Consider switching default port for ASP.NET Core to `8080` or `5000`

[richlander]

Currently, the default port for our images is port 80: https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/6.0/jammy/amd64/Dockerfile#L19

It isn't possible for non-root images to bind to port 80 or 443: containerd/containerd#2516. We should consider using only non-root ports so that it is easy to use our assets for both root and non-root scenarios.

There are a few things to consider:

• Folks will need to update script and manifests that do port mapping. As a result, it's an upgrade-time breaking change.
• Folks can straightforwardly opt-out by re-setting the ENV to what it is today in their layer.
• This change would bifurcate our runtime-deps Dockerfiles.
• 8080 might not be the best port to choose. 5000 might be a much better idea since that's the default port for dev.

Is it worth it? I think so. The motivation is embracing non-root as a key scenario.

I'm thinking that this change is a bit late for .NET 7. It's probably best left until .NET 8 Preview 1.

Related: dotnet/designs#271

[richlander]

@bradygaster @davidfowl @LadyNaggaga @glennc

[davidfowl]

How do other frameworks handle this? What do they recommended? Maybe we should just not set the port.

[richlander]

I just played with node.js in docker. It doesn't have this problem. I think it is because ASP.NET Core is being too fancy. AFAICT, it's security first posture is taking us down a bad path.

Today's behavior:

rich@kamloops:~$ docker run --rm -it -p 8000:80 mcr.microsoft.com/dotnet/samples:aspnetapp
      Now listening on: http://[::]:80

Don't set the ASPNETCORE_URLS ENV:

rich@MacBook-Air-2 ~ % docker run --rm -it -e ASPNETCORE_URLS= -p 5000:5000 mcr.microsoft.com/dotnet/samples:aspnetapp
      Now listening on: http://localhost:5000

I cannot access that port from outside of the container because that's a private loopback port.

I can outsmart that. I'll set the ENV but to 5000:

rich@MacBook-Air-2 ~ % docker run --rm -it -e ASPNETCORE_URLS=http://+:5000 -p 5000:5000 mcr.microsoft.com/dotnet/samples:aspnetapp
      Now listening on: http://[::]:5000

That works (obviously).

AFAICT, node.js is doing the same thing (not loopback) as this example but on port 3000. I'm far from a node.js expert. I followed this VS code tutorial -- https://code.visualstudio.com/docs/containers/quickstart-node -- and it worked perfectly w/o me needing to reason about the port.

rich@MacBook-Air-2 nod % docker run --rm -d -p 3000:3000 nodetest
d85b88fb88d613f8abaf68a12cfb875449db3df2a1c4a284c7bc15e31cce90e1
rich@MacBook-Air-2 nod % curl http://localhost:3000
<!DOCTYPE html><html><head><title>Express</title><link rel="stylesheet" href="/stylesheets/style.css"></head><body><h1>Express</h1><p>Welcome to Express</p></body></html>%  

I don't see any special ENVs in my Dockerfile or in the base image: https://hub.docker.com/_/node/. AFAICT, node.js does the right thing out of the box.

We made three distinct choices here that led to this poor outcome:

• Choose loopback as the default experience
• Make it complicated to say "upgrade from loopback to machine hosting on the default port".
• Choose port 80 as the default Docker experience

The first one may well have been the right choice. The second two are objectively problematic. Personally, it took me ages to figure out the ASPNETCORE_URLS ENV. It is objectively overly complicated for something that everyone needs to deal with.

Now that I think of it, we should create a new boolean ENV called something like ASPNETCORE_EXPOSE_PORT or ASPNETCORE_LOOPBACK. In addition, we could apply more logic into DOTNET_RUNNING_IN_CONTAINER to also mean this.

The whole thing again, in compressed form:

rich@MacBook-Air-2 ~ % docker run --rm --name aspnetapp -d -p 8000:80 mcr.microsoft.com/dotnet/samples:aspnetapp 
ad04c7a80793f0c577c42c86bf3eac926125b10208bb7f184e20e87b6193fb40
rich@MacBook-Air-2 ~ % curl http://localhost:8000/Environment
{"runtimeVersion":".NET 6.0.6","osVersion":"Linux 5.10.104-linuxkit #1 SMP PREEMPT Thu Mar 17 17:05:54 UTC 2022","osArchitecture":"Arm64","processorCount":4,"totalAvailableMemoryBytes":4108652544,"memoryLimit":0,"memoryUsage":0}%           rich@MacBook-Air-2 ~ % docker kill aspnetapp                 
aspnetapp
rich@MacBook-Air-2 ~ % docker run --rm --name aspnetapp -d -e ASPNETCORE_URLS= -p 8000:80 mcr.microsoft.com/dotnet/samples:aspnetapp

d5c24528f7b8c5e958ddc280a7e44db9c42cf72942288ad261787463c73af099
rich@MacBook-Air-2 ~ % curl http://localhost:8000/Environment
curl: (52) Empty reply from server
rich@MacBook-Air-2 ~ % docker kill aspnetapp
aspnetapp
rich@MacBook-Air-2 ~ % docker run --rm --name aspnetapp -d -e ASPNETCORE_URLS= -p 8000:5000 mcr.microsoft.com/dotnet/samples:aspnetapp

0e6b23bfc2919f7cad770566828c3cffcd504610cb6ed61e34876c06f6f52bc7
rich@MacBook-Air-2 ~ % curl http://localhost:8000/Environment   
curl: (52) Empty reply from server
rich@MacBook-Air-2 ~ % docker kill aspnetapp
aspnetapp
rich@MacBook-Air-2 ~ % docker run --rm --name aspnetapp -d -e ASPNETCORE_URLS=http://+:5000 -p 8000:5000 mcr.microsoft.com/dotnet/samples:aspnetapp
651374707de7889677f37fc7559d9f1afac03d89e986676f2b12a2c58c500a4c
rich@MacBook-Air-2 ~ % curl http://localhost:8000/Environment
{"runtimeVersion":".NET 6.0.6","osVersion":"Linux 5.10.104-linuxkit #1 SMP PREEMPT Thu Mar 17 17:05:54 UTC 2022","osArchitecture":"Arm64","processorCount":4,"totalAvailableMemoryBytes":4108652544,"memoryLimit":0,"memoryUsage":0}%           rich@MacBook-Air-2 ~ % docker kill aspnetapp
aspnetapp
rich@MacBook-Air-2 ~ % 

[davidfowl]

I thought the ASP.NET Core image set ASPNETCORE_URLS not runtime-deps, why is that?

ASPNETCORE_URLS is pretty nice to have out of the box as you can configure the scheme, listen address and port in a single url scheme without code changes. The other approach is putting it in code and knowing what the container's defaults are, this is what I've seen other frameworks lean towards.

I not against changing the default port in the container though from 80 to 5000 or something similar.

Is it worth it? I think so. The motivation is embracing non-root as a key scenario.

I don't have a good read, have we seen feedback pushing this scenario?

[richlander]

We set the ENV in the lowest layer due to self-contained apps and request for SDK scenarios.

I think you are missing my point. The whole need for this ENV is unnecessary complexity. It should be an advanced scenario, not required to get ASP.NET Core to work.

No call for this scenario yet because we have been pushing back on non-root to this point. We are now going to embrace it. I am looking at it for the first time and this is the first thing I noticed and now realize the ASP.NET Core has a design flaw that I am now seeing in a new light. I have always found this part of kestrel confusing and now I understand why.

This whole design point is informed by the (severe) mistake of IIS exposing port 80 to the network by default going back two decades. I think node has the right model and ASP.NET score is overcorrecting resulting in a bad trade off.

[davidfowl]

No call for this scenario yet because we have been pushing back on non-root to this point. We are now going to embrace it. I am looking at it for the first time and this is the first thing I noticed and now realize the ASP.NET Core has a design flaw that I am now seeing in a new light. I have always going this part of kestrel confusing and now I understand why.

The fix is simple right? Set ASPNETCORE_URLS, or hard code the listen urls in your application to listen on 0.0.0.0 (or + or *).

I think you are missing my point. The whole need for this ENV is unnecessary complexity. It should be an advanced scenario, not required to get ASP.NET Core to work.

I don't agree. Like I said the alternative is code in the application.

[richlander]

So why is the ASP.NET Core design point better than what node is doing? That is super unclear to me. The node approach seems objectively better.

The thing you propose seems super odd to me. What are people supposed to interpret that as meaning? It is so cryptic.

The other thing I realized is that the ENV we set is only for raw/bare http. That seems like another oddity. Why do we make folks do extra work to host with TLS? I assume node had a nicer story here, too.

[richlander]

Plenty of hits on this topic at StackOverflow: https://stackoverflow.com/search?q=ASPNETCORE_URLS

No one using node needs to ask this question.