Security is a major factor when it comes to deciding whether to invest your precious time and resources in a new technology. It's no different for containers and Kubernetes. I've heard a lot of concerns around it and decided to write about the most important factors that have the biggest impact on the security of systems based on containers running on Kubernetes. This is particularly important, as security is often the only impediment blocking the implementation of a container-based environment, and it also takes away chances for speeding up innovation. That's when I decided to help all of you who want to strengthen the security of your container images.

The first factor is the size of a container image. Size is also a reason why containers gained so much popularity: whole solutions, often quite complex, now consist of multiple containers running from images available publicly on the web (mostly from Docker Hub) that you can run in a few minutes. In case your application running inside a container gets compromised and the attacker gets access to an environment with a shell, he needs to use his own tools, and often it's the first thing he does: he downloads them onto the host. What if he can't access tools that would enable him to do so? No scp, curl, wget, python or whatever he could use. That would make it harder or even impossible to harm your systems.

That is exactly why you need to keep your container images small and provide only the libraries and binaries that are really essential and used by the process running in the container.

Recommended practices

Use slim versions for base images

Since you want to keep your images small, choose "fit" versions of base images. They are often called slim images and have fewer utilities included. For example, the most popular base image is Debian, and its standard version debian:jessie weighs 50MB while debian:jessie-slim weighs only 30MB. Besides less exciting doc files (list available here), it is missing the following binaries. They are mostly useful for network troubleshooting, and I doubt that ping is a deadly weapon. Still, the fewer binaries are present, the fewer potential files are available to an attacker who might use some kind of zero-day exploit in them. Unfortunately, neither official Ubuntu nor CentOS has a slim version. Debian looks like a much better choice; it may contain too many files, but that is very easy to fix, see below.

Delete unnecessary files

Do you need to install any packages from a running container? If you answered yes, then you are probably doing it wrong. Container images follow a simple Unix philosophy: they should do one thing (and do it well), which is run a single app or service. Container images are immutable, and thus any software should be installed during the container image build. Afterward, you don't need the installation tooling, and you can disable it by deleting the binaries used for that. For Debian just put the following somewhere at the end of your Dockerfile. For other base images you may want to delete the following file categories:
Package management tools: yum, rpm, dpkg, apt
Any language interpreter that is unused by your app: ruby, perl, python, etc.
Utilities that can be used to download remote content: wget, curl, http, scp, rsync
Network connectivity tools: ssh, telnet, rsh

Separate building from embedding

For languages that need compiling (e.g. Java, Go) it's better to decouple building the application artifact from building the container image. If you use the same image for building and running your container, it will be very large, as development tools have many dependencies: not only do they enlarge your final image, they also leave behind binaries that an attacker could use to download more. If you're migrating your app to a container environment, you probably already have some kind of CI/CD process, or at least you build your artifacts on Jenkins or another server. You can leverage this existing process and add a step that copies the artifact into the app image. For a full container-only build you can use the multistage build feature.
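As an added example (not the author's own Dockerfile), here is one file that combines the last two practices: a multistage build compiles a Go program in a full toolchain image, copies only the artifact into a debian:jessie-slim runtime image, and then deletes the package management, download and remote access binaries listed above. The application path ./cmd/app, the presence of a go.mod, and the Go image tag are assumptions.

```dockerfile
# --- Stage 1: build the artifact with the full toolchain ---------------------
# Assumed: a Go module whose main package lives in ./cmd/app (hypothetical path).
FROM golang:1.21 AS build
WORKDIR /src
COPY . .
# Static binary: the runtime image then needs no compiler and no extra packages.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -o /out/app ./cmd/app

# --- Stage 2: runtime image --------------------------------------------------
# Slim variant of the base image, as recommended above. jessie is the release the
# post uses; for a real deployment pick a release that still receives security updates.
FROM debian:jessie-slim
# Only the compiled artifact crosses the stage boundary; the build tools stay behind.
# COPY --from requires Docker 17.05 or newer.
COPY --from=build /out/app /usr/local/bin/app

# Nothing else will ever be installed into this image, so remove the tools an intruder
# with a shell could use to fetch or install software. Keep this as the LAST RUN step:
# once dpkg/apt are gone, no later apt-get (in the Dockerfile or in a running container) works.
# rm -f tolerates paths that do not exist in this particular base image.
RUN rm -f /usr/bin/apt /usr/bin/apt-get /usr/bin/apt-cache /usr/bin/apt-config \
          /usr/bin/apt-key /usr/bin/apt-mark /usr/bin/dpkg /usr/bin/dpkg-deb \
          /usr/bin/dpkg-query /usr/bin/dpkg-divert /usr/bin/dpkg-split /usr/bin/dpkg-trigger \
          /usr/bin/wget /usr/bin/curl /usr/bin/scp /usr/bin/rsync /usr/bin/ssh \
          /usr/bin/telnet /usr/bin/rsh /usr/bin/perl /usr/bin/python /usr/bin/ruby \
 && test -x /usr/local/bin/app \
 && ! command -v apt-get && ! command -v dpkg && ! command -v curl && ! command -v wget
# The last line fails the build if any package or download tool is still on PATH,
# which catches a base image that ships them under a different location.

ENTRYPOINT ["/usr/local/bin/app"]
```

Because the image can no longer be patched in place, security fixes are applied by rebuilding from an updated base image and redeploying, which is exactly what the immutable-image model above expects.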