In the previous article (https://lemtirisalah.com/generate-asp-net-5-webapi-docker-image-and-push-it-to-azure-container-registry-acr/), we went through the steps of generating an ASP.NET 5 Web API image and pushing it to Azure Container Registry (ACR).
In today’s tutorial, I will show you how to deploy an ASP.NET 5 Web API to an Azure Web App from ACR and run an SSH server in the container.
Before moving on to our topic, it is important to note that accessing containers in Azure App Service requires an SSH server running in the container itself. It is not a mandatory step, but it is the only way to access the Docker container remotely. However, the logs are still available in the Log Stream in the portal, or in the advanced tools (Kudu).
The port that should be opened, for security reasons, is port 2222. It is not the default port for SSH connections, but Azure enforces access to the container through authentication against Azure AD. You can find more information at this link: https://docs.microsoft.com/fr-fr/azure/app-service/configure-custom-container?pivots=container-linux#enable-ssh
So, let’s start!
1- Create SSHD Config file
As I stated before, running an SSH server in the container allows a remote SSH connection to our container for debugging, executing scripts, etc.
IMPORTANT: It is highly recommended to use port 2222 for exposing the SSH server, in order to take advantage of Azure AD authentication over port 2222.
Create an sshd_config file with the following content, and save it in the same folder where you created your Dockerfile (this is the configuration file that will be used by the SSH server in the container).
# This is ssh server systemwide configuration file.
#
# /etc/sshd_config
Port 2222
ListenAddress 0.0.0.0
LoginGraceTime 180
X11Forwarding yes
Ciphers aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha1-96
StrictModes yes
SyslogFacility DAEMON
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Subsystem sftp internal-sftp
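A check you can run on sshd_config before it is copied into the image, given that this file enables password login for root: it confirms that 2222 is the only listener and that empty passwords stay disabled. This is an added example, not part of the original article; the function names and the sample input are constructed, and it assumes whitespace-separated directives with no Match blocks, as in the file above.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes whitespace-separated "Keyword value" lines and no Match blocks,
# as in the sshd_config above.

# Print every value given for one sshd_config keyword, in file order.
# Keywords are case-insensitive; commented-out lines never match because
# their first token starts with '#'.
sshd_values() {   # usage: sshd_values <keyword> <file>
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == want { print $2 }' "$2"
}

# Print one finding per line; print nothing when the file is as expected.
audit_sshd_config() {   # usage: audit_sshd_config <file>
    ports=$(sshd_values Port "$1")
    # Port may repeat and every occurrence opens a listener.
    [ -n "$ports" ] || echo "no Port directive, sshd would listen on 22"
    for p in $ports; do
        [ "$p" = 2222 ] || echo "extra listener on port $p"
    done
    # For single-valued keywords sshd keeps the first occurrence, so a
    # later "PermitEmptyPasswords no" does not undo an earlier "yes".
    empty=$(sshd_values PermitEmptyPasswords "$1" | head -n 1)
    [ "${empty:-no}" = no ] || echo "PermitEmptyPasswords is $empty"
}

# Constructed input: the article's settings with two mistakes added.
sample_bad_config() {
    cat <<'EOF'
Port 2222
Port 22
PasswordAuthentication yes
permitemptypasswords yes
PermitEmptyPasswords no
PermitRootLogin yes
EOF
}

tmp=$(mktemp)
sample_bad_config > "$tmp"
audit_sshd_config "$tmp"
rm -f "$tmp"
```

Run against the article's own sshd_config, `audit_sshd_config` prints nothing.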
2- Update the Dockerfile
In this step, I assume you already have the ASP.NET 5 Web API project as well as the Dockerfile. If you don’t have these items yet, I recommend having a look at my previous article: https://lemtirisalah.com/generate-asp-net-5-webapi-docker-image-and-push-it-to-azure-container-registry-acr/
The final Dockerfile will look something like this:
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build-env
WORKDIR /app
EXPOSE 2222 80
# Restore
WORKDIR /src
COPY . .
RUN dotnet restore "WebApi/WebApi.csproj"
# Build
WORKDIR "/src/WebApi"
RUN dotnet build "WebApi.csproj" --no-restore -c Release -o /app/build
# Publish
RUN dotnet publish "WebApi.csproj" -c Release -o /app/publish
# Runtime image
FROM mcr.microsoft.com/dotnet/aspnet:5.0
WORKDIR /app
COPY --from=build-env /app/publish .
# SSH
RUN apt update \
&& apt install -y --no-install-recommends openssh-server \
&& mkdir -p /run/sshd \
&& echo "root:Docker!" | chpasswd
COPY sshd_config /etc/ssh/sshd_config
ENTRYPOINT ["/bin/bash", "-c", "/usr/sbin/sshd && dotnet WebApi.dll"]
I will not go over all the entries of the Dockerfile, as I did in my last article. I will focus on the lines that cover the SSH server:
EXPOSE 2222 80
In addition to port 80, expose port 2222
# SSH
RUN apt update \
&& apt install -y --no-install-recommends openssh-server \
&& mkdir -p /run/sshd \
&& echo "root:Docker!" | chpasswd
COPY sshd_config /etc/ssh/sshd_config
ENTRYPOINT ["/bin/bash", "-c", "/usr/sbin/sshd && dotnet WebApi.dll"]
A- Run apt update and install openssh-server, then create the /run/sshd directory and set the root password
B- Copy the sshd_config created earlier
C- The entry point will execute the SSH server as well as the application
3- Test the container locally
Before deploying to Azure, it is recommended that you test the application locally in your Docker engine, to make sure that the configuration is working as expected.
First of all, build the Docker image with the command:
docker build -t salah/webapi:1.0 .
Run the container locally with the command:
docker run -d -p 8099:80 -p 2222:2222 --name webapi_instance salah/webapi:1.0
Check your browser on port 8099 to make sure the application is running.
Then telnet to localhost to test whether the container is listening on port 2222.
That’s perfect! The container is set up correctly.
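The image accepts root logins with the password set in the Dockerfile, and `-p 2222:2222` publishes that SSH port on every interface of the host, not only on localhost. The check below reads `docker port` output and lists any binding of port 2222 that is reachable beyond loopback. It is an added example, not part of the original article; the function names and the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the original article.

# Read `docker port <container>` output on stdin and print each host
# binding of the given container port that is reachable beyond loopback.
non_loopback_bindings() {   # usage: docker port NAME | non_loopback_bindings 2222
    prefix="$1/tcp -> "
    while IFS= read -r line; do
        case "$line" in
            "$prefix"*) ;;          # a binding of the port we care about
            *) continue ;;
        esac
        binding=${line#"$prefix"}
        host=${binding%:*}          # drop the trailing ":<host port>"
        case "$host" in
            127.*|::1|"[::1]") ;;   # loopback: only this machine can connect
            *) printf '%s\n' "$binding" ;;
        esac
    done
}

# Constructed sample of what `docker port webapi_instance` prints after the
# article's `-p 8099:80 -p 2222:2222` (not captured from a real run).
sample_docker_port() {
    printf '%s\n' '80/tcp -> 0.0.0.0:8099' \
                  '2222/tcp -> 0.0.0.0:2222' \
                  '2222/tcp -> [::]:2222'
}

sample_docker_port | non_loopback_bindings 2222

# Loopback-only variant of the article's command, for local tests:
#   docker run -d -p 127.0.0.1:8099:80 -p 127.0.0.1:2222:2222 \
#       --name webapi_instance salah/webapi:1.0
```

Against a running container, use `docker port webapi_instance | non_loopback_bindings 2222`; no output means the SSH port is only reachable from the local machine.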
4- Create Azure Container Registry and PUSH the image
I will be using Azure CLI to create Azure resources:
Log in to Azure:
az login
Create the resource group :
az group create --name deploy-aspnet5api-ssh-rg --location westeurope
Create the ACR :
az acr create --name demodeployingaspnet5ssh --resource-group deploy-aspnet5api-ssh-rg --sku Basic --admin-enabled true
Once the resource group and the ACR are created, we will push the image to the repository :
Connect to the ACR:
az acr login --name demodeployingaspnet5ssh
Tag the image with the ACR name as prefix:
docker tag salah/webapi:1.0 demodeployingaspnet5ssh.azurecr.io/salah/webapi:1.0
Push the image to ACR :
docker push demodeployingaspnet5ssh.azurecr.io/salah/webapi:1.0
Execute the command below to check that the repository was pushed to ACR:
az acr repository list --name demodeployingaspnet5ssh
5- Create the App Service plan and Web App
Create the App Service plan that will host our web application. The SKU used is B1 for our test, but you can choose any SKU depending on your needs.
az appservice plan create --name deploy-aspnet5api-ssh-ps --resource-group deploy-aspnet5api-ssh-rg --is-linux --sku B1
Create the web app service for containers as follows :
az webapp create --resource-group deploy-aspnet5api-ssh-rg --plan deploy-aspnet5api-ssh-ps --name deploy-aspnet5api-ssh-wa --deployment-container-image-name demodeployingaspnet5ssh.azurecr.io/salah/webapi:1.0
6- Assign managed identity for Web App
This step consists of creating a managed identity for the web application and assigning it the role to pull images from ACR.
Create the managed identity, and save it to a local variable:
$principal_id=(az webapp identity assign --resource-group deploy-aspnet5api-ssh-rg --name deploy-aspnet5api-ssh-wa --query principalId --output tsv)
Get the subscription id :
$subsc_id=(az account show --query id --output tsv)
Create the role assignment to the managed identity :
az role assignment create --assignee $principal_id --scope /subscriptions/$subsc_id/resourceGroups/deploy-aspnet5api-ssh-rg/providers/Microsoft.ContainerRegistry/registries/demodeployingaspnet5ssh --role "AcrPull"
Finally, update the config setting to point to the image :
az webapp config container set --name deploy-aspnet5api-ssh-wa --resource-group deploy-aspnet5api-ssh-rg --docker-custom-image-name demodeployingaspnet5ssh.azurecr.io/salah/webapi:1.0 --docker-registry-server-url https://demodeployingaspnet5ssh.azurecr.io
7- Check the container in Azure portal
Connect to the Azure portal, open the application at https://deploy-aspnet5api-ssh-wa.azurewebsites.net/swagger/index.html, and make sure the application is running.
Then under Development tools, go to SSH and open the Web SSH console :
You will be prompted to select your account
After authentication, you will have access to the container through Web SSH console :
Final words …
In this article, we deployed an ASP.NET 5 Web API image to Azure App Service for containers, and we added an SSH server in the container to access it remotely over port 2222.
Leave a comment if you find this article useful, and I will be pleased to answer your questions if you have any problem.
Salah.