\"8bbdP\"Y8  `\"YbbdP\"'   \"Y428 42       42  `\"Ybbd8\"'   \"Y428\n\n.NET 7.0.0-preview.7.22375.6\nLinux 5.10.104-linuxkit #1 SMP PREEMPT Thu Mar 17 17:05:54 UTC 2022\n\nOSArchitecture: Arm64\nProcessorCount: 4\nTotalAvailableMemoryBytes: 3.83 GiB<\/code><\/pre>\n<p>And then, let\u2019s try to break in:<\/p>\n<pre><code class=\"language-bash\">rich@MacBook-Air-2 dotnetapp % docker run --rm --entrypoint bash dotnetapp-chiseled\ndocker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: \"bash\": executable file not found in $PATH: unknown.\nrich@MacBook-Air-2 dotnetapp % docker run --rm --entrypoint apt dotnetapp-chiseled install -y bash curl\ndocker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: \"apt\": executable file not found in $PATH: unknown.<\/code><\/pre>\n<p>My \u201cred team\u201d skills are failing me. Note that <code>docker exec<\/code> would have the same result.<\/p>\n<p>I\u2019ll now describe chiseled images in a bit more detail now that you\u2019ve seen them in action.<\/p>\n<h2 id=\"chiseled-ubuntu-containers\">Chiseled Ubuntu Containers<\/h2>\n<p>Chiseled Ubuntu Containers are the Canonical take on the distroless concept, originally <a href=\"https:\/\/github.com\/GoogleContainerTools\/distroless\">popularized by Google<\/a>. With the original implementation, a distro is stripped bare and only necessary packages are installed. 
Chiseling takes this one step forward by <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/fd39ea3eece8c8653348a717446ac41e93633784\/src\/runtime-deps\/6.0\/jammy-chiseled\/arm64v8\/Dockerfile#L29-L36\">installing only the directories and files in each package that are necessary<\/a>.<\/p>\n<p>The other challenge with the original implementation was that it wasn\u2019t necessarily supported by any party. Chiseled Ubuntu Containers are a first-class Canonical deliverable. That means you can use ultra-small container images and be supported as a Canonical customer.<\/p>\n<p>Hats off to Google for getting us all started down this path.<\/p>\n<p>As stated earlier, there is a lot of value to this approach:<\/p>\n<ul>\n<li>Ultra-small images (reduced size and attack surface)<\/li>\n<li>No package manager (avoids a whole class of attacks)<\/li>\n<li>No shell (avoids a whole class of attacks)<\/li>\n<\/ul>\n<p>Chiseled Ubuntu Containers are currently in preview. We\u2019ll make a separate announcement when they are stable and supported in production.<\/p>\n<h2 id=\"non-root-images\">Non-root images<\/h2>\n<p>We\u2019ve <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/blob\/fd39ea3eece8c8653348a717446ac41e93633784\/src\/runtime-deps\/6.0\/jammy-chiseled\/arm64v8\/Dockerfile#L13-L26\">configured all of the new .NET Chiseled Ubuntu Containers<\/a> with a <a href=\"https:\/\/stackoverflow.com\/questions\/59840450\/rootless-docker-image\">non-root<\/a> user. The images do not include the <code>root<\/code> user or include root-elevating commands like <code>sudo<\/code> or <code>su<\/code>. That means that it is not possible to exercise capabilities and operations that require <code>root<\/code>.<\/p>\n<p>Non-root images are an additional security mitigation beyond removing a shell (like <code>bash<\/code>). 
Non-root images are logically separate and complementary to running a <a href=\"https:\/\/docs.docker.com\/engine\/security\/rootless\/\">daemon as rootless<\/a>. Every <a href=\"https:\/\/seclists.org\/oss-sec\/2019\/q1\/119\">reduction in privilege helps<\/a>.<\/p>\n<p>If you need access to privileged resources, you can add the <code>root<\/code> user within your <code>Dockerfile<\/code>. You are not prevented from that, but then that\u2019s a specific security decision you\u2019d be making.<\/p>\n<p>Chiseled images are appliance-like and are not general-purpose. We felt that they offered us an opportunity to <a href=\"https:\/\/github.com\/dotnet\/dotnet-docker\/issues\/2249\">finally deliver non-root images<\/a>. That\u2019s informing our policy going forward. Appliance-like images will be delivered as non-root and general-purpose ones will be delivered as per the policy of the base image (which might be configured with the <code>root<\/code> user). However, this project with Canonical has inspired us to look at a middle-ground option, of <a href=\"https:\/\/github.com\/dotnet\/designs\/pull\/271\">offering non-root-capable images<\/a>.<\/p>\n<h2 id=\"secure-supply-chain\">Secure supply chain<\/h2>\n<p>Canonical already has secure processes in place for directly delivering Ubuntu Virtual Machine images to Azure for customers to use. It occurred to us that Canonical could do the same thing with the Ubuntu container base images that we use to build Ubuntu-based .NET images (regular and Chiseled). That\u2019s what we\u2019re now using, instead of pulling from Docker Hub. We now have what\u2019s effectively a zero-distance supply chain for all Canonical assets with known custody\/provenance throughout.<\/p>\n<p>We\u2019re doing something similar with sharing <a href=\"https:\/\/www.cve.org\/\">CVE<\/a> fixes. We have a shared private <a href=\"https:\/\/github.com\/dotnet\/source-build\/issues\/2956\">virtual mono repo<\/a> for sharing monthly patches. 
It\u2019s also shared with Red Hat. It means we can work together on getting the correct fixes in place at the right time in a coordinated way.<\/p>\n<p>.NET container images are not yet signed, but that\u2019s coming relatively soon. We\u2019re regularly working to improve our security-focused capabilities.<\/p>\n<h2 id=\"support\">Support<\/h2>\n<p>Canonical and Microsoft have been working together to give you a better experience. This includes support. You can report issues in the familiar .NET repos like <a href=\"https:\/\/github.com\/dotnet\/core\">dotnet\/core<\/a> and <a href=\"https:\/\/github.com\/dotnet\/runtime\">dotnet\/runtime<\/a>. If you want commercial support, you should <a href=\"https:\/\/ubuntu.com\/security\/docker-images\">start with Canonical support<\/a>. Canonical is in the best position to support Ubuntu packages. Canonical may contact Microsoft to assist with resolving issues, as needed.<\/p>\n<p>Security researchers that find vulnerabilities in Canonical-provided .NET packages are still eligible for the <a href=\"https:\/\/www.microsoft.com\/msrc\/bounty-dot-net-core\">Microsoft .NET Bounty Program<\/a>.<\/p>\n<p>Microsoft continues to maintain .NET packages in its <a href=\"https:\/\/docs.microsoft.com\/dotnet\/core\/install\/linux\">packages.microsoft.com<\/a> feed for Ubuntu and we intend to continue that going forward. For most users, we recommend using the <code>dotnet6<\/code> packages that come with Ubuntu Jammy+. That\u2019s what I\u2019ll be doing. 
It\u2019s also the same guidance we have for Red Hat users.<\/p>\n<blockquote>\n<p>Note: Please check out this <a href=\"https:\/\/github.com\/dotnet\/core\/issues\/7699\">advisory on using <code>packages.microsoft.com<\/code> on Ubuntu 22.04<\/a> now that .NET 6 is included in Ubuntu.<\/p>\n<\/blockquote>\n<p>There are two main reasons to continue to use the Microsoft packages:<\/p>\n<ul>\n<li>You specifically want .NET builds from Microsoft, not any other vendor.<\/li>\n<li>The Microsoft packages target later .NET SDK feature bands (like <code>6.0.4xx<\/code>) while source-build tracks <code>6.0.1xx<\/code>. That\u2019s more relevant for Windows users, but might be important for some Linux users.<\/li>\n<\/ul>\n<p>The new packages are available for .NET 6+ and Ubuntu 22.04+. Previous .NET and Ubuntu versions are not supported (with the new packages). You must use the existing <code>packages.microsoft.com<\/code> feed to use .NET on earlier Ubuntu versions. Separately, earlier .NET versions are not supported on Ubuntu 22.04 because they do not support OpenSSL v3.<\/p>\n<h2 id=\"whats-next\">What\u2019s Next?<\/h2>\n<p>We have identified a number of <a href=\"https:\/\/github.com\/dotnet\/source-build\/issues\/2911\">opportunities to make it easier for Canonical to consume .NET source<\/a>. We\u2019re going to focus on those in the immediate term. These improvements will also benefit other users who build and distribute .NET from source.<\/p>\n<p>We recently set up a distro-maintainer group for .NET. Canonical is a member of that group. We have already started discussing <a href=\"https:\/\/github.com\/dotnet\/source-build\/issues\/2911\">potential source-build improvements<\/a> within that forum. Other distros (that build .NET from source) are welcome to join. Contact dotnet@microsoft.com for more information.<\/p>\n<p>Canonical is starting out with support for x64 and will quickly add .NET packages for Arm64. 
It\u2019s an exciting time in the industry with multiple mainline chip architectures to support. Ubuntu and .NET both have a long history of supporting multiple architectures.<\/p>\n<h2 id=\"closing\">Closing<\/h2>\n<p>.NET has been open source for just over 5 years now. A partnership with Canonical felt out of grasp during the early days of our project on GitHub. We\u2019ve learned a lot about how to structure an OSS project so that it is a candidate for inclusion in a Linux distro. This is thanks to our <a href=\"https:\/\/docs.microsoft.com\/dotnet\/core\/install\/linux#official-package-archives\">other partners<\/a> who have taught us a lot, particularly <a href=\"https:\/\/packages.fedoraproject.org\/search?query=dotnet\">Fedora<\/a> and <a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/net\/6.0\">Red Hat<\/a>. Looking back, it is easy to see that open source, trust, and industry relationships are even more important now than they were when we started. We\u2019re excited and honored to be working with Canonical.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Richard Lander August 16th, 2022 .NET 6 is now included in Ubuntu 22.04 (Jammy) and can be installed with just apt install dotnet6. This change is a major improvement and simplification for Ubuntu users. We\u2019re also releasing .NET with Chiseled Ubuntu Containers, a new small and secure container offering from Canonical. 
These improvements are [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":127292,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[543,50],"class_list":["post-127291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-news","tag-developer-tools","tag-recent-news"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/127291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=127291"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/127291\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/127292"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=127291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=127291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=127291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}