5

I have a file named Dockerfile-dev with this content:

#See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.

FROM mcr.microsoft.com/dotnet/core/sdk:3.1.102 AS build-env
WORKDIR /app

COPY . ./
RUN export DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0
# RUN dotnet restore
RUN dotnet publish -c Release -o out

# Build runtime image
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1.2
WORKDIR /app
COPY --from=build-env /app/out .

ENTRYPOINT ["dotnet", "AspNetCore.dll"]

Running docker build -f Dockerfile-dev . fails on the dotnet publish command:

Step 5/9 : RUN dotnet publish -c Release -o out
 ---> Running in c20e3f3e8110
Microsoft (R) Build Engine version 16.4.0+e901037fe for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.

/usr/share/dotnet/sdk/3.1.102/NuGet.targets(123,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [/app/AspNetCore.sln]
/usr/share/dotnet/sdk/3.1.102/NuGet.targets(123,5): error :   The SSL connection could not be established, see inner exception. [/app/AspNetCore.sln]
/usr/share/dotnet/sdk/3.1.102/NuGet.targets(123,5): error :   The remote certificate is invalid according to the validation procedure. [/app/AspNetCore.sln]
The command '/bin/sh -c dotnet publish -c Release -o out' returned a non-zero code: 1

However, when I directly run dotnet publish -c Release -o out from the git bash terminal, that completes successfully. What could be causing this - is there any additional command I need to include in the Dockerfile to address permissions?

Here's the output from running docker info if it helps reveal anything:

Client:
 Debug Mode: false

Server:
 Containers: 7
  Running: 0
  Paused: 0
  Stopped: 7
 Images: 35
 Server Version: 19.03.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.19.76-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.945GiB
 Name: docker-desktop
 ID: YSLA:6VCF:UOAI:D5AI:QWRE:XE55:IHAU:347O:VOOL:ISH6:WO3G:UEZH
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 40
  Goroutines: 52
  System Time: 2020-08-12T01:31:50.272361169Z
  EventsListeners: 3
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine
Pat Needham
  • 5,698
  • 7
  • 43
  • 63
  • Have you looked at https://stackoverflow.com/questions/41185443/nuget-connection-attempt-failed-unable-to-load-the-service-index-for-source? It could be a proxy issue or SSL problem – Ben W Aug 12 '20 at 22:52
  • I've seen that post, yes, but it was for an unrelated issue. I thought this might have been due to being on a VPN, but even when not on it, this "command works on terminal, not via Docker" issue persists – Pat Needham Aug 13 '20 at 02:47

2 Answers2

1

I don't know what the issue is, but I might be able to help you solve it.

Here's the steps I would go through.

  1. Comment out everything in your Dockerfile from RUN dotnet publish... onwards.
  2. Build the image docker run build -t temp .
  3. Run the container in interactive mode docker run -it temp /bin/bash. You're now in the container and can test your commands in real time.
  4. Run dotnet publish -c Release -o out in the container. What happens? As someone else mentioned it could be proxy related. Try setting the http_proxy and https_proxy environment variables e.g. export http_proxy=http://example.role:1234. What happens if you run dotnet publish -c Release -o out after setting the proxy environment variables?
  5. If the above doesn't work, at least you're in a container terminal where the command is failing, so you can experiment a bit...

If it is a proxy issue, you can add the following to your Dockerfile:

ARG HTTP_PROXY
ENV http_proxy $HTTP_PROXY
ENV https_proxy $HTTP_PROXY
ENV no_proxy localhost,127.0.0.1

and then when you build your container pass --build-arg HTTP_PROXY=http://example.role:1234.

Dharman
  • 30,962
  • 25
  • 85
  • 135
Ryan.Bartsch
  • 3,698
  • 1
  • 26
  • 52
0

This could be related to docker/for-win issue 4858 which mentions:

I used wrong certificate. The certificate to be used is the certificate authority certificate (root certificate) but I used the certificate issued to the system.
I generated the root certificate from the chain and imported to container.

Resolution: The ca certificate is named as ca-cert.crt. Added the following lines the Dockerfile.

COPY ca-cert.crt /usr/local/share/ca-certificates/ca-cert.crt 
RUN chmod 644 /usr/local/share/ca-certificates/ca-cert.crt && update-ca-certificates

(similar to this answer)
You can see here examples using volumes and secrets, but you might not need them in your case.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • Note: https://github.com/dotnet/runtime/issues/31514#issuecomment-656044896 illustrates another possible cause. – VonC Aug 15 '20 at 16:45
  • where can I find, or how can I make the `ca-cert.crt` file? It doesn't exist in the repository I'm using (https://github.com/dawiddworak88/ASP.NET-Core-React-and-SSR) and there are no results when searching the C drive on my laptop for `*.crt` – Pat Needham Aug 17 '20 at 13:21
  • @PatNeedham That would be the certificate associated to your aspnet server (https://learn.microsoft.com/en-us/aspnet/core/security/docker-https?view=aspnetcore-3.1#certificates) – VonC Aug 17 '20 at 13:46