Use online checksums for Linux .NET images (#6508)

Author: lbussell

eng/dockerfile-templates/Dockerfile.linux.download-appliance

@@ -0,0 +1,28 @@
+{{
+    _ Download, verify, extract, and clean up an "appliance" product
+
+    ARGS:
+        product         : Product name, e.g. "yarp", "aspire-dashboard", etc.
+        productVersion  : Version of the product that will be downloaded
+        download-url    : URL to download the product from
+        sha             : SHA512 checksum of the product archive
+        file-name       : Name of the file to download, e.g. "yarp.zip"
+        extract-to      : Directory where the product will be extracted to
+
+}}{{InsertTemplate("Dockerfile.linux.download-files", [
+    "files": [
+        ["url": ARGS["download-url"], "out-file": ARGS["file-name"]]
+    ]
+])}} \
+&& {{InsertTemplate("Dockerfile.linux.validate-checksum", [
+    "file": ARGS["file-name"],
+    "sha-function": "512",
+    "sha": ARGS["sha"],
+    "sha-var-name": cat(ARGS["product"], "_sha512")
+])}} \
+&& mkdir --parents {{ARGS["extract-to"]}} \
+&& {{InsertTemplate("Dockerfile.linux.extract-file", [
+    "file": ARGS["file-name"],
+    "dest-dir": ARGS["extract-to"]
+])}} \
+&& rm {{ARGS["file-name"]}}

eng/dockerfile-templates/Dockerfile.linux.download-dotnet

@@ -1,59 +1,103 @@
 {{
     _ ARGS:
-        download-url    : URL to download .NET from
+        product         : Product name, e.g. "dotnet", "aspnet", "sdk"
         extract-to      : Directory where .NET will be extracted
-        extract-paths   : (optional) Paths within the tarball to extract
-        out-file        : (optional) Name of the output file
+        extract-paths   : (optional) Paths within the .NET tarball to extract
+        ^
 
-        The following arguments groups are mutually exclusive:
+    set product to ARGS["product"] ^
 
-        sha                  : (optional) The checksum of the downloaded file
+    set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
+    set platform to when(isAlpine, "linux-musl", "linux") ^
 
-        sha-url              : (optional) URL to download checksum file
-        sha-url-is-aggregate : (optional) True if the checksum file contains more than one checksum,
-                               but we only want to validate the checksum of the file we downloaded
-        ^
+    set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
+    set productVersion to VARIABLES[cat("dotnet|", dotnetVersion, "|product-version")] ^
+    set buildVersion to VARIABLES[cat(product, "|", dotnetVersion, "|build-version")] ^
+
+    set baseUrl to VARIABLES[cat("dotnet|", dotnetVersion, "|base-url|", VARIABLES["branch"])] ^
+    set checksumsBaseUrl to VARIABLES[cat("dotnet|", dotnetVersion, "|base-url|checksums|", VARIABLES["branch"])] ^
+    set isInternal to find(baseUrl, "dotnetstage") >= 0 ^
+
+    if (product = "runtime"):{{
+        set downloadPath to cat("/Runtime/", buildVersion, "/dotnet-runtime-", buildVersion, "-", platform, "-", ARCH_SHORT, ".tar.gz")
+    }}^elif (product = "aspnet"):{{
+        set downloadPath to cat("/aspnetcore/Runtime/", buildVersion, "/aspnetcore-runtime-", buildVersion, "-", platform, "-", ARCH_SHORT, ".tar.gz")
+    }}^elif (product = "aspnet-composite"):{{
+        set downloadPath to cat("/aspnetcore/Runtime/", buildVersion, "/aspnetcore-runtime-composite-", buildVersion, "-", platform, "-", ARCH_SHORT, ".tar.gz")
+    }}^elif (product = "sdk"):{{
+        set downloadPath to cat("/Sdk/", buildVersion, "/dotnet-sdk-", buildVersion, "-", platform, "-", ARCH_SHORT, ".tar.gz")
+    }}^
+    set downloadUrl to cat(baseUrl, downloadPath) ^
+
+    set versionVariable to
+        when(product = "aspnet" || product = "aspnet-composite",
+            "aspnetcore_version",
+        when(product = "sdk",
+            "dotnet_sdk_version",
+            "dotnet_version")) ^
+    set versionVariableRef to cat("$", versionVariable) ^
+    set versionVariableValue to buildVersion ^
 
     set shaFunction to "512" ^
-    set urlParts to split(ARGS["download-url"], "/") ^
-    set fileName to
-        when(ARGS["out-file"],
-            ARGS["out-file"],
-            urlParts[len(urlParts) - 1]) ^
+    set urlParts to split(downloadUrl, "/") ^
+    set fileName to urlParts[len(urlParts) - 1] ^
 
     set fileNameParts to split(fileName, ".") ^
     set fileExtension to fileNameParts[len(fileNameParts) - 1] ^
 
-    set shaUrlParts to split(ARGS["sha-url"], "/") ^
+    _ For now the aggregate and bare checksum files are mutually exclusive, but
+      in the future we expect .NET 10 to have non-aggregate, non-bare checksum
+      files before the other .NET versions, so it's necessary to have a
+      separate condition for bare checksum files. ^
+    _ Aggregate checksum files are also not available for internal builds. ^
+    set shaUrlIsAggregate to (!isInternal && (dotnetVersion = "8.0" || dotnetVersion = "9.0")) ^
+    set shaUrlIsBare to (isInternal || dotnetVersion = "10.0") ^
+
+    set shaUrlPath to when(shaUrlIsAggregate,
+        VARIABLES[cat("dotnet|", dotnetVersion, "|aggregate-checksums")],
+        cat(downloadPath, ".sha512")) ^
+    set shaUrl to cat(checksumsBaseUrl, shaUrlPath) ^
+
+    set shaUrlParts to split(shaUrl, "/") ^
     set shaFileName to shaUrlParts[len(shaUrlParts) - 1] ^
 
-    set filesToDownload to
-        when(ARGS["sha-url"],
-            [
-                ["url": ARGS["download-url"]],
-                ["url": ARGS["sha-url"]]
-            ],
-            [
-                ["url": ARGS["download-url"], "out-file": ARGS["out-file"]]
-            ]
-        )
-
-}}{{
-    InsertTemplate("Dockerfile.linux.download-files", [
-        "files": filesToDownload
-    ])
-}}{{
-if (ARGS["sha"] || ARGS["sha-url"]): \
-&& {{
-    InsertTemplate("Dockerfile.linux.validate-checksum", [
-        "file": fileName,
-        "sha-function": shaFunction,
-        "sha": ARGS["sha"],
-        "sha-var-name": ARGS["sha-var-name"],
-        "sha-file": shaFileName,
-        "sha-file-is-aggregate": ARGS["sha-url-is-aggregate"]
-    ])
-}}}}{{
+    _ Replace occurrences of versions with references to the version variable ^
+    set downloadUrl to replace(downloadUrl, versionVariableValue, versionVariableRef) ^
+    set shaUrl to replace(shaUrl, versionVariableValue, versionVariableRef) ^
+    set shaFileName to replace(shaFileName, versionVariableValue, versionVariableRef) ^
+    set fileName to replace(fileName, versionVariableValue, versionVariableRef) ^
+
+    _ The .NET SDK has two versions associated with it - SDK version and Runtime version.
+      Aggregate checksum files are associated with the .NET runtime version, so if we're
+      installing the SDK we need to have a separate variable for the runtime version. ^
+    if (product = "sdk" && shaUrlIsAggregate):{{
+        set runtimeVersionVariable to "dotnet_version" ^
+        set runtimeVersionVariableRef to cat("$", runtimeVersionVariable) ^
+        set runtimeVersionVariableValue to VARIABLES[cat("runtime|", dotnetVersion, "|build-version")] ^
+
+        set downloadUrl to replace(downloadUrl, runtimeVersionVariableValue, runtimeVersionVariableRef) ^
+        set shaUrl to replace(shaUrl, runtimeVersionVariableValue, runtimeVersionVariableRef) ^
+        set shaFileName to replace(shaFileName, runtimeVersionVariableValue, runtimeVersionVariableRef) ^
+        set fileName to replace(fileName, runtimeVersionVariableValue, runtimeVersionVariableRef)
+    }}^
+
+    set filesToDownload to [
+        ["url": downloadUrl],
+        ["url": shaUrl]
+    ]
+
+}}{{versionVariable}}={{versionVariableValue}}{{if product = "sdk" && shaUrlIsAggregate: \
+&& {{runtimeVersionVariable}}={{runtimeVersionVariableValue}}}} \
+&& {{InsertTemplate("Dockerfile.linux.download-files", [
+    "files": filesToDownload
+])}} \
+&& {{InsertTemplate("Dockerfile.linux.validate-checksum", [
+    "file": fileName,
+    "sha-function": shaFunction,
+    "sha-file": shaFileName,
+    "sha-file-is-bare": shaUrlIsBare,
+    "sha-file-is-aggregate": shaUrlIsAggregate
+])}}{{
 if ARGS["extract-to"]: \
 && mkdir --parents {{ARGS["extract-to"]}} \
 && {{
@@ -62,10 +106,7 @@ if ARGS["extract-to"]: \
         "dest-dir": ARGS["extract-to"],
         "extract-paths": ARGS["extract-paths"]
     ])
-}}}}{{
-if (ARGS["sha-url"]): \
+}}}} \
 && rm \
     {{fileName}} \
-    {{shaFileName}}^
-else: \
-&& rm {{fileName}}}}
+    {{shaFileName}}

eng/dockerfile-templates/Dockerfile.linux.validate-checksum

@@ -17,28 +17,35 @@
                                 line with the expected checksum and the file name to validate,
                                 separated by one or two spaces. See `man cksum` or `man sha512sum` for
                                 details.
-
-        sha-file-is-aggregate : File containing a list of checksums. The file may contain one or more
-                                lines with expected checksums and file names separated by one or two
-                                spaces. One line must have a filename matching the file you wish to
-                                validate. See `man cksum` or `man sha512sum` for details.
+        sha-file-is-bare      : Whether the checksum file does not contain the file name.
+        sha-file-is-aggregate : Whether the checksum file contains more than one checksum. The file
+                                should contain one or more lines with expected checksums and file
+                                names separated by one or two spaces. One line must have a filename
+                                matching the file you wish to validate. See `man cksum` or
+                                `man sha512sum` for details.
         ^
 
     set isAlpine to find(OS_VERSION, "alpine") >= 0 ^
 
-    set shaValue to when(ARGS["sha-var-name"],
-        cat("$", ARGS["sha-var-name"]),
-        ARGS["sha"])
+    set shaValue to
+        when(ARGS["sha-file"] && ARGS["sha-file-is-bare"],
+            cat("$(cat ", ARGS["sha-file"],")"),
+        when(ARGS["sha-var-name"],
+            cat("$", ARGS["sha-var-name"]),
+            ARGS["sha"]))
 
 }}{{
-if ARGS["sha"]:{{
+if (ARGS["sha"] || (ARGS["sha-file"] && ARGS["sha-file-is-bare"])):{{
 if ARGS["sha-var-name"]:{{ARGS["sha-var-name"]}}='{{ARGS["sha"]}}' \
 && }}echo "{{shaValue}}  {{ARGS["file"]}}" | sha{{ARGS["sha-function"]}}sum -c -^
 elif (ARGS["file"]):{{
     if (ARGS["sha-file-is-aggregate"]):{{
+        _ As a temporary workaround, these commands need to normalize line endings in the checksum files.
+          Remove the `sed` and `gsub` calls when https://github.com/dotnet/core/issues/9958 is fixed. ^
         if (isAlpine)
             :awk -v file="{{ARGS["file"]}}" '{gsub(/\r/, "")} $2 == file' {{ARGS["sha-file"]}} | sha{{ARGS["sha-function"]}}sum -c^
         else
-            :sha{{ARGS["sha-function"]}}sum -c {{ARGS["sha-file"]}} --ignore-missing}}^
+            :sed -i 's/\r$//' {{ARGS["sha-file"]}} \
+&& sha{{ARGS["sha-function"]}}sum -c {{ARGS["sha-file"]}} --ignore-missing}}^
     else
         :sha{{ARGS["sha-function"]}}sum -c {{ARGS["sha-file"]}}}}}}

eng/dockerfile-templates/aspire-dashboard/Dockerfile.linux

@@ -23,6 +23,8 @@
     set aspireBaseUrl to cat(VARIABLES[cat("aspire-dashboard|", aspireMajorMinor, "|base-url|", VARIABLES["branch"])], "/aspire/", versionFolder, "/") ^
 
     set downloadUrl to cat(aspireBaseUrl, "aspire-dashboard-linux-", ARCH_SHORT, ".zip") ^
+    set outFile to "aspire_dashboard.zip" ^
+    set appDir to "/app" ^
     set sha to VARIABLES[join(["aspire-dashboard", aspireMajorMinor, "linux", ARCH_SHORT, "sha"], "|")]
 
 }}ARG REPO=mcr.microsoft.com/dotnet/aspnet
@@ -35,21 +37,22 @@ ARG ACCESSTOKEN}}
 }}
 # Retrieve Aspire Dashboard
 RUN dotnet_aspire_version={{aspireVersion}} \
-    && {{InsertTemplate("../Dockerfile.linux.download-dotnet", [
+    && {{InsertTemplate("../Dockerfile.linux.download-appliance", [
+        "product": "aspire_dashboard",
+        "productVersion": aspireVersion,
         "download-url": downloadUrl,
-        "out-file": "aspire_dashboard.zip",
-        "extract-to": "/app",
-        "sha-var-name": "aspire_dashboard_sha512",
-        "sha": sha
+        "sha": sha,
+        "file-name": outFile,
+        "extract-to": appDir
     ], "    ")}}
 
 
 # Aspire Dashboard image
 FROM {{aspnetBaseTag}}
 
-WORKDIR /app
-COPY --from=installer /app .
+WORKDIR {{appDir}}
+COPY --from=installer {{appDir}} .
 
 {{InsertTemplate("Dockerfile.envs")}}
 
-ENTRYPOINT [ "dotnet", "/app/Aspire.Dashboard.dll" ]
+ENTRYPOINT [ "dotnet", "{{appDir}}/Aspire.Dashboard.dll" ]

eng/dockerfile-templates/aspnet/Dockerfile.linux

@@ -51,7 +51,11 @@ RUN {{InsertTemplate("../Dockerfile.linux.install-pkgs",
     ])}}
 }}
 # Retrieve ASP.NET Core
-{{InsertTemplate("Dockerfile.linux.install-aspnet")}}
+RUN {{InsertTemplate("../Dockerfile.linux.download-dotnet", [
+    "product": "aspnet",
+    "extract-to": "/dotnet",
+    "extract-paths": ["./shared/Microsoft.AspNetCore.App"],
+], "    ")}}
 
 
 # ASP.NET Core image

eng/dockerfile-templates/aspnet/Dockerfile.linux-composite

@@ -42,7 +42,10 @@ RUN {{InsertTemplate("../Dockerfile.linux.install-pkgs",
     ])}}
 }}
 # Retrieve ASP.NET Composite Runtime
-{{InsertTemplate("../runtime/Dockerfile.linux.install-runtime", [ "is-composite-runtime": "true", ])}}
+RUN {{InsertTemplate("../Dockerfile.linux.download-dotnet", [
+    "product": "aspnet-composite",
+    "extract-to": when(isDistroless, "/usr/share/dotnet", "/dotnet")
+], "    ")}}
 {{ if isDistroless:
 RUN mkdir /dotnet-symlink \
     && ln -s /usr/share/dotnet/dotnet /dotnet-symlink/dotnet

eng/dockerfile-templates/aspnet/Dockerfile.linux.install-aspnet

@@ -7,10 +7,10 @@
     set monitorBaseUrl to cat(VARIABLES[cat("monitor|", monitorMajorMinor, "|base-url|", VARIABLES["branch"])], "/diagnostics/monitor/", versionFolder, "/")
 
 }}RUN dotnet_monitor_version={{monitorVersion}} \
-    && {{InsertTemplate("../Dockerfile.linux.download-dotnet", [
+    && {{InsertTemplate("../Dockerfile.linux.download-appliance", [
+        "product": "dotnet_monitor_base",
         "download-url": cat(monitorBaseUrl, "dotnet-monitor-base-$dotnet_monitor_version-linux-", ARCH_SHORT, ".tar.gz"),
-        "out-file": "dotnet-monitor-base.tar.gz",
-        "extract-to": "/app",
-        "sha-var-name": "dotnet_monitor_base_sha512",
-        "sha": VARIABLES[join(["monitor-base", monitorMajorMinor, "linux", ARCH_SHORT, "sha"], "|")]
+        "file-name": "dotnet-monitor-base.tar.gz",
+        "extract-to": "/app"
+        "sha": VARIABLES[join(["monitor-base", monitorMajorMinor, "linux", ARCH_SHORT, "sha"], "|")],
     ], "    ")}}

eng/dockerfile-templates/monitor-base/Dockerfile.linux.install-monitor-base

@@ -1,12 +1,14 @@
 {{
     _ ARGS:
-        is-internal (optional): Whether the Dockerfile is targeting an internal build of the product ^
+        is-internal (optional): Whether the Dockerfile is targeting an internal build of the product
+        is-standalone (optional): Whether the ENV instruction should be included ^
 
     set dotnetVersion to join(slice(split(PRODUCT_VERSION, "."), 0, 2), ".") ^
     set isStableBranding to (find(VARIABLES[cat("sdk|", dotnetVersion, "|build-version")], "-servicing") >= 0 ||
         find(VARIABLES[cat("sdk|", dotnetVersion, "|build-version")], "-rtm") >= 0) ^
     set runtimeVersion to when(isStableBranding && ARGS["is-internal"],
         VARIABLES[cat("dotnet|", dotnetVersion, "|product-version")],
         VARIABLES[cat("runtime|", dotnetVersion, "|build-version")])
+
 }}# .NET Runtime version
-{{if INDENT ="":ENV }}DOTNET_VERSION={{runtimeVersion}}
+{{if ARGS["is-standalone"]:ENV }}DOTNET_VERSION={{runtimeVersion}}

eng/dockerfile-templates/runtime/Dockerfile.envs

@@ -51,7 +51,10 @@ RUN {{InsertTemplate("../Dockerfile.linux.install-pkgs",
     ])}}
 }}
 # Retrieve .NET Runtime
-{{InsertTemplate("Dockerfile.linux.install-runtime")}}{{
+RUN {{InsertTemplate("../Dockerfile.linux.download-dotnet", [
+    "product": "runtime",
+    "extract-to": when(isDistroless, "/usr/share/dotnet", "/dotnet")
+], "    ")}}{{
 if isDistroless:
 
 RUN mkdir /dotnet-symlink \
@@ -61,7 +64,10 @@ RUN mkdir /dotnet-symlink \
 # .NET runtime image
 FROM {{runtimeDepsBaseTag}}
 
-{{InsertTemplate("Dockerfile.envs", ["is-internal": isInternal])}}
+{{InsertTemplate("Dockerfile.envs", [
+    "is-internal": isInternal,
+    "is-standalone": "true"
+])}}
 {{ if isDistroless:
 COPY --from=installer ["/usr/share/dotnet", "/usr/share/dotnet"]
 COPY --from=installer ["/dotnet-symlink", "/usr/bin"]