.NET 8 Preview 7: Breaking Changes for Alpine

.NET

.NET removes from Alpine Images the “krb5-libs” and “ca-certificates” packages

What exactly are krb5-libs?

Providing support for Kerberos secure networking is the "krb5-libs" package. Kerberos is a protocol that can be used on a network to authenticate users and services.

Why is this significant? If this package is removed, the .NET Alpine container images will not come pre-configured with the ability to use Kerberos secure networking.

Influence on the images of others: Kerberos is pre-installed on the images that come with popular Linux distributions like Debian and Ubuntu by default. Because of this, the removal of "krb5-libs" will not have any effect on .NET container images that are built on Debian or Ubuntu.

What exactly are ca-certificates?

The "ca-certificates" package includes the Certificate Authority (CA) certificates to validate encrypted web services’ legitimacy.

The following motivations behind this shift: A distinct package known as "ca-certificates-bundle" is already included in the Alpine base image, which serves as the foundation upon which the.NET Alpine container image is produced. The "ca-certificates" objective is fulfilled by this bundle, which consists of the essential CA certificate material.

Impact: Because the "ca-certificates-bundle" provides a comparable set of CA certificates, it is predicted that removing the "ca-certificates" package will not impact the majority of .NET applications. It is because the "ca-certificates" package has comparable certificates. It is anticipated that very few .NET applications, if any, will experience difficulties due to this change.

What exactly are these Alpine images?

Alpine images are a type of simple Docker image that is based on Alpine Linux. It is a Linux variant built around the musl libc and BusyBox. This BusyBox-based image is only 5 megabytes, but it provides access to a package repository that is significantly more comprehensive than those provided by competing BusyBox-based images. The image base that Alpine Linux provides for utilities and production applications is excellent. Additionally, because of its compact footprint, container startup times are cut down, and underlying system resources are utilized effectively. When optimizing for size, performance, and simplicity, many developers choose to use images based on Alpine because of the security-oriented nature of Alpine and the straightforward package management with apk. However, while thinking about Alpine, it is essential to maintain compatibility, as Alpine’s libc implementation may be different from the usual GNU libc that is typically used in other Linux distributions.

The Drive Behind This Change

The primary motivation for making the adjustments was to reduce the overall file size of the .NET 8 Alpine images. Several packages must be deleted to reach the desired result of a lower image size.

krb5-libs

This package is associated with the Kerberos protocol for secure networking.

It was determined that the Kerberos secure networking scenario is not utilized frequently enough to warrant its inclusion by default, which led to the decision to remove it from the default settings.

It was determined that removing this package would result in a size reduction of roughly 2.7 megabytes for the.NET 8 Alpine image.

ca-certificates

The "ca-certificates" package was removed, which lowered the.NET 8 Alpine image size even further by around 0.6 megabytes.

By removing these packages, we hope to give users an image that is less cumbersome and more streamlined, especially for those users who may not require these functionalities.

How can I put it back in place?

You can utilize the package manager of the Linux distribution on which the container is based to reinstall the ‘ca-certificates’ and ‘krb5-libs’ packages in a container. For instance, if the container is based on an Alpine Linux image, you can install the packages by using the ‘apk’ command:

apk add ca-certificates krb5-libs

If the container is based on an image of Debian or Ubuntu, you can install the packages by using the ‘apt-get’ command:

apt-get update
apt-get install ca-certificates krb5-user

Conclusion

The "krb5-libs" and "ca-certificates" packages are no longer included in .NET Alpine container images and have been removed.

Making changes to container images requires caution due to potential security risks and increased size. Understand the needs of applications within the container and maintain security. Test and verify functionalities when reinstalling packages. When using custom images, be prepared for ongoing maintenance and updates.

If you diverge from the official images provided by the .NET team, be prepared to manage and update your custom images as needed.