Error in Azure because of netcore 3.1.4 security patch

Question

We build our web app with Azure DevOps pipelines and deploy into Azure with an Azure DevOps release. I think today netcore got updated to netcore 3.1.4 on our build agent. But now our Azure DevOps deployment fails, because the netcore 3.1.4 runtime is not yet installed on our app service in Azure.

The error message we are getting:

    Could not find 'aspnetcorev2_inprocess.dll'. Exception message:
It was not possible to find any compatible framework version
The framework 'Microsoft.AspNetCore.App', version '3.1.4' was not found.
  - The following frameworks were found:
      2.2.8 at [D:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
      3.0.3 at [D:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
      3.1.1 at [D:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
      3.1.3 at [D:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]

You can resolve the problem by installing the specified framework and/or SDK.

This makes sense and can happen, but what is the best way to go about fixing this?

I could fix my build to a specific netcore version. But I don't like this, because we do want to keep updating to newer versions, but we don't want a version that is not available in Azure app service.

Am I correct in thinking that we would have to install our services self contained, because otherwise we could get into this issue more often when Azure DevOps is faster with installing patches than Azure?

Or is there a way to force update Azure app service to the new netcore 3.1.4 security patch which would be ideal I think?

I just need some guidance in what is the best approach to fix this issue?

Answer 1

If you want version of netcore to be automatically updated as an updated version is available, building our service as self-container seems like a good option: no need to have anything installed on the machine running (ie the version on Azure DevOps and Azure Web App don't have to match).

The main downside of this approach is that the build is going to less deterministic: running your build twice with on the same commit might create different binaries depending on what is currently install on the build agent. if you want to know more, here is an interesting post arguing about why deterministic build is important.

To keep the build determinitic, you can use the Use.Net Core task at the beginning of the build (that will make sure that the desired version of the dotnet sdk is on the agent). You could also add a global.json in your repository to lock for both the build on your dev box and in Azure Dev Ops.

Answer 2

This is a common topic of discussion, and you can find a lot of blogs advocating one or another side.

There were big discussions started when Microsoft released LTS net core 3.1 and it took some time before Azure start supporting the 3.1 runtime as well.

You could find a lot of blogs strongly suggesting to deploy your web apps as self-contained (runtime is ~100MB in size) and cut loose the dependency towards Microsoft supporting the latest runtime. While others advocate that the applications should remain as light weight as possible and the runtime should be set in the pipeline. But that is still up on you. I, myself prefer to deploy self-contained apps after my bad experience with net-core 3.1.

There is no established best practice.

Answer 3

Or is there a way to force update Azure app service to the new netcore 3.1.4 security patch which would be ideal I think?

AFAIK, there is no such a way to force update Azure app service to the new netcore 3.1.4 .

We could keep track on the latest releases on the https://aspnetcoreon.azurewebsites.net/ , but we could not update it at this moment.

To resolve this issue, we recommend that you publish your app as self-contained produces an application, which includes the .NET Core runtime and libraries, and your application and its dependencies. Users of the application can run it on a machine that doesn't have the .NET Core runtime installed.

Publishing your app as self-contained produces a platform-specific executable. The output publishing folder contains all components of the app, including the .NET Core libraries and target runtime. The app is isolated from other .NET Core apps and doesn't use a locally installed shared runtime. The user of your app isn't required to download and install .NET Core.

You could check this document .NET Core application publishing overview for some more details.

Hope this helps.

Answer 4

In the past, I've run into the same situation, you can fix this by manually setting the value from RunTime Stack drop down. If you manually update the build processes.yml file

 RuntimeStack: 'DOTNETCORE|3.1'