Validate container tunnel reserved container name

[Copilot]

Description

Adds DCP container preparation validation that fails application startup when the Aspire container tunnel is enabled and a container resource name, explicit container name (WithContainerName), or network alias (WithContainerNetworkAlias) matches the tunnel-reserved container name aspire, using case-insensitive comparison. This prevents DNS/name conflicts with the container tunnel.

Validation

• Installed/restored local SDK and packages with ./restore.sh.
• Ran targeted tests: dotnet test --project tests/Aspire.Hosting.Tests/Aspire.Hosting.Tests.csproj --no-launch-profile -- --filter-method "*.RunApplicationAsync_ThrowsWhenContainerResourceNameConflictsWithContainerTunnelName" --filter-method "*.RunApplicationAsync_ThrowsWhenExplicitContainerNameConflictsWithContainerTunnelName" --filter-method "*.RunApplicationAsync_ThrowsWhenNetworkAliasConflictsWithContainerTunnelName" --filter-method "*.RunApplicationAsync_AllowsContainerNameMatchingContainerTunnelNameWhenContainerTunnelDisabled" --filter-not-trait "quarantined=true" --filter-not-trait "outerloop=true"
• Ran nearby tests: dotnet test --project tests/Aspire.Hosting.Tests/Aspire.Hosting.Tests.csproj --no-launch-profile -- --filter-class "*.DcpExecutorTests" --filter-not-trait "quarantined=true" --filter-not-trait "outerloop=true" (101 tests passed)

Reviewer validation steps:

1. Install this PR build with eng/scripts/get-aspire-cli-pr.sh <PR_NUMBER> or eng/scripts/get-aspire-cli-pr.ps1 <PR_NUMBER>.
2. Create an AppHost with the container tunnel enabled and a container named aspire or ASPIRE (via resource name, WithContainerName, or WithContainerNetworkAlias).
3. Run the AppHost and verify startup fails with a message indicating the name conflicts with the Aspire container tunnel container name.
4. Disable the container tunnel and verify the same container name is no longer rejected by this validation.

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No
• Does the change require an update in our Aspire docs?
  • Yes
    • Link to aspire.dev issue:
      • New issue
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16748

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16748"

[Copilot]

Pull request overview

Adds startup-time validation in Aspire Hosting so container resources cannot use the tunnel-reserved aspire name when the DCP container tunnel feature is enabled, and adds DCP executor tests for the new behavior.

Changes:

• Added reserved-name validation in ContainerCreator for container resource names and explicit container names.
• Added DCP executor tests covering rejection when the tunnel is enabled and acceptance when it is disabled.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
src/Aspire.Hosting/Dcp/ContainerCreator.cs	Adds validation for tunnel-reserved container naming during container preparation.
tests/Aspire.Hosting.Tests/Dcp/DcpExecutorTests.cs	Adds tests for reserved-name rejection and allowed behavior when the tunnel is disabled.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• 7k6vsblobprodcus337.vsblob.vsassets.io
  • Triggering command: /usr/share/dotnet/dotnet dotnet test --project tests/Aspire.Hosting.Tests/Aspire.Hosting.Tests.csproj --no-launch-profile -- --filter-method *.RunApplicationAsync_ThrowsWhenContainerResourceNameConflictsWithContainerTunnelName --filter-method *.RunApplicationAsync_ThrowsWhenExplicitContainerNameConflictsWithContainerTunnelName --filter-method *.RunApplicationAsync_ThrowsWhenNetworkAliasConflictsWithContainerTunnelName --filter-method *.RunApplicationAsync_AllowsContainerNameMatchingContainerTunnelNameWhenContainerTunnelDisabled --filter-not-trait quarantined=true --filter-not-trait outerloop=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[aspire-repo-bot]

No documentation PR is required for this change.

Reason: This PR adds an internal startup validation that throws a descriptive DistributedApplicationException when a container resource name, explicit container name (WithContainerName), or network alias (WithContainerNetworkAlias) conflicts with the reserved Aspire container tunnel container name aspire (when the container tunnel is enabled). No new public APIs were introduced, and the error messages are self-explanatory. The PR author also confirmed no docs update is needed.

Generated by PR Documentation Check for issue #16748 · ● 113.6K · ◷