Secure Dockerfiles
Harden Base Images
Component | Description
---|---
Use minimal images | Start from the smallest base that can run the workload, for example scratch plus a minimal, hashed root filesystem as in the second sample Dockerfile
Use non-root user | Create an unprivileged user and switch to it with USER so the process does not run as root inside the container
Reduce attack surface | Remove unused applications, package caches and unnecessary directories in the same layer that created them
Use COPY | Use COPY instead of ADD in the Dockerfile
Restrict RUN commands | Keep RUN to what the image needs, and verify anything it downloads before using it
Build context and .dockerignore | Use a .dockerignore file so the build context sent to the daemon, and therefore reachable by COPY and ADD, excludes secrets, .git and other files the image does not need
Process
Component | Description
---|---
Update your images frequently | Rebuild and redeploy regularly so the base image and its packages pick up security fixes; the sample Dockerfiles run apk upgrade / apt-get upgrade at build time for the same reason
Linting | Tools like hadolint can detect bad practices in your Dockerfile, and even expose issues inside the shell commands executed by the RUN instruction
Container Scanning | See Container Scanning
Sample Dockerfiles

```dockerfile
# (1) Do we trust the remote repository? Is there a reason not to use a home-built base image?
FROM alpine:3.3
ENV VERSION 1.11.2
# (2) Hash pinned in the Dockerfile to verify the downloaded file
ENV SHA256 8c2e0c35e3cda11706f54b2d46c2521a6e9026a7b13c7d4b8ae1f3a706fc55e1
WORKDIR /usr/bin
RUN apk update && \
# (3) Keep the container up to date
    apk upgrade && \
    apk --update add coreutils wget ca-certificates && \
    wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \
    wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \
# (4) Verify the download: once against the published .sha256 file, once against the hash pinned above
    sha256sum -c docker-$VERSION.tgz.sha256 && \
    echo "$SHA256  docker-$VERSION.tgz" | sha256sum -c - && \
    tar -xzvf docker-$VERSION.tgz -C /tmp && \
    mv /tmp/docker/docker . && \
    chmod u+x docker* && \
# (5) Remove unused applications and unnecessary directories in the same layer
    rm -rf /tmp/docker* && \
    apk del wget ca-certificates && \
    rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256
# (6) COPY local files
COPY ./docker-garby.sh /docker-garby.sh
# (7) Create an unprivileged USER; Alpine's busybox ships adduser (not useradd) and has no bash
RUN adduser -D -s /bin/sh <username>
USER <username>
ENTRYPOINT ["/bin/sh", "/docker-garby.sh"]
```

1. Do we trust the remote repository? Is there any reason we're not using a home-built base image?
2. Hash to verify the downloaded file
3. Keep the container up to date
4. Verify downloaded files
5. Remove unused applications and unnecessary directories
6. COPY local files, ADD remote files
7. Create an unprivileged USER if possible
8. GnuPG-sign the commit: git commit -s -S -m '...'
```dockerfile
# (1) Use scratch
FROM scratch
# (2) Add a compressed, minimal base; ADD unpacks a local archive into /
ADD ./wheezy-1603172157.txz /
# (3) Hash for the above base
ENV SHA 00c3cc1b8968d3b5acf2ac9fc1e36f2aa30dfd4ff44a35d8d3bd1948914d722d
# (4) Force containers based on this image to keep up to date
ONBUILD RUN apt-get update && apt-get -y upgrade
```

1. Use scratch
2. Add a compressed, minimal base
3. Hash for the above base
4. Force containers based on this image to keep up to date
5. GnuPG-sign the commit: git commit -s -S -m '...'
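Host-side version of the integrity check, as an added example that is not part of the original page: the first Dockerfile verifies its download at step (4) inside RUN, while the second records a hash for the base tarball at step (3) but nothing in that build checks it. This POSIX sh function (its name is my own) performs the same pinned-SHA-256 check before docker build and fails closed on a missing file, a malformed pin or a mismatch; it assumes GNU coreutils sha256sum, and the demo uses a constructed sample file rather than a real base image.

```shell
#!/bin/sh
# verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE hashes to EXPECTED_HEX. Every other outcome
# (missing file, malformed pin, mismatch) returns 1 so a build fails closed.
verify_pinned_sha256() {
  file="$1"
  expected="$2"
  [ -f "$file" ] || { echo "verify: no such file: $file" >&2; return 1; }
  # A pin must be exactly 64 hex characters; an empty or truncated value
  # must not be accepted as "no pin to check".
  case "$expected" in
    *[!0-9a-fA-F]*|"") echo "verify: malformed pin" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "verify: pin is not 64 hex chars" >&2; return 1; }
  # Same check the sample Dockerfile runs inside RUN: feed a "<hash>  <file>"
  # line to sha256sum -c (two spaces is the canonical separator).
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status -
}

# Demo with a constructed file, not a real Docker base tarball.
demo() {
  tmp=$(mktemp)
  printf 'constructed base image contents\n' > "$tmp"
  pin=$(sha256sum "$tmp" | cut -d' ' -f1)
  verify_pinned_sha256 "$tmp" "$pin" && echo "pin matches: build may proceed"
  wrong=0000000000000000000000000000000000000000000000000000000000000000
  verify_pinned_sha256 "$tmp" "$wrong" || echo "pin mismatch: refusing to build"
  rm -f "$tmp"
}

demo
```

Run it as verify_pinned_sha256 ./wheezy-1603172157.txz "$SHA" before docker build; the non-zero exit stops any CI step that fails on error.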