Authenticated Nuget Feeds Inside Docker

September 2, 2019

If you are working with .NET Core, containers, and Azure DevOps Pipelines (or whatever they are called now), you may come across a common scenario where you are using private Nuget packages and you need to restore them from inside a Docker container. There is a related thread on GitHub here. The devops pipeline yaml file uses sed to update a nuget.config on the fly with credentials from the build agent.

Here is a sample nuget.config that would be checked into the base of your repository. On your devbox, it could be used as-is without credentials in it.

<?xml version="1.0" encoding="utf-8"?>
    <clear />
    <add key="myrepo" value="" />
    <add key="NuGet" value="" />

Here is a sample azure-pipeline.yaml:

name: "$(Year:yyyy).$(Month).$(DayOfMonth)$(Rev:.r)"

- repo: self

  fullImageName: '$(Build.BuildId)'

  - stage: stage1
    displayName: "Build XYZ"
      - job: myjob
        displayName: "Docker images"
          vmImage: 'Ubuntu-16.04'
          - bash: |
              set -exo pipefail
              sed -i 's;</packageSources>;</packageSources><packageSourceCredentials><myrepo><add key="Username" value="any" /><add key="ClearTextPassword" value="$(System.AccessToken)" /></myrepo></packageSourceCredentials>;' nuget.config              
              docker build --file Dockerfile --tag $(fullImageName) .              
            displayName: 'Build Docker images'

          - task: Docker@1
            displayName: push docker image with build tag
              command: push
              azureContainerRegistry: ''
              azureSubscriptionEndpoint: 'X'
              imageName: $(fullImageName)

Here is a sample Dockerfile (There is nothing special here):

FROM as build
WORKDIR /app/myapp
COPY . .
RUN dotnet publish myapp/myapp.csproj -c release -r linux-x64 -o /out/build

FROM as runtime
WORKDIR /app/myapp
COPY --from=build /out/build/* ./
ENTRYPOINT [ "./myapp" ]