TODO
- Highlight .NET 6 as obsolete. Will not delete from ACR.
- Put the chiseled dotnet images
- Update Python to 3.13
Base Images
Docker images consist of layers. To save internal HCC2 storage, use common base images where possible. These images allow common layers to be shared, and they use the preferred C library (libc implementation). Alpine base images are not recommended unless you are certain your binaries are compatible with the musl libc implementation. Google’s distroless images are ideal, and lightweight Debian 10/11/12 images such as buster-slim are acceptable.
Sensia provides a registry of verified images for use with specific HCC2 releases, listed below. Images that have 'build' in their name without also including 'prod' are intended only for the build stage of a Docker image. They include a number of build tools that expose additional unmitigated security vulnerabilities, and they should never be used as the base layer for application images in a production device.
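The naming rule above can be enforced in a build pipeline. The following check is an added example, not Sensia tooling: it finds the image that the final stage of a Dockerfile is based on, following stage aliases, and fails when that image is build-only. The function names, the sample Dockerfiles and `App.dll` are constructed for illustration.

```python
import re

# FROM [--flag=value ...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)

def final_base_image(dockerfile_text):
    """Return the registry image that the last stage is ultimately built on."""
    stages = {}  # stage alias -> resolved registry image
    last = None
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # "FROM build" may name an earlier stage; follow it to its real image.
        last = stages.get(image.lower(), image)
        if alias:
            stages[alias.lower()] = last
    return last

def is_build_only(image):
    """Rule from the text: 'build' in the name without 'prod'."""
    name = image.rsplit("/", 1)[-1].lower()  # ignore the registry host
    return "build" in name and "prod" not in name

def check(dockerfile_text):
    base = final_base_image(dockerfile_text)
    if base is None:
        return "error: no FROM instruction found"
    if is_build_only(base):
        return "fail: final stage is based on build-only image " + base
    return "ok: final stage is based on " + base

REG = "qratehcc2sdk.azurecr.io"
# Constructed sample: build stage on the SDK image, final stage on the runtime image.
GOOD = f"""FROM {REG}/dotnet-sdk:8.0-2024-04-03-build AS build
COPY . .
RUN dotnet publish -c Release -o /out
FROM {REG}/dotnet-runtime:8.0-2024-04-03-proddebug
COPY --from=build /out /app
ENTRYPOINT ["dotnet", "/app/App.dll"]
"""
# Constructed sample: the final stage reuses the build stage, so build tools ship.
BAD = f"""FROM {REG}/dotnet-sdk:8.0-2024-04-03-build AS build
RUN dotnet publish -c Release -o /out
FROM build AS final
ENTRYPOINT ["dotnet", "/out/App.dll"]
"""
if __name__ == "__main__":
    print(check(GOOD), check(BAD), sep="\n")
```

Both samples use the exec (JSON array) form of ENTRYPOINT, which works on images that have no shell.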
Info
For C# development, .NET 8 is recommended; however, the .NET 6 images are still listed for legacy support.
C# (.NET 8) Containers
Image Reference | Container Path |
---|---|
Production/Base | qratehcc2sdk.azurecr.io/dotnet-runtime:8.0-2024-04-03-proddebug |
Debug | qratehcc2sdk.azurecr.io/dotnet-runtime:8.0-2024-04-03-proddebug |
Build | qratehcc2sdk.azurecr.io/dotnet-sdk:8.0-2024-04-03-build |
C# (.NET 6) Containers
Image Reference | Container Path |
---|---|
Production/Base | qratehcc2sdk.azurecr.io/dotnet-runtime:6.0-2023-03-02-patched-proddebug |
Debug | qratehcc2sdk.azurecr.io/dotnet-runtime:6.0-2023-03-02-patched-proddebug |
Build | qratehcc2sdk.azurecr.io/dotnet-sdk:6.0-2023-03-02-build |
Python Containers
Image Reference | Container Path |
---|---|
Production/Base | qratehcc2sdk.azurecr.io/static-debian12:262ae336-distroless-py-2024-04-27-prod |
Debug | qratehcc2sdk.azurecr.io/python:3.12-slim-2024-04-19-debugbuild |
Build | qratehcc2sdk.azurecr.io/python:3.12-slim-2024-04-19-debugbuild |
Google Distroless Images
Distroless images from Google are an ideal candidate for generating a release-quality Docker container image for any chosen language. For example, the static-debian12:262ae336-distroless-py-2024-04-27-prod image above could be used to host other solutions.
Benefits
- They do not have a built-in shell, which makes them more secure.
- They contain only the basic runtimes needed for your application to run.
- Image size is only about 22MB.
- Images are available for C++, Python, Java, and Node.js.
- A debug version is available with a shell.
For HCC2 containerized applications, a Debian 10 (buster) or newer Distroless image is recommended.
Reference: GitHub, GoogleContainerTools/distroless: Language focused Docker images, minus the operating system
Disadvantages
- There is no package installer (apt). It is assumed that you are bundling an application that is not tightly coupled to services/packages on the OS.
- Without a shell, the entrypoint cannot be a script. This can be limiting in situations where startup is complex or third-party binaries are involved.
Chiseled images
Much like the Google Distroless images, "chiseled" images are supported for Microsoft's .NET environment. They have roughly the same benefits and drawbacks. Sensia encourages the use of these images whenever possible, due to the reduced size and security exposure. Sensia hosts copies of the chiseled images already in use in the HCC2. Use them whenever possible to avoid base layer duplication in the device.
Alternatives
debian:buster-slim
Image Reference | Container Path |
---|---|
Image | qratehcc2sdk.azurecr.io/debian:buster-slim-2024-04-19-debugprodbuild |
Alpine
The Alpine image is small, but has a shell (unnecessary in production) and uses musl instead of glibc, which means the language and any libraries you use need to be fully compatible with this libc interface to the OS.